The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, and auditing and enforcement started on July 1. This new privacy regulation will have a significant impact on privacy initiatives not only in California, but also on organizations that have significant business operations in the state and are, therefore, collecting or have access to CA residents’ data.
The majority of initial discussions on CCPA focused on the obligation of businesses to honor California residents’ requests to access, delete, and opt-out of data collection. If you are a CA resident, you are very familiar with the incessant privacy notices that pop-up every time you visit a website. The other topic of conversation surrounding CCPA centered on the obligation to stop selling consumer data upon an individual’s request.
There is a small section in the CCPA document that focuses on data breaches and security. In my opinion, the violations outlined in these clauses have significantly greater impact on a business’s brand and future top-line growth. Private litigants did not waste any time filing lawsuits under the new law. For example, Marriott International announced a breach, which impacted 5.2 million customers, on March 31, 2020. A couple of days later (April 3), a CA consumer filed a class action lawsuit against the company under the CCPA data breach clause. If you’d like to learn more about this case and similar legal actions, privacy law firm Kelley Drye publishes a quarterly CCPA Litigation Round-up.
With all this talk of regulations, you may be wondering what role micro-segmentation plays in CCPA and how you can use micro-segmentation to address your CCPA data breach exposure.
So, with that in mind, let’s dig deeper into what CCPA is, and focus on the security and data breach protection requirements. (Legal disclaimer: although I consulted with Illumio’s security and legal teams on the contents in this blog, the information should not be considered as legal advice.
What is CCPA?
Officially called AB-375, the California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States. The bill was passed by the California State Legislature and signed into law on June 28, 2018 and came into effect on January 1, 2020.
Who is required to comply with CCPA?
Your organization is legally obligated to comply with CCPA if it meets the following criteria: (1) operates for profit, and (2) collects consumer personal information on California residents, and (3) are doing business in California – AND also crosses at least one of the thresholds listed: (1) annual gross revenues exceed $25 million, or (2) annually buys, receives, shares or sells personal information of 50,000 or more consumers, households, or devices, or (3) derives more than 50% of its annual revenue from selling consumers’ personal information.
Also, an entity is considered a “business” and covered by CCPA if it controls or is controlled by an entity that meets the above criteria and shares common branding with that entity.
The legalese in this section is a tad confusing, so as a reminder, please check with your legal counsel to determine if your company is covered by CCPA.
What are the covered organizations’ obligations under CCPA?
Many Tier 1 and Tier 2 law firms have published articles on this topic, so I will not spend a lot of time on this. Google is your friend. To summarize, the obligations include but are not limited to:
- Provide consumers with a clear way to opt-out of the business’ sale of the consumer’s personal information. (Note that personal information is not equal to PII. See next question for more details.)
- Notify the consumer about its data collection, sale and disclosure practices.
- Provide the consumer the ability to access the personal information collected.
- Provide the consumer the ability to erase/request deletion of personal information collected by the business.
- Implement reasonable security procedures to secure consumer data from data breaches.
What is considered personal information under CCPA?
Note that CCPA language refers to personal information and not only PII (personally identifiable information). The definition of personal information under CCPA is also quite broad and includes but is not limited to the following categories:
- Direct identifiers – real name, alias, postal address, social security numbers, driver's license, passport information, and signature. These are considered PII.
- Indirect identifiers – cookies, beacons, pixel tags, telephone numbers, IP addresses, account names.
- Biometric data – face, retina, fingerprints, DNA, voice recordings, health data. These are considered PII.
- Geolocation – location history via devices.
- Internet activity – browsing history, search history, data on interaction with a webpage, application or advertisement.
- Sensitive information – personal characteristics, behavior, religious or political convictions, sexual preferences, employment and education data, financial and medical information.
You should check with your legal counsel and security teams to confirm the categories covered by the CCPA privacy and data breach security clauses. This analysis will help you determine the scope of your CCPA-related security obligations.
Since you are likely thinking about CCPA from the perspective of data breach exposure, I want to double-click on this issue.
What are the security obligations under CCPA?
The official CCPA document is surprisingly short, and if you have the chance to read it, you will realize that there is no prescriptive language on data security. It does include the data breach clause, which creates a private right of action for data breaches arising from failure to maintain “reasonable security” under California Civil Code 1798.81.5 (d)(1)(A). (Another reminder to please check with your lawyer).
It also includes language on a consumer’s data breach rights, which penalizes covered businesses for breaches arising from a “violation of the duty to implement and maintain reasonable security procedures and practices”.
What is the recommendation for implementing “reasonable security measures”?
CCPA does not provide prescriptive guidance on “reasonable security.” Kamala Harris, who was the CA State AG during time the law was drafted, opined in the CA Data Breach Report 2012-2015 that the state considers the Center for Internet Security (CIS) Top 20 Security Controls as the baseline for reasonable security procedures and practices. There has been no update to this opinion from the current CA State AG, Xavier Becerra, so we can assume that the 2016 recommendations still stand.
What are the CIS Top 20 Security Controls?
The CIS Top 20 Security Controls Framework has been around for more than 10 years and is updated frequently. The framework is derived from the most common attack patterns highlighted in the leading threat reports and vetted across a very broad community of government and industry practitioners. It reflects the combined knowledge of commercial and government forensic and incident response experts. It is no surprise that the CA State AG would recommend this framework as the baseline, because many organizations already take this approach, and then augment the controls to address their environment’s specific requirements.
Just to be clear, you cannot rely on a single product to implement these controls. Ideally, you will want a solution that supports the enablement of these controls and has robust APIs to play well with your other security investments such as your SIEM, vulnerability scanners, CMDB, SCMs, container orchestration, etc.
Illumio directly meets and supports 16 of the CIS Top 20 Security Controls. Here is a high-level mapping for easy viewing. I recently authored a separate blog on Mapping Illumio to the CIS Top 20 Controls if you want to double-click on each of these controls. (Note: “supports” in the Illumio capability column means that customers use Illumio data or feature to enable a portion of the control.
How can organizations use Illumio and the CIS Top 20 Security Controls Framework to enable the “reasonable security measures” requirements of CCPA?
If you have adopted the CIS Top 20 Controls to meet your CCPA security obligations, you can use Illumio to:
- Gain better visibility and effectively assess the scope of security obligations. CCPA requires organizations to create and maintain an inventory of all resources and applications that collect and store consumer data. To address this, Illumio provides real-time visibility. You can use the application dependency map to start creating your inventory and to validate the accuracy of the information typically found in static, point-in-time tools like asset management and CMDB systems. With little effort, you can see which applications, data stores, machines, workloads, and endpoints are in-scope for CCPA, and which connections and flows are authorized.
- Reduce your attack surface and make it more difficult for bad actors to reach your CCPA data. Illumio helps you design and apply policies to ringfence applications and traffic between workloads, between workloads and users, and between user endpoints by programming the Layer 3/Layer 4 stateful firewalls that reside in each host.
- Maintain and monitor your micro-segmentation security posture. Illumio’s agents, better known as VENs, act like sensors and continuously monitor your environment for new workload and end-user connections, and also for changes in connectivity to any data and applications that are in scope for CCPA. It can also block unauthorized connections or attempts to connect.
- Increase time to security compliance. The CCPA deadline was January 1, 2020. Enforcement, audits, and reporting began on July 1, 2020. Illumio will help meet the CIS 20 controls quickly by accelerating planning and design with real-time visibility and label-based policy modeling. A multi-OS, host level micro-segmentation solution means that you do not have to re-architect your network/SDN.
If you’d like to learn more about Illumio’s capabilities, check out Illumio ASP.