Did you know that nine out of ten Americans consider online privacy a significant issue? According to a Gartner Survey, 88% of Boards of Directors view cybersecurity as a business risk.
With data security always at risk, businesses must adopt adequate security measures to combat evolving threats and take a proactive approach to safeguarding personal information, ensuring compliance with data privacy laws such as the California Privacy Rights Act (CPRA).
What is the CPRA?
The CPRA is an expansion of the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020. The CPRA took effect on December 16, 2020, but most of the provisions revising the CCPA didn't become operative until January 1, 2023.
The CPRA is designed to enhance the privacy rights of California residents. It does so by introducing new protections, such as:
- Creating a new enforcement agency known as the California Privacy Protection Agency (CPPA).
- Empowering consumers with the right to correct personal information, such as any inaccuracies in their personal data.
- Empowering consumers with the right to limit the use of sensitive personal information such as health data, racial information and geolocation.
- Empowering consumers with stronger opt-out rights to opt out of sharing personal data for cross-context behavioral advertising.
- Expands the definition of personal information to include new categories, such as sensitive personal information.
- Obligates businesses to inform consumers about how long they plan to retain a consumer’s personal data under the new data retention requirements.
- Introduces new contractual requirements for third parties, requiring service providers and contractors to protect consumer data through binding contracts.
- Introduces stringent requirements for businesses handling the personal information of minors, meaning individuals under 16.
- Obligates businesses that engage in handling high-risk data to conduct annual risk assessments and audits, ensuring top-notch data security.
Learn more about the CPRA.
The Role of Data Security in CPRA
The CPRA introduces several obligations on businesses, particularly addressing key data security provisions. It defines security and integrity as the ability of networks or information systems to detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal information. It requires businesses to detect security incidents, resist malicious, deceptive, fraudulent, or illegal actions, assist in prosecuting those responsible for such actions, and ensure the physical safety of natural persons.
Several sections of the CPRA outline data security requirements, including:
A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.
Under (a)(15), businesses are required to conduct a cybersecurity audit on an annual basis, including defining the audit scope and establishing a process to ensure thorough and independent audits. The factors to be considered in determining when processing may result in a significant risk to the security of personal information include the size and complexity of the business, as well as the nature and scope of the processing activities.
Under (d)(2), businesses are required to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for those purposes.
Under (a)(1), if a consumer’s personal information (that is not encrypted or redacted) — or their email address combined with a password or security answer — is accessed, stolen, or disclosed without authorization, and this happens because a business did not implement adequate security measures, then the consumer has the legal right to sue the business (a civil action) for damages (money for harm done), an order to make the business fix its security practices, or Both.
In essence, the CPRA mandates businesses to implement reasonable security measures, conduct risk assessments and cybersecurity audits, and ensure data minimization and retention.
Key Steps Toward CPRA-Compliant Data Security
Here are practical steps businesses can take to align their data security practices with CPRA:
The CPRA defines sensitive personal information as personal information that reveals the following:
- A consumer’s social security, driver’s license, state identification card, or passport number.
- A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
- A consumer’s precise geolocation.
- A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership.
- The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication.
- A consumer’s genetic data.
By understanding the scope of sensitive personal information, businesses can categorize and classify information that needs additional security guardrails and protect sensitive data.
2. Conduct Data Inventory and Data Mapping
Businesses should conduct a data inventory and mapping activity to identify and document the personal and sensitive information they collect, process, store, and share. By doing so, businesses can better understand data flows — where data originates, where it’s stored, who accesses it, and where it’s directed.
3. Implement Robust Data Security Measures
As an industry best practice, businesses should implement robust data security measures, including encrypting data at rest and in transit, engaging multi-factor authentication (MFA), assigning role-based access control, and updating systems with necessary patches to defend against evolving threats.
4. Data Minimization, Limitation, and Retention
Under Section 1798.100(a)(3), businesses must inform consumers how long they plan to keep each category of personal and sensitive personal information. If a specific time can't be provided, they must explain the criteria used to decide the retention period. In any case, data must not be kept longer than reasonably necessary for the purpose for which it was collected. As a best practice, businesses should create or update a well-defined data retention policy.
Apart from enforcing a data retention policy, businesses should adopt a comprehensive data minimization approach. This involves routinely assessing stored data, identifying information that is no longer needed, and making ethical and legally right decisions with such data, including safely deleting it or relocating it to cold storage or archive systems.
5. Vendor Risk Management
Businesses are responsible for ensuring that contractors and service providers comply with the CPRA's data security regulations. This entails conducting due diligence and audits, monitoring vendor performance and compliance, and revising contracts to include CPRA-specific provisions.
Businesses should conduct cybersecurity audits on an annual basis, including defining the audit scope and establishing a process to ensure thorough and independent audits. Annual audits provide a comprehensive overview of an organization’s data security posture, whether there are any vulnerabilities and which areas need security patches and improvement.
7. Prepare for CPPA Enforcement
At the core of a robust data security posture is the groundwork of processes, structures, frameworks, and collaboration among teams that work together to prepare for CPRA compliance. The CPPA is the primary authority responsible for auditing and enforcing compliance with the regulations. Noncompliance penalties can range from $2,500 to $7,500 per violation, depending on the nature, impact, frequency, and other relevant factors.
Enhance Your Data Security Posture
Staying compliant with the CPRA is an ongoing process, not a one-time checkbox. Businesses should implement adequate security measures that enhance the organization’s overall data security posture.
Securiti is the pioneer of the Data Command Center, a centralized platform that provides a built-in Data Security Posture Management (DSPM) solution, enabling organizations to secure sensitive data across multiple public clouds, private clouds, data lakes and warehouses, and SaaS applications, protecting both data at rest and in motion.
Organizations can leverage contextual data intelligence and controls to discover and classify data, minimize ROT (Redundant, Obsolete, and Trivial) data risk, reduce misconfiguration vulnerabilities, prevent unauthorized data access, understand data flow, and enforce consistent security controls across the data journey, including real-time streaming data, while also managing compliance and breach risk.
Request a demo to learn more.
