How MSPs Can Cash In on the California Consumer Privacy Act

MSPs and IT security companies have long relied on security assessments to generate leads, and they can do the same with California’s Consumer Privacy Act. Go in, assess and build an offer based on a bespoke compliance plan.
California Consumer Privacy Act

This blog is the first part of a limited series on California’s Consumer Privacy Act (CCPA) from CompTIA’s IT Security Community.

The term “personal information” is now incredibly broad—it includes geolocation data, cookie data and even health, sleep and exercise data, said global security evangelist Tony Anscombe, in a special presentation by CompTIA’s IT Security Community. That broad definition is also at the heart of the California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020 and acts a lot like Europe’s new standard, the General Data Protection Regulation (GDPR).

“It’s like GDPR in that it puts the ownership back in the hands of the consumer,” said Anscombe.

Though not as restrictive as its European predecessor, the CCPA still offers the consumer rights: the right to know, right to deletion, right to opt out and right to be free from discrimination. While it might be a hassle to some, it’s also an opportunity. Reasonable security at the CCPA level includes at least four services that solution providers can can offer their clients, Anscombe said.

“This is a revenue generator. You should be offering this as a service,” he said. To help solution providers get started, here are three ways to cash in on CCPA:

Build Customized Packages

Managed services providers and IT security companies have long relied on security assessments to generate leads, and you can do the same type of thing with CCPA. Go in, assess and build an offer based on a bespoke compliance plan.

Reasonable security at the CCPA level involves segmentation (firewalls), that a system is secure by design (internal and external), that the company address vulnerabilities, offers endpoint and protection, quality backup and recovery plans, and documented employee security awareness training.

Documented employee security awareness training is something you should be doing anyway, said Lysa Myers, security researcher for ESET and vice chair of the IT Security Community. “If you’re not requiring them to do security training, that puts more risk on you,” she said.

Stress the Deadline

The average time to deliver an office IT project is more than 10 months from start to delivery, according to a study by Fortune. People can start suing related to CCPA in half that time, starting January 1, 2020. For solution providers, this isn’t the kind of project you can wait on, and IT security companies and MSPs working in cybersecurity need to press the importance of compliance by the deadline. The script looks like this: “You need to put in reasonable security proceeds and practices by January 2020 or face fines that can easily reach into the millions.” 

Data breach victims can sue for damages from $100 to $750 per incident, said Anscombe.

Expand Where It Makes Sense

The third step to cashing in involves understanding what your business can handle, how to identify opportunities that work, and expand where it makes sense for your business, said CompTIA member Alex Rutkovitz, COO of Choice CyberSecurity.

If you’re an ace at backup and recovery and have a foolproof process for segmentation, stick to those parts and partner with other companies that specialize in the extras, like two-factor identification or the dreaded document employee security awareness training.

“Find a power partner, someone who can help an MSP excel in the security realm,” said Rutkovitz, whose company helps connect security teams and MSPs. “Most of the clients I work with are stretched really thin.”

For clients that are far from being compliant, start with the NIST Cybersecurity Framework, said Rutkovitz. “It goes a long way in protecting the organization if there’s an audit or a breach if you have signoffs from employees who have taken that training,” she said.

Most of the compliance stipulations require some kind of formal computer-based training, so it’s pretty straightforward when someone’s investigating to identify whether or not everyone went through the training.

Connect with members of CompTIA Communities to find partners and look for opportunities everywhere. For more on CCPA and how it can work for your business, follow this series from CompTIA’s IT Security Community.

Newsletter Sign Up

Get CompTIA news and updates in your inbox.


Read More from the CompTIA Blog

Leave a Comment