The California Consumer Privacy Act (CCPA) went into effect Jan. 1, but its enforcement began July 1. Yet, many organizations have not prepared for CCPA at all, according to a study from data privacy management company Ethyca. More than half of the organizations surveyed said they aren’t ready for any data privacy regulations. There are plenty of excuses why—no buy-in from executives, not enough staff to make the changes needed, lack of budget and resources and a lack of understanding of how these privacy laws work, to name a few.
However, would they be more apt to take the steps to be compliant if they looked at CCPA not from a privacy point of view but from a cybersecurity point of view? CCPA and other data privacy regulations could be a catalyst to help SMBs improve their overall cybersecurity footprint.
In an email interview, Logan Kipp, director at SiteLock, pointed out that while small family-run stores are likely in the clear, high-growth small businesses will need to take action to become CCPA-compliant.
“Even if SMBs do not meet the CCPA compliance criteria, cybersecurity should be top of mind,” Kipp said. “Cybercriminals often target those who are least suspecting it, making ill-prepared businesses that much more desirable.”
To combat this, he added, implementing comprehensive security tools and establishing a standard operating procedure for patching vulnerabilities, as well as training employees to be more cyber aware, will go a long way for organizations to ensure their customers’ personal information is safe.
How CCPA Helps SMB Security Footprint
Owners and decision-makers at SMBs too often believe they are immune from cyberattacks, thinking they are too small to be a target. We know this is not true. Attacks tend to be random, and in the eyes of a hacker, all data—whether it comes from a large enterprise or a five-person business—is valuable.
“Privacy laws, like the CCPA, make it so even the small businesses that are required to comply start to think about privacy and security more,” said Kipp. “Seeing privacy laws enforced should signal to these small-business owners that privacy and security are to be taken seriously, and if they don’t have safeguards in place, now is the time to act.”
There are a lot of comparisons made between CCPA and GDPR, but their differences in their approach third-party data sales makes CCPA a little stronger when looking at its cybersecurity benefits.
When third parties acquire data via another business, CCPA requires they provide explicit notice and an opportunity to opt-out before reselling this personal information.
“This relates to cybersecurity because you may trust the navigation app that you’ve previously agreed to give your data to,” explained Kipp, “but if a third-party company buys your data from that app and they get breached, then your data will be out there and you had little say in the matter. Now with the CCPA, consumers should have the opportunity to opt-out of these data sales or even request that their information be completely deleted at a later time.”
Too Small to Care?
Even companies that are small enough that they aren’t required to comply with CCPA, Kipp recommended they still take steps to be in compliance. “Implementing parts of the law will ensure the company is better prepared for any future data breaches or cybersecurity incidents. CCPA is likely the first of many state-led privacy laws so similar regulations could be on the horizon for many. By getting ahead of it now, small businesses can ensure they are well-prepared for any future laws that could apply to them, as well as future growth.”
The pandemic has made following data privacy regulations even more important, as businesses are forced to (at least temporarily) move from a traditional storefront model to an e-commerce model. Kipp warned that it is as important to protect the online business as much as you would your physical business space. And that begins with being proactive about cybersecurity.
“Cybersecurity doesn’t need to be daunting or expensive; small things like not reusing passwords, implementing multi-factor authentication, using a VPN and training your employees are great places to get started,” he said. And when looking at security from a data privacy aspect, “Organizations must also implement reasonable security measures in order to protect their consumers’ personal information. To ensure they comply, SMBs should prepare to enhance their privacy protections and update their privacy policies.”