The California Consumer Privacy Act (CCPA) is a new data protection bill that will come into effect on the 1st of January 2020. The CCPA is designed to give Californian citizens more control over how their personal data is stored and processed.
The CCPA applies to any for-profit company that collects, stores and trades personal data belonging to Californian residents.
Under the CCPA, companies must demonstrate that they are able to identify, delete or quarantine personal data in a timely manner, as per the data subject's request. Additionally, should a company experience a data breach which resulted in the theft/misuse of personal data, they must be held accountable.
Although breach notifications were a requirement of the original specification, this was repealed in subsequent drafts. Instead, before notifying the authorities, individuals will be required to pursue their own lawsuits, notifying the business 30 days before initiating legal proceedings.
Regardless, a failure to comply with the CCPA may result in fines of up to $2,500 per violation, assuming the security incident was accidental, and the company failed to respond to the incident within a period of 30 days. For security incidents that are deemed intentional, fines can reach as much as $7,500 per violation.
The Four Key Principles of the CCPA
Opt-out: The opt-out clause gives data subjects the right to deny companies the right to sell their data to third parties.
Right to be forgotten: Companies must delete a data subject’s personal data, should they request it.
Right to privacy without penalty: Should a data subject exercise their privacy rights, companies must adhere to their requests without requesting any additional forms of payment.
How Can LepideAuditor Help to Meet CCPA?
The first step towards achieving compliance is to find out where personally identifiable information (PII) and other forms of sensitive data reside, and to classify them accordingly. LepideAuditor provides a data discovery and classification feature which allows companies to scan their content for sensitive information such as PII, PCI, PHI, and so on. It also allows for automatic tagging and scoring of data, and lets you define classification rules which can be applied both at the point of discovery and at the point of creation.
Knowing where your personal data resides will make it a lot easier to respond to Subject Access Requests (SARs), which include accessing or deleting data, upon request from the data subject.
For those who wish to prevent a given company from selling their personal data, a separate category could be set up and assigned to their data. Access rights can then be assigned to this category, preventing certain members of staff, such as those in the marketing department, from gaining access to the data.
Not only do companies need to know where their personal data is stored, but they also need to monitor all changes to this data, along with the privileges that have been assigned to it. LepideAuditor is designed to detect, alert, report and respond to such changes.
As they say, it’s not a matter of if, but when, a security incident occurs. As with other relevant compliance requirements, companies must be able to provide evidence that they took the necessary precautions when storing and processing personal data. LepideAuditor is able to automatically generate a wealth of customized reports, which can be presented to the supervisory authorities on demand, thus helping companies avoid potentially large fines.