Are CCPA Loopholes Providing Open Access to Pandora’s Box?

CCPA is happening because companies have faced increased pressure over the past several years in the form of lawsuits and financial hits because of data breaches and other privacy violations. (For example, Target and Yahoo!) Lawmakers have recognized the need to place regulations on how businesses protect customer information.

The European Union pioneered a customer privacy law with its General Data Protection Regulation (GDPR), and now California is implementing the most sweeping consumer privacy law in the U.S. Other states are quickly following suit. In fact, Nevada’s law goes into effect in October 2019.

The California Consumer Privacy Act of 2018 (CCPA) goes into effect on January 1, 2020, giving consumers the right to request that businesses disclose the personal information they have collected. Furthermore, businesses must post a link, easily accessible throughout their website, that allows California consumers to easily exercise this right to access their own collected information. Once they have gained access to their information, they will be empowered to request that the business not only delete their data but also refuse the sale of this personal information to third parties.

Additionally, the CCPA’s “right to private action” gives California consumers the ability to sue a company if they do not comply with this statute.

In theory, the policy should give individuals more rights over their own personal information.

In reality, its current structure and lack of identity management and data standards will put that data at significant risk.

Before going further, keep in mind my thoughts and opinions are not intended to replace formal legal guidance that you would get from your organizations legal team. Before making any changes based on CCPA or other forthcoming state laws, you should consult with your organization’s legal team.

What’s the problem with CCPA?

As often happens when lawyers and legislators get involved, how policies will actually be managed and the complexities of what needs to be implemented for effective execution are both not as clarified as they could be. As CCPA is written, there are several loopholes that may have unintended consequences and may allow criminals to misuse the data and commit fraud for financial gain.

For example, a consumer may ask a business to disclose what personal data they have stored, but how does a business verify that someone actually is who they claim to be? CCPA requires this verification before providing personal information, but what constitutes verification?

The CCPA “does not provide much explanation of what constitutes a verifiable consumer request or how a business is to verify such a request.” They do not include specific guidelines for companies to effectively govern the data they keep or manage identity validation, leaving individuals at risk for having their data and ultimately their identities stolen.

Specifically, CCPA does not provide details on:

• the type of information companies should require to verify a consumer’s identity,
• the mode of communication that should be used to make the request,
• any kind of standard template for consumers to use to make the request,
• who should verify requests (in-house or a third-party), or
• any best practices that already exist in similar laws like GDPR.

Without standards like these, thieves could exploit vulnerable areas of the law to gain access to consumers’ personal information – especially through organizations who haven’t taken this challenge on themselves, such as those who are waiting for CCPA to tell them what to do.

In 2017, $16 billion worth of personally identifiable information (PII) was stolen, impacting 16.7 million U.S. victims, and unfortunately, the numbers are trending upwards. So, if we don’t have strong validation requirements addressed when the law takes effect, are we just opening another channel for bad actors to obtain sensitive personal data even easier and faster than before?

What is California’s government doing to address this – and what does that really mean for you?

While the California Attorney General is supposed to provide more clarity around protecting PII later in the fall, the timing and level of detail of the expected guidance is somewhat unknown. This doesn’t give companies much time to address the risk before January.

Companies will find themselves in quite a bind if they don’t take consumer privacy into their own hands to actively do what’s right for their consumers. Some, like Facebook and First American Financial Group, have already found this out the hard way. They continue to grapple with the cost of crisis management, improving data security, and repairing consumer trust.

Organizations should bear in mind: it is far less costly to tackle a problem before it happens than to fix it amidst a crisis.

How can companies be smart with Personally Identifiable Information (PII) right now?

Here are actions organizations can start immediately:

Read and Understand CCPA Requirements

It’s important for companies to understand if or how the law pertains to their business by familiarizing themselves with the requirements. It’s not only companies based in California that are impacted, but also those that do business and have customers (or potential) customers in California.

Other criteria for who CCPA will impact:

• Companies with an annual gross revenue of more than $25 million, or
• companies that receive, share, or sell personal information of more than 50,000 individuals, or
• businesses that earn 50% or more of their annual revenue from selling consumers’ personal information.

While a variety of sectors are affected by this law, some of the key verticals include businesses within financial, health care, public sector, retail, and accommodation industries because they either naturally collect highly valuable and sensitive PII, offer great financial gain, can be easier to hack, or lack investment in cyber security.

Establish Modern Identity Authentication Processes

Businesses must update their technology to make individuals prove their identity in a smart and secure way. Multi-factor authentication is a verification method in which an online user is granted access only after successfully presenting two or more factors of authentication, such as using their own personal knowledge (e.g., a password), something they possess (e.g., a smart card or a cell phone), and/or something they “are” (e.g., a fingerprint using biometrics).

Think Google and Microsoft. Both recently released reports that their two-factor identification blocks nearly 100% of account hacks. Avoid following in the footsteps of recent data breaches by Evite, Toyota, and others. Multi-factor authentication is highly effective and critical.

Create Strong Governance Policies Around Data Storage and Maintenance

Companies collect data to understand what their customers need and want, as well as to improve their service offerings. However, much of the data they collect may not necessarily be used efficiently or even at all. For instance, a company may need demographic data but not PII, though they have collected it regardless.

Businesses need to put more structure and governance around what data they really need, as well as how they will store and retain this information. Whenever possible, they should also plan to garner the insights they need and then either get rid of the sensitive data or aggregate it in summary form. Companies making efforts in this area include Google, who announced in May that it will automatically delete data, and Facebook, who has added privacy policies, standards, and privacy positions and committees.

There can admittedly be a significant cost associated with this kind of process change, in addition to ongoing managing, maintaining, and complying with regulations like CCPA. These tasks require more manpower and other resources – but again, it should be about doing what’s right.

While it’s most certainly complex, broad-stroke changes like this happen for the betterment of all. Sweeping it under the rug isn’t going to make it go away, and hoping that your company has done just enough to comply with CCPA in January is not a strategy.

Partnering with experts in the fields of data, identity management, and security helps ensure you’re taking the right steps to keep customer data safe and secure – and that your reputation stays intact for years to come.