The New CCPA Regulations and What They Mean For Your Security Program with Scott Giordano at RSA

Check out this talk from Scott Giordano, Spirion’s VP and Senior Counsel, Privacy and Compliance, on how the new CCPA regulations will affect your security program.

Here’s the video:


Read the transcript below:

New CCPA Regulations and What They Mean For Your Security Program

Hi, good afternoon. Oh wow. That sounds really loud. Good afternoon and welcome to The New CCPA Regulations and What They Mean For Your Security Program. I’m Scott Giordano and welcome to my session here. If you would like a copy of this presentation, I have all kinds of bonus slides. My email address is right there. Feel free to copy it down and send me an email. I will be happy to send you a copy of the slide deck or you can give me your card afterwards or you can come by the booth afterwards and I’ll be happy to exchange cards with you and give you a copy then. So any of those things will work just great. So without further ado, again, I’m Scott Giordano. I work for a company called Spirion, and I’m going to talk to you a little bit about the CCPA and what it means for your security program.

CCPA Already In Effect and Lawsuits are Already Happening

If you have questions, my producer Shane over there, walking around, will be happy to give you the microphone and you can ask any questions you’d like. So without further ado, let’s talk about what I think you should leave with, if you leave with nothing else. So the CCPA is in effect now. I know you’ve heard that it’s not in effect till July 1st. It’s actually in effect now and the first lawsuit’s already happened. I’ll talk about that in a minute. Formal enforcement happens on July 1st, but that hasn’t stopped the plaintiff’s bar from filing lawsuits, so keep that in mind. That’s live. It’s hot right now.

CCPA and GDPR Similarities

It is the most comprehensive US state law. It’s likely our national standard, and this is likely the only national standard we’re going to get any time soon. It is not a breach notification law. Some folks think that this is a breach notification. It’s not. That law has been around for about 20 years. In fact California had the first breach notification law. This is not it. But I’ll tell you how they all work together as a unit.

Importance of Data Inventories

It borrows many of the elements of GDPR including InfoSec, which is why presumably you’re all here, and we’re going to talk about InfoSec the next 18 or so minutes. Verifying requests, that means finding out if someone is who they say they are when they’d like information or like things deleted. That’s the toughest part of CCPA, and that unfortunately falls to all of you. That’s why we’re all here today. Understanding where personal information lies in your information ecosystem, as I like to say it, is crucial and I’ll talk to you a little bit about data inventories and why they’re so important. And then finally if you see items in red, that means InfoSec is implicated. If they’re in light blue, it means risk assessments are implicated.

So that’s it. And if you just came in, my name is Scott Giordano, I’m an attorney, but I’m really a nice guy aside from that, and I’m happy to answer any CCPA-related questions that you might have. My producer Shane over there will be happy to give you the mic. So let’s talk about information security under CCPA.

Section 150 of the CCPA on Security

So CCPA has one section on security. It’s section 150. Sometimes they’ll just call it Section 150, Security. Here’s the thing, it is not a positive security section in the sense it doesn’t say, “You shall do something.” It says, if you don’t do something, quite literally, if you don’t have reasonable security going, then you’re in trouble. And notice it also says that security has to be appropriate to the nature of the information.

Risk Assessment and Appropriate Controls

What does that mean? That means that you need to do a risk assessment ahead of time so that you can match the controls to the risk. If you don’t have a risk assessment, there’s going to be bad things happening if there’s a lawsuit, because in litigation the other side’s going to ask you, “So where’s your risk assessment so we can see on our own if the controls were appropriate?” So this is a gotcha that most folks don’t see in the statute, but I picked it up right away.

Statutory Damages and the CCPA

Also, notice that if the plaintiff wants to, they can go right to court and get what’s called statutory damages, which is basically, “I don’t know what the damages are. I’m just going to ask for a round number.” However, if they know or have a good idea what the damages are, they can go to court and just ask for whatever they want, and presumably they can get it, especially in a class action situation.

Curing the Breach Undefined by CCPA

Here’s the deal though. If you ask for statutory damages, basically it’s a gimme, or free damages. Then you have to give the victim, if you will, who got breached, the opportunity to cure the breach, and I’m using air quotes here, “to cure the breach”. What does that mean? We don’t know. Okay? They don’t define it in CCPA. They don’t define it in the regulations. So keep that in mind, that right now we don’t know what a cure means. We do know that if you mitigate the damages, that will go a long way to curing things, but that’s not a cure in and of itself.

First Class Action CCPA Lawsuit

Okay. This is the first lawsuit. This was filed here in San Francisco and, not terribly surprisingly, earlier in the month. It’s the first class action lawsuit. Notice in the orange box at the bottom, it is against Salesforce. We all, I think, know, have used or are using Salesforce, so this is the first class action complaint that cites CCPA, and in fact you can see it right there. So we have made history, folks. The first CCPA lawsuit here in lovely San Francisco. So if anyone tells you that this law is not live right now, you can point to this statute and say, “Yes, it’s live right now. This lawsuit proves it.”

California Breach and Security Statutes

Let’s talk about California breach and security statutes. There are two statutes in question I want you all to know about. Okay? One is the regular security statute. This says, and you can see in the red here, this says that you shall implement reasonable security procedures and practices, again, appropriate to the nature of the information. By now, you all know if it’s “appropriate to the nature”, it’s a risk assessment that’s being implicated here. That means you’ll have to have one of those ready to go. Again, this is an existing statute. This is way before CCPA came along. If someone wanted to file this lawsuit, they could use this. They don’t have to wait for CCPA.

Breach Notification Statute

Also the breach notification statute. There’s another gotcha here. Look at the bottom where it says, “The disclosure shall be made in the most expedient time possible and without unreasonable delay.” Whenever you see that phrase “without unreasonable delay”, that means do it now. If you have the capability, don’t wait.

Without Unreasonable Delay and Breach Notification

And I’ll give you a great example. Suppose you’ve got a contract with your customers, your vendors, your suppliers, that says “You must notify the vendor within five days or notify the customer within five days.” Well, guess what? That’s now your standard. If you can’t meet five days for your other customers, then the opposing party is going to ask you why not? You can meet it for customer X. Why not for customer Y? That means you created an unreasonable delay, and as we know, lawyers are all about what’s reasonable and unreasonable. In fact, we use that word quite a bit and it’s used a lot here in this kind of a statute. I’m going to a full stop there. Are there any questions or comments about anything I’ve said thus far? If so, my producer will be happy to take them now. Okay. Yes. Jody? My producer is right here.

Audience Question: How does that breach provision dovetail with the California breach notification?

This breach notification here, 82(a), is the California breach notification. That’s the thing: there is no breach notification under CCPA. So it indirectly dovetails with it. Yes, what you’re seeing here, and I’m glad you asked this, because 81.5 is security. Okay, that’s completely separate from CCPA, and then 82(a), that is the original breach notification statute from 2003. And they all dovetail indirectly. So this is the interesting thing. By the way, CCPA was written in six days, folks, not six weeks or six years. Six days, and it reads like it. So that’s why you get this very jarring comparison to other state statutes. I know, it’s great being a lawyer, but it’s probably not something you all want to do. Yes sir. Did you have a question?

Audience Question: What Are Reasonable Security Standards?

Oh really? Okay. All right. All right, that’s fine. I apologize for repeating apocrypha, but it is fun, you’ve got to admit. Okay, so what are reasonable security standards? Well, it just happens to be that about four years ago, the state attorney general Kamala Harris’s office produced a report on breach notification and breaches and security standards, and they cited the CIS CSC top 20, sometimes called the SANS top 20, to be used as the standard. So here it says that the SANS top 20 is the minimum level of security, and the failure to implement same is proof, or at least is a reasonable indication, of a lack of reasonable security. Again, there is that word “reasonable” that we use all the time.

Now you might think that CCPA cited this, but you would be wrong. CCPA did not cite this. The statute did not, the regulations did not. AG Becerra’s office did not cite this. It’s floating around out there, but still, it’s a very good reference document. It also speaks highly of other things, like HIPAA/HITECH and ISO 27K, but it really focused in on the CIS CSC top 20, so some food for thought there.

Consumer Rights Under The CCPA

Okay. Consumer rights under CCPA. So there are about seven big buckets of information or rights or responsibilities under CCPA. For our purposes, the two that we really care about: right to access, right to delete personal information. And here’s why. Because think about spouses breaking up or business partners breaking up. Potentially one party is going to want to get dirt on the other, or is going to want to do something bad to the other during the divorce or the split-up or what-have-you. So this is an especially vulnerable opportunity and an opportunity for you to run afoul of the law.

Right to Access and Right to Know

And I’ll give you an example here. So right to access, right to know is what they call it. It’s the same thing as a DSAR. If you’re familiar with GDPR, Data Subject Access Request, same exact idea. Five pieces of information. The what? So what categories of information, what specific information, who’s got it, where did you get it, why do you have it? This is something that you have to share within 45 days of a verifiable request. And you see “verifiable request” is in red because it’s information security. It applies to all of you, presumably. That’s why you’re here. So what is a verifiable request? It’s a request made by a consumer that the business can reasonably verify. There is that word again. You’re going to see it throughout this entire thing. And the business is not obligated to hand over that information if it cannot verify that the requester is who they say they are. So then the onus is on you to be able to develop these reasonable methodologies for finding out if someone really is who they say they are. That’s not easy.

Reasonable Method To Verify The Requester’s Identity

Now the CCPA regulations were issued in October. They were revised this month. You can see this is the first page here and Article Four is all about verification and requests. Your attorneys should be poring over this like it’s a sacred text, because there’s so much information here that they need to know. So for example, the business, that’s you, has to come up with a reasonable method for verifying that the requester is who they say they are. And when possible, if you’ve got information already about the requester, the alleged requester, match that up with what you already have and sync up the request that way.

Reasonable Procedures to Detect Fraudulent Activity

Also, you have to implement reasonable security procedures to detect fraudulent activity. We talked earlier about this idea of spouses in a divorce trying to get dirt on one another, or business partners trying to stick it to one another, if you will. This is a great opportunity where this comes up. The onus is on you to develop these security methods. The CCPA does not cite anything. It relies on you.

Verifying Identity With Account and Non-Account Holders

So two different kinds of tracks here. Password-protected, so you have an existing customer, they’ve got a password-protected account. Or someone that does not, they’ve called you out of the blue and they say, “Give me everything you’ve got on me.” Those are the two tracks that you’re going to deal with. Password-protected, a little bit easier. If you already have a relationship with this person allegedly asking for information about themselves, then you can verify that using your normal methodology. Say that you use two-factor authentication or you use some other mechanism, you can use that to verify this person and then go about your business as normal.

However, even here, if you suspect that there’s fraud and you have to set up red flags essentially trying to detect fraud, then you cannot give the information over to that requester. So this is why, just because someone has an account with you, doesn’t mean that they can just automatically ask for things and get them. You still have to have a mechanism to suss out people that have maybe taken over the account and are trying to get dirt, again on an opposing party or a spouse or what-have-you.

If there’s a non-account-holder, folks, this gets a lot tougher. Okay? So if someone wants… Say they don’t have an account with you, they’re just someone out of the blue. You’ve never seen them before. They want the categories of personal information that you’ve got about them. We collect social security numbers, we collect dates of birth, we collect IP addresses or GPS, what-have-you. Then they’ve got to match two points. You’ve got to match two points against data you already have on them. So if they’ve sent you their name and their address, you have to match that. That’s already in your system.

CCPA Affidavit System Setup

But it gets better. If they want to know specific pieces of information, then you’ve got to match three things and they have to sign an affidavit. But the state doesn’t really tell you how to set up any of this affidavit system to go and get this stuff signed. This is all falling to you. That’s the challenge that you’re facing, and no one is talking about this. They’re talking about other things and I’m not saying that’s wrong but this is the nitty-gritty of complying with CCPA and I hear very little discussion in the information-security world about it.

Verifying Identification of Non-Account Holders

So non-account-holders, again, this is going to be the tough nut. You have to verify them. Say they want to delete information, not just get it but delete it, which is potentially even worse because they may be deleting information about someone they don’t like and they’re pretending to be that person. So you either have to do it with a reasonable degree or reasonably high degree. Again, there is that word. It’s throughout this entire statute and regulation. So depending on the risk of harm, which means that again, you have to have an idea what the risk of harm is if someone gets that information, which means you have to do a risk assessment. So this all comes back to that risk assessment and getting an idea of just how bad things can be. If you’ve ever done a DPIA, data protection impact assessment, I worked on many of those when I was getting ready for GDPR. Same idea.

Risk of Fraudulent Identity Requests

What’s the worst that could happen if this information gets out? Suppose your HR system is exposed to the world, what damage could happen to your employees? It’s the same kind of inquiry that you’ll be making here. If there’s no reasonable way that you can verify someone is who they say they are, then you cannot give them the information. You tell them that. And also if this is how you treat everyone that is in the same situation, you can put that on your privacy notice, or what they call a “privacy policy”. It’s really your publicly-facing privacy statement.

Which Businesses Are Subject to CCPA?

So in summary, as a business subject to CCPA… And by the way, we still don’t know the exact threshold of who’s subject to CCPA. We know there’s a $25-million threshold, but we don’t know if that’s money made in California, money made in the US, money made worldwide, we still don’t know even to this day. So you must create a reasonable method for verifying people are who they say they are. When possible, don’t collect what I call radioactive information. Things like SSNs, driver’s-license numbers, medically-related information. Just avoid all of that if possible.

Risk Assessments and Understanding Harm

Understand the risk of harm. Again, there’s that idea of risk of harm, of doing a risk assessment ahead of time. And develop reasonable security practices. So this is where you’re really going to be called to rise to the occasion, because the state is not going to tell you how to do this. They’re asking you to look at practices like the CIS top 20, ISO 27K, your favorite control program, your favorite control set. I’m familiar with NIST 800-171. I used to work in the defense industry. Same idea. Pick a control set that you really like and execute well. It’s better to have a control set that maybe is not popular, but you know very well and you know you can execute, than picking something that’s just too big of an ocean to boil.

CCPA Checklist before July 1st, 2020

So, next steps. You have a checklist before July 1st. Get legal involved sooner rather than later. I can’t tell you how many times people have brought me agreements the day before they’re due to be signed and said, “Scott, would you take a quick look at this?” Guys, attorneys can’t take a quick look at anything. Okay? Except maybe the lunch menu. I can’t help you if you bring me something the day before it’s due. Get legal involved ahead of time, way early, when you’re doing these assessments to see if you’re meeting the standards that CCPA is requiring.

Data Inventories, Risk Assessments, and CCPA

Create a data inventory. Here’s the thing, when I did data inventories at my old company, for every two applications I would find, I would find a third we didn’t know about, so it’s like cleaning out your attic. You go in there and you find stuff you never knew you had. And believe me, if you can find it, you can bet the bad guys are going to find it before you do. They’re very good at that kind of stuff, so always get your data inventory. I’ll show you an example of one I really did in just a moment.

Conduct your risk assessments for the areas I cited in blue. Get your program, update it and document it and assume that it’s going to be reviewed in a trial, which means it should be very jury-friendly. I’ve just reviewed a couple of security programs yesterday and they’re not anything I would put in front of a jury. Unfortunately they are just all legalese. You want something that’s easily understandable by a jury.

Reasonable Methods of Verifying Identity

Develop your reasonable methods to verify that people are who they say they are, and deliver the information within 45 days. Test, test, test. Don’t wait until July 1st to test this, folks. I guarantee, as we’ve seen in recent events, software doesn’t always work the way you think it’s going to. Have a protocol, a ticketing system to make sure nothing falls through the cracks. That could be just a regular ticketing system you use for IT support. And work with legal when you’re doing your draft updates. Make sure there’s nothing in your draft updates on your privacy statement you’re not really doing, because I guarantee the FTC is going to find that and then go, “Wait a minute. You’re not doing that, but you say you’re doing it.” That’s an unfair or deceptive labor practice, and it’s an easy way to get sued and easy way to lose a lot of money. It’s a very low bar to clear to say something’s unfair or deceptive.

Data Inventory Example

Here’s an example of a data inventory. This is a real inventory, by the way. I really did it. I changed the names to protect the innocent. But in the red box is the real personal information that we found going through the system and finding exactly what is subject to, in this case, GDPR. It could have been CCPA. But this is real stuff. If you have questions about this, just email me or grab me at the booth later, but this is something that really needs to be done way before July 1st.

That’s all I have for you. Let me ask you this. Has this been helpful? Has it? Wonderful. If you have questions, see me. I’ll be in the back after we’re done, or come by the booth or send me an email. Thank you very much for joining us today.
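As an added example that is not part of Scott Giordano’s talk or of any Spirion product: the verification rules he walks through above, written out as decision logic. Account holders are verified through their normal login, but fraud red flags still block release; non-account holders must match two data points on file to learn the categories of information held, three points plus a signed declaration for the specific pieces, and a bar that rises with the risk of harm for deletion. The field names, the two-week credential-change window, the request-count threshold and the sample record are assumptions for illustration only, not anything from the talk or the regulations.

```python
"""CCPA request verification as decision logic. Added example, not from the talk;
field names, risk tiers, fraud indicators and the sample record are assumptions."""
import re
from dataclasses import dataclass, field
from enum import Enum


class RequestType(Enum):
    CATEGORIES = "categories"  # which categories of personal information we hold
    SPECIFIC = "specific"      # the specific pieces of personal information
    DELETE = "delete"          # delete the personal information


@dataclass
class Request:
    kind: RequestType
    claimed: dict                     # identifiers the requester supplied
    account_holder: bool = False      # has a password-protected account with us
    authenticated: bool = False       # passed normal login (and 2FA) for it
    signed_declaration: bool = False  # declaration attached (specific pieces)
    reply_channel: str = ""           # where they asked for the data to be sent
    days_since_credential_change: int = 9999
    requests_last_24h: int = 1


@dataclass
class Decision:
    verified: bool
    required: int
    matched: list = field(default_factory=list)
    reason: str = ""


def normalize(name: str, value: str) -> str:
    """Canonicalise a data point so formatting differences do not defeat a match."""
    v = value.strip().lower()
    if name == "phone":
        return re.sub(r"\D", "", v)[-10:]   # last ten digits
    if name == "postal_code":
        return re.sub(r"\D", "", v)[:5]     # five-digit ZIP
    return re.sub(r"\s+", " ", v)


def match_points(stored: dict, claimed: dict) -> list:
    """Names of the data points the requester got right (never echo the values)."""
    return sorted(k for k, v in claimed.items()
                  if k in stored and normalize(k, stored[k]) == normalize(k, v))


def required_points(kind: RequestType, high_risk: bool) -> int:
    """Non-account-holder bar: two points for categories, three for specific
    pieces; deletion needs 'reasonable' (2) or 'reasonably high' (3) certainty
    depending on the risk of harm found in the risk assessment (assumed tiers)."""
    if kind is RequestType.CATEGORIES:
        return 2
    if kind is RequestType.SPECIFIC:
        return 3
    return 3 if high_risk else 2


def fraud_flags(req: Request, stored: dict) -> list:
    """Red flags for account takeover or impersonation (assumed indicators)."""
    flags = []
    if req.days_since_credential_change < 14:
        flags.append("credentials changed recently")
    on_file = stored.get("email")
    if (req.reply_channel and on_file
            and normalize("email", req.reply_channel) != normalize("email", on_file)):
        flags.append("reply channel differs from the contact on file")
    if req.requests_last_24h > 3:
        flags.append("repeated requests for the same identity")
    return flags


def decide(req: Request, stored: dict, high_risk: bool = False) -> Decision:
    """Is this a verifiable request? When in doubt, deny and say why."""
    flags = fraud_flags(req, stored)
    matched = match_points(stored, req.claimed)
    if req.account_holder:                       # track 1: password-protected account
        if not req.authenticated:
            return Decision(False, 0, matched, "account holder must log in first")
        if flags:
            return Decision(False, 0, matched, "fraud indicators: " + "; ".join(flags))
        return Decision(True, 0, matched, "authenticated account holder")
    need = required_points(req.kind, high_risk)  # track 2: no account with us
    if len(matched) < need:
        return Decision(False, need, matched, f"matched {len(matched)} of {need} data points")
    if req.kind is RequestType.SPECIFIC and not req.signed_declaration:
        return Decision(False, need, matched, "signed declaration required")
    if flags:
        return Decision(False, need, matched, "fraud indicators: " + "; ".join(flags))
    return Decision(True, need, matched, "verified")


# Constructed sample record; a real system looks this up via the data inventory.
SAMPLE_RECORD = {"name": "Alex Doe", "email": "alex@example.com",
                 "phone": "+1 (415) 555-0100", "postal_code": "94103"}

if __name__ == "__main__":
    req = Request(RequestType.CATEGORIES, {"name": "alex doe", "phone": "4155550100"})
    print(decide(req, SAMPLE_RECORD))
```

Two design points worth carrying into a real implementation: the response names only which data points matched, never the stored values, so a failed attempt cannot be used to fish for the information it was denied; and every denial carries a reason string, which is what a ticketing system and, later, opposing counsel will want to see when you explain why a request was refused.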

Want to know more about the information covered in this talk?

Check out our resources below.

Webinar On-Demand: The California Consumer Privacy Act: Your Questions, Answered.

White Paper: California Consumer Privacy Act (CCPA) Compliance

Blog Post: How to Prepare for Data Breaches in 2020

Blog Post: Data Privacy and Compliance (CCPA, CPREA, GDPR): A Look Ahead for 2020

Blog Post: The Final CCPA Amendments Are In