Legislative Updates

California Consumer Privacy Act and Cybersecurity Requirements


Jeffrey Aleixo, Emptech's founder

By now, most U.S. companies are aware of the new privacy requirements imposed by the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020. Like its predecessor from the EU, the General Data Protection Regulation (GDPR), CCPA requirements create radical new standards for both data privacy and data security. 

For the most part, this law is dedicated to the rights of California citizens, how businesses should interact with them regarding their data, and how this data is used. This groundbreaking privacy law has also introduced a set of cybersecurity requirements, obliging businesses to take necessary steps from both a data privacy and a cybersecurity standpoint.

Why Is CCPA Important

A key premise of the CCPA is that California residents have the right to know what personal data is being collected about them and why, the methods used to collect that data, and whether the information is sold or disclosed to a third party. As such, the CCPA is designed to give Californians more power over the collection and use of their private data, including financial information, social security and passport numbers, household information, online identifiers, email addresses, and more. Consumers are also able to access their personal data stored by a business and request deletion of any personal information collected.

All companies that serve residents of California and have at least $25 million in annual revenue need to comply with the CCPA. In addition, companies of any size that have personal data on at least 50,000 people or that collect more than half of their revenues from the sale of personal data also fall under this law. Furthermore, the CCPA covers even companies that are not based in California or have no physical presence there.

What Does the CCPA Mean for Cybersecurity?

While the CCPA puts the focus on consumer data privacy, its cybersecurity requirements have an equally significant impact on companies. However, when it comes to data protection and security, the California law does not clarify the specifics.

The CCPA determines that businesses need to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, but it fails to define what those reasonable procedures are.

The only guidance for organizations seeking a reliable standard for reasonable security can be found in another set of guidelines. In its 2016 California Data Breach Report, the Office of the Attorney General (OAG) used the Center for Internet Security’s 20 CIS Controls as a baseline for reasonable security. The 20 CIS Controls identify a minimum level of security that all data-driven organizations should meet, including authentication, administrative privilege, mobile device security, incident response plans, and data-protection policies, among 15 others. This framework provides the best protection against CCPA claims, but whether implementing these controls is enough to meet the CCPA cybersecurity requirements remains uncertain.

On the other hand, when it comes to penalties for cybersecurity violations, the CCPA is much more specific. If companies become victims of data theft or another breach resulting from non-compliance with the law, they could face civil lawsuits and pay up to $750 in fines per resident and incident, or actual damages, whichever is greater. However, the CCPA only applies data breach sanctions if companies fail to protect personal data with encryption or redaction. If personal information is protected with appropriate data-level measures, it cannot be used by unauthorized parties, so consumers are left unharmed.

Broadening Efforts to Meet Cybersecurity Requirements

While proving that a company has reasonable cybersecurity measures can be difficult and costly, the CCPA encourages employers to take timely steps to avoid the reputational damage and risk to their bottom line caused by a data breach. Meeting the CCPA cybersecurity requirements is rather complicated because of the law’s relative vagueness, but there are ways for companies to protect their customers and their business from cyberattacks. For example, access control policies, multifactor authentication, penetration tests, software updates, and proper employee training are different measures that help businesses meet the standard of reasonable defense against data breaches.

Also, to achieve compliance with the CCPA’s cybersecurity requirements, companies have to examine their partners, vendors, and service providers. Such a process of safeguarding data shared with third parties shows regulators and consumers that companies take steps to mitigate the potential risk. This also helps companies meet one of the CCPA cybersecurity requirements: that companies understand and document what data is stored where.

Increased Regulation around Consumer Data Privacy and Security

With the CCPA and its cybersecurity requirements, businesses have a compelling reason to create a culture of cybersecurity within their organizations and to invest in operational improvements to prevent data breaches. Therefore, each company should implement appropriate cybersecurity measures that depend on factors such as the size of the company, the kind of data it has, and the threats it faces.

Taking into consideration the CCPA’s broad implications, it is imperative for businesses to establish security performance management and continuous internal and external monitoring. Adopting a reasonable security posture and considering CCPA cybersecurity requirements allows employers to avoid costly enforcement actions and be better positioned for success in today’s technology-driven world.

Data security requires an ongoing commitment, including consistent monitoring, measurement, testing, and improvement. While meeting evolving privacy and cybersecurity requirements can be complex and challenging, the entire process can be significantly simplified with appropriate programs and technologies. Such a proactive approach ensures meeting a wide range of data protection requirements, integration with the rest of an organization’s security systems, data classification as well as constant monitoring of potential threats.

The information contained within this document is general in nature and is not intended and should not be construed as legal, HR, or opinion by Emptech. Please contact Emptech or another subject matter professional prior to acting on any information provided in this document. We recommend caution when contemplating acting on any information provided in this document as it may not be applicable or suitable for the specific viewer’s needs. Emptech assumes no obligation to update any viewer of any changes in law, rule, or regulation that could affect the information contained herein. Without express written permission from Emptech, no part of this document may be reproduced, retransmitted, or otherwise redistributed in any form or by any means, including, but not limited to, photocopying, electronic, facsimile transmission, or using any other information storage and retrieval system.