Pratum Blog

California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) has been in effect since the beginning of 2020. This new legislation requires certain businesses to disclose what personal data they hold to customers requesting that information. This is considered a landmark piece of legislation to secure California residents’ privacy rights. While it’s still unclear how much this legislation will impact businesses, there are rights set in place for what consumers can expect.

New Rights for California Consumers:

  • Knowing what personal information is collected, used, shared or sold.
  • Having the right to delete personal information held by businesses, and by extension business’s service providers.
  • Exercising the right to opt-out of sale of personal information. (Children under 16 must provide opt-in consent. Children under 13 need parental or guardian consent.)
  • Having the right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.

So how will this impact the rest of the country? For one, California is not the only state to enact this sort of legislation. According to CNET, Nevada and Maine have already passed similar legislation and 11 other states are also considering privacy bills.

Another way it could impact more than just California residents is that some of the businesses complying with the CCPA are offering the same privacy rights to ALL U.S. customers, not just the ones who live in the Golden State. That means if you live in Iowa and want to know what a California business has on file about you, you may be able to find out and request it be removed from their servers.

How CCPA Compares to GDPR

While this new push for privacy may seem progressive to Americans, it’s been a part of European business practices for two years now and in a more aggressive way. The General Data Protection Regulation (GDPR) went into effect in 2018. The goal of the GDPR is to give individuals control over their own personal data. EU, EEA, and UK residents now have access to and can correct, delete, and export personal information. The GDPR also has more privacy controls in place, and much steeper fines and penalties for those who don’t comply.

These provisions apply to almost all organizations that collect data from EU, EEA, and UK individuals. That includes small businesses, non-profits, non-technology companies, and organizations operating outside of Europe.

The GDPR is also designed to make following regulations easier to comply with for groups working internationally. Under these parameters, organizations only have one set of privacy laws to understand and abide by, rather than a new set of laws for each country within the region.

Federal Privacy Law Potential

This sort of universal legislation may be something we see in the United States in the near future. With more states creating their own guidelines, there is talk of new, federal privacy legislation.

This possibility of federal privacy laws resembling the CCPA or GDRP is growing more likely after two U.S. Senators proposed legislation that would be stricter than the CCPA in some respects.  According to the Brookings Institute, Senator Roger Wicker (R-MS) and Senator Maria Cantwell (D-WA) proposed bills that place stricter limitations on algorithmic decision-making, biometric data, and data minimization.

Federal legislation has been reassuring to some businesses already following CCPA. The concern is that each state will enact their own privacy laws, making it difficult for companies to keep up with so many different sets of rules. However, even though federal law supersedes state law, some federal laws allow states to enact tougher requirements on top of the federal regulations.

Concerns Over Privacy Legislation

As with any significant change, there are some concerns being raised over the stricter privacy laws. One case out of Germany shows why the concerns may be justified. An Amazon Alexa user requested all of his audio files the device had picked up. Instead, he was given 1,700 audio files from the wrong home. Amazon blamed the mistake on “human error” and said it was an isolated incident.

That’s just one example of how requesting a legitimate customer’s private data could also be acquired by the wrong person. However, even when businesses try to avoid this sort of mistake, the possibility of critical information getting into the hands of a criminal is there. That’s why some California businesses are now setting stricter guidelines for customers wanting to access their own data.

A New York Times article outlines a recent situation in which a business trying to comply with CCPA hired a third-party vendor to handle the influx of customer information requests. The vendor started verifying these requests by asking customers to supply more identification. This was typically done by asking for images of customers’ driver’s licenses and even additional photos of customers’ smiling. This sort of extra information was concerning to some customers. In short, the business wanted more private data to release the customer’s private data.

It appears to be a cyber security cycle that organizations are still trying to figure out. What is designed to help protect your data could put you at risk of exposing even more personal information.

What You Can Do

Being that this legislation is so new, businesses could use early compliance as an advantage. Using the time and resources needed to become CCPA or GDPR compliant could put you a step above the competition. Touting an emphasis on privacy is appealing to many consumers.

Even if you’re not proactive with privacy for a business boost, you should start considering what compliance will look like for your organization. Companies should accept the fact that privacy rights are a growing concern and new legislation will be coming.

Here are a few steps your business should be taking now to get ready:

1. Designate a privacy officer, someone in charge of organizing the process to become compliant.

2. Be externally compliant. Update your privacy notice on your company website.

3. Think about data inventory. Know where information is located within your system.

4. Figure out how you will be able to obtain and report customer information when requested.

5. Decide on a verification process to ensure the data your giving out is to the correct person.

Figuring this all out may not be easy but getting to work on it early could save you a lot of issues and headaches later. Regardless if it’s CCPA or another piece of legislation, this is something many businesses will need to respond to. It’s up to each company to decide if they want to be proactive or reactive.

If you need help with objectives like inventory, security controls, process recommendations, or who to reach out to for legal compliance, Pratum representatives work with national and international businesses every day. A Pratum cybersecurity expert would be happy to help guide you through the privacy legislation process.

(References: https://www.cnet.com/news/californias-new-ccpa-privacy-rights-could-come-to-your-state-too/
https://www.brookings.edu/blog/techtank/2019/12/19/highlights-the-gdpr-and-ccpa-as-benchmarks-for-federal-privacy-legislation/)
https://www.reuters.com/article/us-amazon-data-security/amazon-error-allowed-alexa-user-to-eavesdrop-on-another-home-idUSKCN1OJ15J)
https://www.nytimes.com/2020/01/15/technology/data-privacy-law-access.html)
Rowing Team working together for a common goal.

In the early 1980’s Ford Motor Company’s slogan was “Quality is Job 1”. That mentality was born from Ford’s President, Philip Caldwell, who believed the only way to compete in the automotive industry was to stop pushing out large quantities and focus on the quality.

That change made a big impact. The slogan lasted 17 years and helped make Ford one of the top auto makers in the world. The reason that initiative worked for Ford wasn’t just because it was a catchy phrase. It's because the mentality behind it was embraced by every level of the company. From janitors to the CEO, everyone believed in the message.

For your company to have a successful cybersecurity program, you also need the whole team to get on board!

Why Does Company-Wide Cybersecurity Matter?

According to the Verizon Data Breach Report in 2019, one-third of breaches had a social engineering component. Meaning, the people inside the company, and sometimes outside, are a big part of the problem. Without education or training, employees may open dangerous emails, allow a stranger into the building, or give away private information on the phone. Hackers have become savvier and increasingly rely on exploiting human behavior. That means business leaders and employees need to be constantly adapting with the times, as well.

A significant breach of your company could be detrimental. Not only could it cost the company money, it could also cost people their jobs. That’s why, as business leaders, you need to start the cybersecurity conversation as soon as possible.

It’s More Than Just Training

There’s a difference between training and awareness. Training is the initial education activity. Awareness is an ongoing reminder.

Training is important in cybersecurity because hackers are always evolving, and it’s crucial to stay on top of the latest trends and threats. However, it’s not going to be the most important key to keeping your business safe. What really sticks with people is the connection they feel with the message. Just like Ford, you need all levels of the company to understand and support the mission of cybersecurity.

Take manufacturing plants for example. All plants should have a safety coordinator on staff checking for issues and coming up with incident prevention plans. A company whose leadership believes in that mission, and promotes the health and safety of their employees, will have a lower accident rate!

On the flip side, if a company’s top executives are primarily concerned about profit they will eventually see the effects of that with more dangerous incidents on the job.

Employees need to know the leaders in the company care. They need to see the highest level of executives spreading awareness by continually talking about things like governance policies and avoiding scams. If their boss doesn’t seem interested in cybersecurity, why should the average employee go above and beyond?

Lead by Setting an Example

If you talk the talk, you better be ready to walk the walk. Business leaders should have the same set of guidelines as the rest of the company when it comes to cybersecurity. If an executive opens a phishing email and compromises company data, they should face the same repercussions anyone else would.

That brings up another point many businesses fail to address. There need to be set consequences for not following cybersecurity protocol. These rules should be discussed openly, and not following them should be taken just as seriously as safety or money violations. Leaving your company vulnerable to a data breach is the same as leaving a cash drawer open in public. People at all levels can compromise the company’s security and they should all be held accountable by the same standards.

Cybersecurity is a Culture Issue

For people to care about cybersecurity, they need to feel a personal connection. If you can show them how their actions impact their own livelihood and their peers’, they may feel more convicted. Try to create a personal connection to the value of cybersecurity.

A good example to share with employees is someone who has access to their personal data. If you know a business or medical provider has your sensitive information stored in their system, don’t you hope the employees there are protecting it? Like public health, cybersecurity is just as much for the employee’s protection as it is for the communities’ safety. Everyone should try their best to keep data protected; whether it’s their own, a colleagues’, or a stranger.

You can't force people to care. Employees must buy into the importance of the mission for it to sink in and work. As a leader in the company, you need to make it a core value everyone appreciates.

One Size Won’t Fit All

Trying to decide how often to do cybersecurity training, or when to discuss awareness campaigns, really depends on your business. The frequency and delivery vary on the risk to your organization, job duties of each employee, and the technology the employees use. There are so many factors to consider, which is why it’s best to analyze your own situation thoroughly before starting cybersecurity initiatives without much thought. It’s all about determining risk and addressing those concerns through a prioritized approach.

There also needs to be follow through. Don’t just slap on some policies and forget them. Cybersecurity needs to be continually evaluated and at the heart of what you do every day. It needs to be just as important as the rest of your business to become a part of the culture. Without people buying into the message and mission, you will always be at a higher risk of a cyber-attack.

(References: https://www.autonews.com/article/20160629/RETAIL03/160629819/robert-cox-ad-man-behind-ford-s-quality-is-job-1-pitch-dies
https://enterprise.verizon.com/resources/reports/dbir/)
Iranian Cyberattack on United States

If you’ve been following recent news, concerns over retaliation from Iran are on the rise after a recent bombing in the country by the U.S. military. After that airstrike, Iran vowed “severe revenge” in response. The political situation is now raising concerns for all citizens regarding their cybersecurity.

Just last week, the Cybersecurity and Infrastructure Security Agency (CISA) Director sent out a Tweet, alerting people to an increased risk potential.

CISA Director Tweet about Iran Cyber Attacks

This warning from the Department of Homeland Security is due to a heightened threat of cyberattacks from Iran. Over the summer there was a rise in malicious cyber activity. Now, recent reports show that is yet again a concern. While your cybersecurity firm or IT department should be monitoring any suspicious activity, there are other ways you can protect yourself and your business.

Action Steps:

1. Raise awareness within your organization.
The best thing you can do to protect your assets is to make sure those who have access to them are diligent. Re-emphasize cybersecurity training. Put notices on walls, such as educational security posters. Make sure everyone is familiar and reminded of current cybersecurity initiatives.

2. Review your permitted and successful traffic on a regular basis.
Taking inventory of your traffic should be a regular practice, but it is even more crucial right now. Continually check any new or unusual activity. Be extra aware of what is happening within your network.

3. Respond to suspicious activity quickly!
If you do notice something that seems suspicious, or even just a little strange, investigate it immediately. Use the adage, “see something, say something.” Contact your cybersecurity representative for more instruction.

4. Have backups in place.
These hackers will not be interested in negotiating for your business’s information. According to former military personnel, once they have it, Iranian hackers are going to keep what they find. Continually update your backup system.

5. Don’t assume you’re immune to an attack.
One of the biggest misconceptions people have is that they wouldn’t be a target of these cyberattacks. That’s simply not true. No matter the size or industry of your organization, there is a potential threat.

The threat of a cyberattack is not to be taken lightly. In 2017 an attack against Ukraine, which officials blamed on Russia, was able to target government ministries, banks and companies across the country. The White House called it “the most destructive and costly cyberattack in history.”

While Iran’s cyber capabilities are said to rank below Russia’s, they have been able to attack Saudi governmental and private-sector networks. With the increased tensions between the U.S. and Iran, it is believed a cyberattack is imminent.

Here at Pratum we are remaining vigilant to ensure our clients’ information is protected. For more details on the services we offer, contact a Pratum representative today.

(References: https://twitter.com/CISAKrebs/status/1212959127003111424 https://www.washingtonpost.com/technology/2020/01/03/cyber-attack-should-be-expected-us-strike-iranian-leader-sparks-fears-major-digital-disruption/)
Get our blog posts delivered to your inbox:

The information we track while users are on our websites helps us analyze site traffic, optimize site performance, improve our services, and identify new products and services of interest to our users. To learn more please see our Privacy Policy.