The California Consumer Privacy Act (CCPA) is having an impact on the security professionals, auditors, managers and boards responsible for ensuring its effective implementation. The act, which governs the disclosure of data and the sharing of California residents’ personal information, became effective 1 January 2020. Of particular concern is the CCPA’s requirement that enterprises demonstrate use of the proper level of encryption to mitigate the risk of a data breach.
Given CCPA and regulatory requirements to encrypt data—whether at rest, in transit or in motion—there are certain risk factors that must be assessed and mitigated. Encryption disguises information by using a mathematical formula (algorithm) known as a cipher. Another look must be taken at the audit program currently used to identify, review and evaluate controls to ensure that it encompasses controls over privacy. Further, this program must assess and cross-reference other related internal and regulatory controls, such as International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001, ISO/IEC 27017, Gramm-Leach-Bliley Act (GLBA), Payment Card Industry Data Security Standard (PCI DSS).
The practical steps organizations should take are:
- Ensure there is a roadmap to compliance. There should be a program and plan to ensure that the enterprise has the expertise, strategy and answers to obtain compliance, and the organization has a program management function to track compliance.
- Ensure you meet baseline requirements. It behooves the organization to validate that process and programs supported by technology and people are in sync to ensure success by validating all artifacts to foster compliance with the relevant requirements.
- Ensure governance, such as policies and procedures, is operationalized.
- Ensure that management and IT are negotiating the nexus of the technical requirements to implement and foster improved security controls with the practical and the enterprise’s strategy to foster compliance.
- Ensure progress is made toward compliance and certification year after year. This shows regulators that the enterprise is resolved to continually improve their control and security posture and execute their programs with employee support.
Editor’s note: For further insights on this topic, read Larry Marks’ recent Journal article: “The California Consumer Privacy Act and Encryption: Theory, Practice, Risk Assessment and Risk Mitigation,” ISACA® Journal, volume 2, 2020.