California Consumer Privacy Act: The Need for Data-Centric Security
CCPA is the latest in a series of global privacy regulations. It comes with new requirements for dealing with personal data and is accompanied by severe penalties. Thus, businesses must take appropriate action to comply with CCPA. While handling consent and opt-outs are at the forefront, successful mitigation of risks starts with data-centric security – it is about understanding where personal data resides and encrypting or anonymizing that data whenever possible. This is where technology, such as data tokenization becomes an essential element for every business.
Regulations impact the way businesses operate, but also how technologies evolve. Over the past few years, a series of new data privacy regulations have started impacting businesses around the globe more than ever before, while also leading to technological advancements. One of the latest regulations in that series is the California Consumer Privacy Act (CCPA). Coming into effect on January 1st, 2020, CCPA raises the bar on processing and selling personal data for businesses in California, but is expected to have a broader impact beyond the state of California. Businesses must take appropriate organizational and technical actions to comply with CCPA and to limit the consequences in case of data breaches and fraudulent use of data.
With potentially very severe fines, it is essential to mitigate these consequences. This will require, beyond an adequate organization with defined accountabilities and responsibilities and good processes, policies, guidelines, and controls in place, a well-thought-out set of technologies that help in both complying with CCPA and mitigating the scope and consequences of potential incidents.
Such technologies include tools to manage consent and opt-in/opt-out. They include data discovery for both structured and unstructured data. They include IAM (Identity and Access Management) for limiting access to systems holding personal data.
And they also include technologies for de-identification of personal data: Tokenization, format-preserving encryption, or data masking.
This enables adequate data protection and it helps to anonymize such data. It is important to note that anonymized data is not considered personal data anymore.
Businesses should take CCPA very seriously. The penalties are severe, involving class action lawsuits for damages. The less data that can leak, the lesser the potential damage. Thus, a little bit of consent and opt-out handling is far from sufficient for effective mitigation of CCPA related risks, just as that wouldn’t be sufficient for GDPR and other global privacy regulations. It requires a broader perspective, starting by protecting data itself.
Data tokenization is of specific interest because it helps businesses in balancing their need for processing personal data with the requirements of adequate data protection. In many use cases, anonymized data is sufficient to fulfill the business demand, including most scenarios around patient data in clinical trials. Tokenization allows the applications to continue working in the same manner as before, without exposing personal data.
Furthermore, tokenization, data masking, and format-preserving encryption help mitigate the risk of unprotected personal data spreading uncontrollably in an organization. Whoever needs access to personal data in the clear must request it first, which extends security controls to these use cases. This is in contrast to the common scenario of today for many businesses and use cases where personal data is processed and exported to other applications and files and quickly spins out of control. If data is either anonymized or if users must specifically ask for re-identification, it will lead to far greater control of personal data.
We strongly recommend businesses take adequate action for CCPA and related privacy regulations today and think beyond the obvious solutions such as consent management. Without control and knowledge of where personal data resides and how it flows within and beyond the organization, most of the risks of not complying with CCPA will increase. Data-centric security is essential for a successful CCPA strategy.