California’s privacy law went into effect at the start of 2020, bringing with it a number of regulations affecting how the data of the state’s residents must be managed. The law, passed in June of 2018, defines rules targeted at consumer data and, taking inspiration from Europe’s GDPR, seeks to ensure that organizations put procedures in place to protect the personal information of their customers.
Who has to comply?
The California Consumer Privacy Act, more commonly referred to as CCPA, applies to any for-profit organization doing business in California where one or more of the following are true:
- Has gross annual revenues over $25 million
- Possesses the personal data of 50,000 or more consumers, households, or devices
- Generates more than half of its annual revenue from selling consumer data
Organizations doing business online collect and maintain user information (e.g. names, email addresses, browser cookies, or credit card numbers), so if your organization satisfies one of the above three criteria, you are bound by CCPA when conducting business with California residents.
The first CCPA violations will set the stage
The impact of failing to protect customer data under GDPR made headlines when British Airways was handed a massive $230 million fine for violations resulting from a web skimming attack. The fine, which equated to around 1.5 percent of the organization’s revenue, was not only substantial, but sent a clear message that GDPR was real — and the consequences were severe.
Section 1798.150 of CCPA specifically highlights that an organization is liable for data loss resulting from inadequate protection. The law states that when “data exfiltration, loss or theft is the result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information”, consumers are able to institute a civil action. It clearly spells out that consumers can expect “to recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater”.
The consequences for data loss events are substantial, and the state will look to make examples (read: large fines) of the initial cases it brings to court. Unfortunately, the law does not give prescriptive guidance to companies regarding how to “reasonably” protect their consumer data, leaving organizations to determine for themselves how to accomplish this task. But the risks of not doing so are more than the fines — they will include brand damage and revenue loss.
The risk of web skimming attacks
While the definition of “reasonable” will no doubt be a subject of debate and will likely depend on case law to be defined from the first few challenges, CCPA is aimed at preventing the types of data losses we have seen recently from web skimming attacks on Macy’s, Sweaty Betty, and the Australian Bushfires donation website. The net result will prove that current security solutions are not enough.
Here is the rub. Regardless of whether your own code or the third-party code used within your site is at fault for the data loss, consumers are looking to you to protect their data — it will be you they go after in the event of a breach, and it is you that will be held responsible in the eyes of CCPA, since you collected the data. And not protecting this data is costly: IBM puts the average cost of a data breach at around $3.92 million. Given the nature of web skimming attacks, infected web apps and websites can go unnoticed for a significant period of time, leading to the types of fines we saw with British Airways.
Instart Web Skimming Protection prevents data loss to help you meet CCPA requirements
Instart’s cutting-edge nanovisor technology delivers protection in the customer’s browser, where data is entered. This client-side web security provides organizations with complete control over which scripts have access to form fields, cookies, and other page elements, whether the scripts are hosted on the website or provided by a third party. By implementing Instart Web Skimming Protection, organizations are able to clearly demonstrate that they have implemented protection designed to prevent data loss as required by CCPA.
*** This is a Security Bloggers Network syndicated blog from Instart blog RSS authored by Natalie Lambert. Read the original post at: https://www.instart.com/blog/ccpa-data-protection-requirements