This blog is part of a limited series on California’s Consumer Privacy Act (CCPA) from CompTIA’s IT Security Community. Find out how MSPs can cash in on CCPA and how to make sure your company is compliant with CCPA's security awareness training requirement.
The California Consumer Privacy Act (CCPA) is similar to Europe’s General Data Protection Regulation (GDPR) in that it puts ownership of personal data back in the hands of the consumer and holds businesses financially responsible for the compromise of personal data in the event of a security breach. In both cases, the burden is on the organization—or its IT company—to make sure everything is in compliance.
If you think California’s new consumer data protection law doesn’t apply to you, think again. Companies that deal in the personal information of even a handful of Californians a day need to put in place “reasonable security procedures and practices” by January 1, 2020 or face fines and lawsuits for each violation—and the clock is ticking.
The deadline is fast approaching, and California’s tech laws have in the past set a precedent for the rest of the country. Get ahead of CCPA for yourself and your clients. Here are four steps to get you there, put together by CompTIA’s IT Security Community.
1. Assessment
Do you know where your data is? CCPA is about tracking personal data, and companies dealing in the data of Californians need to be able to map out the data of their clients. If you're a CompTIA member, you can start with the assessment from the IT Security Community. The IT Security Assessment Wizard is a three-page questionnaire that covers record keeping, payment processing and the exchange of possibly confidential data. It’s not a full assessment under CCPA guidelines, but it is a good place to get started.
2. Gap Analysis
The same way IT pros were able to turn Europe’s GDPR law into a growth opportunity, you can generate business thanks to CCPA by offering a thorough gap analysis for your clients. Internally, this gap analysis will show you the clear differences in how you want the business to perform and what business requirements are actually being met. As the trusted IT expert, it’s your job to build out the plan that brings these two worlds together.
In IT, an information security gap analysis compares an organization’s security program to overall best practices to suss out vulnerabilities and risks. It’s not a job for a newbie—a gap analysis is a high-end security skill tested in CompTIA’s highest security certification, the CompTIA Advanced Security Practitioner (CASP).
To start a gap analysis, first choose a framework such as NIST’s Cybersecurity Framework, then study the office environment, including organizational charts, policies and procedures, and the application inventory. Determine how well the current controls fit within the organization’s IT architecture and do an in-depth analysis to develop an IT security profile for the organization. The profile should include strengths and weaknesses and paint a clear picture of the organization’s security strategy.
3. Compliance Roadmap
The road to compliance is long and bumpy. Security pros need to map out training across all personnel, document data breach procedures and how records are processed, audit and analyze the privacy framework, and go through data protection impact assessments. Before any of that can happen, though, the first step is getting the right endorsement in the office, said Alex Rutkovitz, COO of Choice CyberSecurity, during the IT Security Community Meeting at this year's ChannelCon.
The same is true for security awareness training, one of the most challenging parts of CCPA compliance. The buy-in doesn’t have to be elaborate, but you need to understand the company you’re working with and the politics of the people inside, she said. The right email from the right person on the management team can inspire—or frighten—people into action, said Rutkovitz. “I’ve seen that happen. We sent one email and within 48 hours 200 people completed the requirements,” she said. “It just came from the right person.”
4. Implementation
The January 1 deadline doesn’t make implementation come together any easier. It’s a multistep process that includes testing, business readiness and post-implementation analysis. Technical and operational teams need to work together on implementation and reach out to marketing and sales so that the compliance message and roadmap are the same across the board.
Once again, it starts with senior management. If senior leaders aren’t on board, the plan is dead on arrival. “When we talk about the inability to truly stop all cyber incidents, it depends on the organization’s leaders to truly prioritize it,” Rutkovitz said.
For more on CCPA and how it can work for your business, join peers and industry leaders in CompTIA’s IT Security Community.