The California Consumer Privacy Act (CCPA) has ushered in a new era of privacy regulation that is quickly spreading throughout the United States. Data privacy used to be a legal problem. Today, privacy is shaping up to be a board-level, operational, and cybersecurity issue. Enforcement actions are ramping up across California, with regulators asking pointed questions about whether organizations have demonstrated “reasonable security” by implementing documented risk analysis processes that are defensible under CCPA regulations.
CCPA reasonable security requirements aren’t optional for IT professionals and business leaders. They’re a governance and risk management imperative.
Who does CCPA apply to?
CCPA applies to any for-profit organization that collects “personal information” about California residents and either generates more than $25 million in annual revenue, buys or sells the personal information of 50,000 or more consumers, or houses or processes the personal information of 50,000 or more consumers. Most organizations operate online or nationwide, which is why many businesses outside California find themselves subject to CCPA regulations.
CPRA Requirements Expand CCPA Compliance Obligations
CPRA, which amended and expanded CCPA, established the California Privacy Protection Agency (CPPA) to oversee enforcement of CCPA regulations. CPRA also introduced several additional requirements, including mandatory risk assessments and cybersecurity audits/penetration testing for certain “high-risk” processing activities.
Specifically, CPRA requires companies to have formal security programs that include documented risk analysis aligned with industry standards such as NIST or ISO 27001/27002. Regulatory agencies won’t simply take your word for it that you have put policies in place. You must be able to document that you have put security controls into place that are reasonable for your organization.
What are the key requirements of CCPA?
CCPA and CPRA provide consumers with rights to:
- know what personal data is collected
- delete personal data
- correct inaccurate personal data
- opt-out of sale/sharing
- obtain data privacy protections for sensitive personal information
Key for IT/security teams: CCPA and CPRA require organizations to implement “reasonable security procedures and practices” to protect personal information. Reasonable security means security controls that are aligned with your organization’s risk profile and are built using a documented cybersecurity risk management framework that aligns with industry standards such as NIST CSF or ISO 27001/27002.
CPRA Enforcement Guidelines Expand on CCPA’s “Reasonable Security” Requirements
“Reasonable security” might sound vague, but California regulators and courts are increasingly defining it as risk-based cybersecurity programs that are well-documented and aligned with industry standards.
Under CCPA, businesses that suffer a breach as a result of failing to implement reasonable security measures can be liable for statutory damages and will certainly be subject to enforcement by California regulatory agencies. Recently, the California AG’s Office issued its first regulatory action involving a purportedly defective opt-out “Do Not Sell My Personal Information” link. And it’s just the beginning. Several recent settlements confirm the Attorney General’s office is actively investigating how organizations handle consumer opt-out requests, sharing, and security safeguards for personal information.
In other words, “reasonable security” needs to be demonstrated through a documented risk analysis process.
How do you prove reasonable security?
Demonstrating “reasonable security” starts with comprehensive risk analysis. That’s where Duty of Care Risk Analysis (DoCRA) comes in.
DoCRA is a formal risk analysis method that helps organizations determine if safeguards are reasonable by assessing:
- Risk to individuals
- Risk to the organization
- Burden of safeguards
- Requirements under law
DoCRA is aligned with risk analysis standards from NIST (SP 800-30) and ISO 27005. By using DoCRA risk analysis to assess your safeguards, you can have greater confidence that you’ve met your legal duty of care to protect personal information. Rather than indiscriminately applying cybersecurity controls until you feel like “you’ve done enough,” DoCRA creates a repeatable process to make security decisions you can defend if breached.
Learn more about DoCRA’s Risk Analysis Methodology.
For organizations subject to CCPA/CPRA compliance obligations, risk analysis is your opportunity to ask and answer the following question: Do we have evidence that our security controls are reasonable for our organization?
Implications of CCPA and CPRA for IT Professionals
If you’re an IT or information security professional, CCPA’s reasonable security requirements should have you thinking about:
- Data mapping/inventory
- Risk assessments for high-risk processing activities
- Documenting your cybersecurity program
- Vendor risk management
- Breach detection/response readiness
- Technical security controls such as encryption, multi-factor authentication, access controls, etc.
Regulators want to see cybersecurity risk assessments and privacy risk assessments that have been documented. If your organization suffers a data breach, the first question regulators will want answered is: Did you perform a risk analysis? And if so, was your risk analysis defensible?
We’ve already seen several high-profile CCPA breaches in the healthcare, financial services, and retail industries. Once a breach occurs, it doesn’t take long for regulators to step in with audits and investigations. Plaintiffs’ attorneys are also filing lawsuits against breached businesses under the CCPA’s new private right of action. Don’t wait until after a breach to start managing your risk: CCPA violations could mean exposure to statutory damages for consumers affected by a breach.
Enforcement is already happening under CPRA. Other states are following California’s lead by enacting privacy laws with similar penalties and requirements. California lawmakers passed the CCPA’s “private right of action,” enabling plaintiffs’ lawyers to file breach-related lawsuits. The time to remediate gaps in your compliance program is not after a breach or the notification of a cybersecurity audit.
How to Prepare for CCPA Regulatory Compliance Audits
- Data Mapping/Inventory
  Knowing what personal information you process, where it is stored, how long you retain it, and who has access is foundational for your risk analysis and cybersecurity programs.
- Privacy Risk Assessment
  Perform a privacy risk assessment to identify high-risk processing activities. High-risk processing often involves sensitive personal information or automated decision-making. You may also want to conduct a risk assessment specifically for high-risk processing activities as required by CPRA.
- Cybersecurity Risk Assessment
  Conduct a risk assessment using a defensible methodology like DoCRA. Align your cybersecurity risk assessment with NIST, ISO 27001/27002, or other industry standards to determine if your safeguards provide “reasonable security” under CCPA.
- Implement Security Safeguards
  Technical safeguards like encryption, endpoint protection, access controls, vulnerability management, logging and monitoring, and secure development are all cybersecurity basics. Implement appropriate safeguards as part of your cybersecurity program to protect personal information.
- Penetration Testing
  While not explicitly required under CCPA, penetration testing is a great way to verify your security controls are effective and identify vulnerabilities before the bad guys do.
- Document, Document, Document
  Having a robust cybersecurity program isn’t enough. You must be able to prove it. Document your risk analysis, security decisions, safeguards put in place, and follow-up remediation efforts.
HALOCK Cybersecurity Risk Assessments Meet CCPA Compliance Requirements
HALOCK’s cybersecurity risk assessments are intentionally designed to help organizations prepare for cybersecurity audits and regulatory compliance. Below are links to learn more about how our Cybersecurity Risk Assessments, Privacy Risk Assessments, and Penetration Testing services can help your organization meet CCPA compliance requirements.
Privacy Risk Assessment
HALOCK’s Privacy Risk Assessment report includes findings related to CPRA’s requirements for high-risk processing.
AI Risk Assessment
Regulators and standards bodies in the United States and the European Union have begun to call out the need for AI Risk Assessments and governance to manage those AI risks.
Cybersecurity Risk Assessments
Our cybersecurity assessments are based on the Duty of Care Risk Analysis (DoCRA) methodology. DoCRA is a formal risk analysis method aligned with industry standards like NIST CSF and ISO 27001/27002. Using DoCRA to power our cybersecurity assessments helps us provide clients with legally defensible risk analysis supporting their cybersecurity programs.
Penetration Testing
Penetration testing helps verify your security controls are effective and satisfies many internal audit teams when they see it included as part of a cybersecurity program. Learn more about HALOCK Penetration Testing.
Achieving CCPA Compliance: Tying it All Together
Cybersecurity and data privacy professionals can leverage penetration testing, privacy risk assessments, and cybersecurity risk assessments to create a comprehensive compliance program. By performing all three, organizations can identify high-risk processing activities and vulnerabilities, and have audit-ready documentation that demonstrates their efforts to remediate vulnerabilities and implement reasonable security practices.
Key Takeaways
CCPA compliance isn’t optional. It’s the new normal. Building a cybersecurity program that aligns with CCPA requirements takes more than checking boxes. IT professionals must leverage risk analysis to make defensible decisions about what safeguards are appropriate for their organization.
Interested in learning more about how HALOCK’s cybersecurity and privacy services can help you meet CCPA requirements? Contact us using the form below, and a member of our team will be in touch soon.
Sources:
California Consumer Privacy Act (CCPA)
California Privacy Rights Act (CPRA)
Duty of Care Risk Analysis (DoCRA)
HALOCK Privacy Risk Assessment
HALOCK Cybersecurity Risk Assessments
HALOCK Penetration Testing