Two recent privacy laws—GDPR and the California Consumer Privacy Act (AB-375) --focus more attention on protecting digital privacy of individuals. Both laws will require that security professional up their game. In this post I will cover some of the security implications of AB 375. Gone are the days when privacy requirements could be handed off to privacy officers or legal counsel. Today’s requirements are so granular that they will require new security technology, processes and knowledge.
To summarize the California Consumer Privacy Act of 2018:
- It goes into effect January 1, 2020
- It includes a private right of action in breaches involving unencrypted or nonredacted personal information
- It offers California citizens the right to
- Know what information is being collected about them
- Know if their information is being sold and to whom
- Forbid sale of personal information
- Gain access to their personal information
- Retain their rights to equitable service even if they forbid sale of their information
- Exceptions are made for business that are not located in California and do business outside of the state. This exception would apply to Las Vegas casinos, even when serving California citizens.
What are some of the implications of these rights for security professionals? Broadly, they fall into the requirements for confidentiality, integrity and risk management. One area is data classification and handling. Often neglected in risk management, it is now front and center. Businesses must know what information they are collecting and where they are getting it from. Businesses will have to respond to consumer requests regarding the categories of information they keep about consumers. Classification must include: categories of information; specific pieces of information collected; sources of information; commercial purpose for collecting; third parties to whom the data is sold; whether the information may be sold or not.
The definition of “personal information” is now broader than what many consider at first glance. AB-375 defines it as: “information that identifies, relates to, describes, is capable of being associated with, or could reasonable be linked, directly or indirectly, with a particular consumer or household. Identifiers include: name, address, IP address, email address, browsing history, search history, geolocation data, employment information, audio information, etc. More categories of data will need to be protected by organizations covered by this law.
Consumers now have the right to request deletion of their information. This mandates that data flow diagrams be created showing the lifecycle of the data. These have been required by PCI DSS and now will be required to effectively assure data destruction of other categories of personal information. More demanding are third party contracts, which now must require data destruction on an individual record basis. Security officers will need some type of assurance that this is being done.
AB-375 does not restrict businesses from collecting, using, retaining, selling or disclosing information that is deidentified. The bill requires that businesses have technical controls to prevent consumer information from being associated to a consumer, either directly or indirectly. Security professionals will need to understand how “deidentified” is interpreted under this and other privacy regulations and be prepared to support the definition with technology.
Another issue is authentication of consumers who request information about their data. The law requires that a response be provided within 45 days (extensible to 90 days). The security team will need to have a process for verification of the identity of the consumer before any information is released.
For overall risk management, AB-375 provides some financial penalties to document security impact. Damages up to $750 per incident per consumer may be sought in private action by the consumer. If your firm maintains records on 1000 consumers, you could be liable for $750,000 under a class action. In addition, the California Attorney General can bring a civil action against a firm in violation of the law and fines up to $7500 per incident can be levied.
This post illustrates the new frontier for security officers: privacy technology. While not completely new, the teeth provided by GDPR and AB-375 suggest that we all step up our knowledge of privacy technologies and processes.