Cybersecurity Roundup: California Privacy Law, Pensacola Attack, Bitdefender-Datto and More
Ready or not, the California Consumer Privacy Act (CCPA), the most comprehensive U.S. data privacy law to date, will go into effect on Jan. 1.
While the General Data Protection Regulation (GDPR) protects personal data that could potentially identify a specific individual, such as name, address, telephone number and national identification number, CCPA's definition of personal information explicitly goes further to include product purchase history, social media activity, IP addresses and household information.
The California Attorney General can fine companies $2,500 per violation or up to $7,500 for each intentional violation, and every individual affected by a violation is counted as a separate violation, so an intentional breach of 100,000 people's data could bring a total fine of up to $750 million. On top of that, the law's statutory damages of $100 to $750 per consumer per incident (or actual damages, whichever is greater) would add $10 million to $75 million payable to the victims.
Businesses are granted a 30-day cure period for most violations, but CCPA, like GDPR, provides a private right of action for certain data breaches, so an individual can sue a company directly.
To learn more about CCPA and its implications for the channel, we spoke with Chet Wisniewski, Sophos' principal research scientist; Mike Nelson, DigiCert's vice president of IoT security; and Morey Haber, BeyondTrust's CTO and CISO.
Anyone doing business with California residents that has revenues greater than $25 million, trades in the personal information of more than 50,000 people, or derives 50% or more of its revenue from selling personal information will need to comply, Wisniewski said. Most small businesses would be exempt under these rules, but the law will still impact a huge number of organizations, he said.
“Compliance is big business, and most companies will need to revise their privacy policies, procedures and tools that interact with consumers to comply with the legislation,” he said. “Another emerging risk is many new forms of ransomware, like Snatch, that not only lock up data but steal information before the ransom attack. Companies required to comply with both CCPA and GDPR will now need to report these incidents. This might be a big incentive for companies to look more seriously at outsourcing more of their security to larger, more specialized service providers who can stay on top of the latest threats and regulations.”
CCPA requires businesses to change their processes around consumer data collection, Nelson said. The law gives consumers more awareness of what is happening with their data and allows them to opt in to or out of that data sharing. The secure handling of that data is, and always has been, a critical security practice, he said.
“I don’t see this regulation being a big driver for more managed security services,” he said. “However, businesses will need to build automated systems that enable the type of consumer communication required to be compliant with the regulation. Changing processes in any large business is costly. These costs can come in the form of process change, development, legal and compliance.”
Any business that operates only with other businesses is arguably excluded from this act as long as they do not collect an individual’s personal consumer data, Haber…