Menu

Articles & Blogs

Who should prepare for the California Consumer Privacy Act?

September 5, 2019 | By Accorian

Any for-profit company that does business or has customers in California should prepare for the California Consumer Privacy Act (CCPA). Here’s why they should.

The CCPA applies to businesses that are collecting data and personal information of residents in California, who meet one of the following conditions:

  1. Has an annual gross revenue of $25 million or more.
  2. The organization stores the data for over 50,000 or more consumers, households or devices.
  3. Selling consumers’ personal data yields to 50% or more of the annual revenue.

The General Data Protection Regulation (GDPR) that took effect May 25, 2018 has inspired law makes to look into new ways to protect the consumer. 

The California Consumer Privacy Act (CCPA)  legislation passed in 2018 and will take effect in the State of California on January 1, 2020. 

This new law will give California residents the right to:

  • Access their personal information that was collected
  • Request that their personal data be deleted from the company’s database
  • Opt-out of the sales or transfer of their personal information to third parties
  • To be treated the same as others who allow the company to use their data 

How similar is CCPA to GDPR?

While CCPA is similar to GDPR, they have their differences. The chart below shows some of the similarities.

GDPR (General Data Protection Regulation) is a bill designed to protect and control the usage of the personal data of European (EU) citizens in and outside Europe. The legislation applies to all companies who collect, store and process any data belonging to EU citizens. This law affects companies regardless of where they are located in the world. If you’re dealing with EU citizens, you need to comply with GDPR. 

CCPA (California Consumer Privacy Act) is an online privacy act that closely mirrors the GDPR, but it was made for  residents of California.

 The bill was signed into law in June 2018 and will go into effect in January 2020. Similar to the GDPR, the CCPA allows any California consumer to request any data that U.S company has collected from them. It also allows them to request the deletion of that data, and failure to comply with those requests can result in fines. 

At a recent Press Conference, California Attorney General Xavier Becerra said that the CCPA is “groundbreaking protection for consumers, it gives them the ability to control the use of their personal data and once again we’re first in the nation to do something like the CCPA act.”

Will other states enact similar laws?

Why does California’s new law matter to everyone else? It’s part of a global trend that pushes companies to have greater accountability and to respect their consumer data.

Consumers around the globe gravitate towards companies that respect their privacy. These laws not only allow customers to view the data that is collected on them, they will also be able to request that data from those companies without any issues. 

Nevada recently passed an online privacy amendment, meanwhile proposals in Washington DC and in New York seem to be gaining attention. However some states are slow to enact strict privacy laws. A bill similar to CCPA failed to pass in Texas and Washington. 

Privacy laws can help your business

As consumers trust in large corporations continue to decrease, it’s important that businesses take steps to become compliant. When a company takes GDPR and CCPA seriously, it makes them seem trustworthy to customers which is a huge big benefit for them. Reducing risks also lowers the risk of fines that can affect a company’s profit margin. More companies are working on become compliant through HIPAA and a HITRUST certification.

Start preparing early

“While this law just covers California currently, large companies will soon have to offer similar rights to Americans,” said Alastair Mactaggart, the chief advocate of the CCPA.

While some larger companies have addressed both GDPR and CCPA, mid-market and smaller companies also need to take action. So what needs to be done?

Create data profiles – your company should know where your customer’s data is located and who has access to it. 

Review your company’s data-governance – If your company collects consumer data in any way, you should evaluate your collection practices. For example, retail companies with loyalty programs will need to adapt data tools that allow them to comply with privacy laws. 

Assess your privacy controls – Update processes and software, install patches and look for gaps in meeting CCPA requirements.

Set up a CCPA management team – This team can handle regulations and the implementation of CCPA. Your best defense is to hire a Data Protection Officer. 

Accorian can help you

The security experts at Accorian can help you understand CCPA and help you scope, identify gaps, assist with remediation and conduct a final assessment. 

Whether it’s GDPR, HIPAA or HITRUST, our security experts can help you prepare for impending consumer privacy laws.

 Contact us today to get started.

Recent Blog

Article

Adobe's Common Controls Framework of Industry-acclaimed security standards

Today’s world is an ever-changing scenario with changes to the technology sector happening more frequently than ever due to emerging technologies. The case is quite similar in the field of Cyber Security. There are a few industry-acclaimed cybersecurity standards for governing the processes and execution of these standards. These standards are usually built upon a framework of control objectives that need to be implemented by the organizations to comply with these standards. Compliance is measured in terms of control objectives meeting the compliance criteria and also other regulatory and statutory criteria. Since most of these Cybersecurity standards speak of similar control objectives or lay emphasis on similar control areas, it is advisable to have the ‘Adobe’s Common Control Framework’, which means that if we are able to comply with a single requirement from a particular framework, in theory, we should be able to use the adherence of that requirement for ALL the similar frameworks. There are several approaches to achieving this Adobe's Common Controls Framework both in theory and in practice and will be discussed in detail later on in this article. The most relevant security and privacy frameworks are ISO 27001, NIST, PCIDSS, GDPR, SOC Type 2. There is a significant overlap of controls contained in these standards as all of these standards primarily deal with one requirement which is the protection of data. Protection of information from unauthorized disclosure, compromise, and theft forms the backbone or the building blocks of an Adobe's Common Control Framework. This leverages the fact that similar controls or that the essence of the controls is the same across standards and can be used to gauge the adherence or compliance of an organization to the standard. In actual execution, while gauging the compliance of an organization, the Adobe's Common Controls Framework is not only holistic but can reduce the effort and cost otherwise required by the organization to comply with individual standards. There are two methods of developing the Adobe's Common Control Framework for an organization and there are very subtle differences between the two methods. They are Controls harmonization and Controls Mapping. Controls Harmonization: Harmonization is the creation of a brand-new control language set from several source languages of standards taking into consideration content & context. In theory, the intent and meaning of the words and sentences remain intact, but the language and actual words of the individual standards have been changed with a new harmonized meaning defined. To achieve the usage of a single language as an industry, globally, it would have significant benefits and it would be the most efficient way to operate not only as security professionals but also as humans. Adobe’s Common Control Framework is an example of this type of construct. The benefits of having a single operating language can truly be amazing in terms of effort reduction and cost reduction. Control Mapping: Today, most brilliant and forward-thinking security professionals are using the control mapping method. The main idea behind this method is to keep the original language intact as much as possible while mapping and matching the intent and meaning of each sentence and word. This is the most practical and realistic approach because this is how humans fundamentally interact with each other globally. One can see this working in real life where two different languages are being spoken by individuals and kept mainly intact, but an interpreter or linguist is translating between the two — the map is developed in the mind of the linguist. Some real-life examples of mapping for cybersecurity frameworks can be seen in HITRUST Framework, Cloud Security Alliance Framework, and even the U.S. Government formally...

View More

Article

Risk Management Framework – Managing & Measuring what matters

A risk management program allows you to manage overall information security risk.  It is an approach to identify, quantify, mitigate, and monitor risks.  The reason to look at risk in a comprehensive manner is to make sure no one area is getting too much attention or, too little. Frameworks also help you identify the bigger elements of risk that need review and mitigation. Additionally, it help you to prioritize the treatment of certain risks. The adherence to risk frameworks also helps give your customers comfort that a standard risk management is in place and hence, reduce your audit burden.  Typically, a Risk Management program comprises of the following phases: Risk identification Risk analysis Risk evaluation Risk treatment Risk Monitoring A good risk management framework will have the following characteristics: Comprehensive in types of risks it covers Practical for an organization to implement Updated with current real-world risks Based on controls that can be reviewed and audited Reliable so that your vendors and customers can accept it There are many risk management frameworks that one can choose from and it important to understand the advantages of each. Common risk management frameworks include: NIST CSF SOC 2 ISO 27001 HITRUST NIST (National Institute of Standards and Technology) framework is a comprehensive cybersecurity framework (CSF).  It is very widely accepted across different company sizes and business domains. Most cyber-security professionals are well aware of this framework as it is readily available.  Although widely available and very popular there is no certified third-party audit mechanism. Hence, it can only be self-assessed.   SOC 2 Type 2 is an internal controls report based on the scope you define.  It is widely used in the United States to show the maturity of your controls.  A CPA firm that is part of the American Institute of CPAs (AICPA) conducts the audit & issues an assessment report.  The AICPA does not audit/review the assessment for completeness or quality.  HITRUST CSF is a framework that came leverages NIST, SOC, and ISO along with others to create a more comprehensive standard.  It is widely implemented in the United States by organisations in the healthcare space.  Unlike others, although there are external assessors that are involved in the certification process, HITRUST reviews all assessments and issues the certificate. Additionally, among all the frameworks above it tends to be the most expensive to implement.  It is important to choose a framework that matches your long-term security goals & needs.  At Accorian, we work with all of the above frameworks. We help organizations choose the right framework and aid with the implementation. This is done by augmenting our team into your security team to help steer the rollout, aid with query resolution, choosing of the right controls & workaround during mitigation advisory, facilitating the selection of vendors & products and end to end program management. 

View More

Ready to Start?

Security Compliance & Assessment Services

CONSULTING & ASSESSMENT SERVICES

PENETRATION TESTINGRed TEAM ASSESSMENTS
TECHNOLOGY STAFFING

Contact Info

E. info@accorian.com

T. +1-732-443-3468

Contact With Us

Office Address

Accorian Head Office

6,Alvin Ct, East Brunswick, NJ 08816 USA

Accorian Canada

Toronto

Accorian India

Ground Floor,11, Brigade Terraces, Cambridge Rd, Halasuru, Udani Layout, Bengaluru, Karnataka 560008, India

Ready to Start?​

Drop your CVs to joinourteam@accorian.com

Interested Position

Download Case study

Download SOC2 Guide