The interactions between CCPA compliance and Security solutions.
Originally published at “Cyber Defense Magazine – RSA Conference 2020 Edition”
Introduction
The California Consumer Privacy Act, AB 375 (”CCPA”) was enacted in June 2018, and became effective on January 20th 2020. CCPA’s provisions potentially reach far beyond the European Union’s General Data Protection Regulation (“GDPR”). Accordingly, now is the time to review and assure compliance with CCPA, especially for those organizations who have relied on GDPR compliance to avoid regulatory penalties.
Although strong security infrastructure is vital for CCPA’s additional requirements, unless it’s carefully monitored, it can still be a source for data loss. In this article, we discuss how Content Disarm and Reconstruction (“CDR”) can help with both regulatory compliance and effective protection against data loss and additional adverse consequences.
Together, implementing measures to meet these regulatory standards, as well as taking all steps to assure the confidentiality, integrity, and accessibility of sensitive data, can make the difference between an industry leader and a competitor who’s always trying to catch up.
Meet CCPA
California has always been known as a progressive State for protecting consumer rights and individual privacy. While this has been beneficial in many ways for its residents, new laws and regulations have also opened an opportunity for private action litigators to challenge companies for non-compliance. Companies must ramp up to protect themselves, especially given the extensive fines that can be levied for violations. The act imposes up to a $7,500 fine per breached record, and the penalties can grow exponentially over time with accumulated incidents. Beyond data protection, CCPA is intended to provide transparency to how information is used and ensure that data maintained is both securely held, and also easily accessible.
CCPA’s Privacy Impact and Reach
The CCPA regulations require companies to provide broad transparency in how they collect, share, and use all personal and consumer data collected starting from January 2020; and business to business (B2B) data is covered beginning in 2021. Consumers will have the right to access personal data collected in the last 12 months, categorized between sold and transferred, to enable them to understand how groups of companies share information to build behavior, attitudinal and predictive profiles. Data requests to consumers must be provided in a timely manner and in a user-friendly exportable format. Companies will be forced to build infrastructures to meet these mandates. Companies will also be obligated to provide opt-out choices to restrict selling or sharing consumer data with third parties. These opt-out links must be prominently displayed on their websites. Under certain conditions, consumers can demand the deletion of personal data from company data stores.
While CCPA is being touted as California’s GDPR – it isn’t only limited to residents of California, since it covers almost all organizations and companies working out of California. With tech giants such as Facebook, LinkedIn, Google and Apple all California based, the impact of CCPA is potentially global. Companies that have already invested to support GDPR may have a head start. While there is some overlap between GDPR and CCPA, several policies, processes, and systems will still need updating to address differences between the two laws; primary among them is the requirement for transparent public access to all personal records stored by companies, including a full listing of all third parties the information has been shared with. Companies have a 30-day time window to remediate violations reported by regulators or private individuals.
Security impact
A sound IT security infrastructure is the basis of preventing data exfiltration and also the basis of minimizing the exposure to CCPA violations. Yet the security systems themselves must not be a source of data leakage, and shouldn’t be vulnerable to a third party with whom privacy information is shared. With the dramatic adoption of cloud-based security services, this requirement is becoming increasingly challenging to enforce.
According to the Verizon Data Breach Investigation Report (DBIR), weaponized documents are a primary attack vector on organizations leading to hacking-related data losses. As an example, in mid-December 2019, the Israeli Cyber Command issued a warning following dozens of incidents where sensitive documents were found on multiple cloud-based malware analysis platforms. The files were invariably uploaded by the security solutions deployed by the organizations, as well as by security analysts wishing to query specific files. Rigorous scanning, especially of otherwise undetectable file-based attacks, is a necessity to overcome such vulnerabilities.
Enter Content Disarm and Reconstruction (CDR)
Content Disarm and Reconstruction (CDR), is an effective technology for the prevention of undetectable file-based attacks since it transforms all incoming content into a harmless copy that can be used safely. As reviewed by Gartner in their recent Hype Cycle for Threat Facing technologies, “CDR protects against exploits and weaponized content that has not been seen before.” Israel’s Defense Forces, Intelligence Agencies and Critical Infrastructures were early adopters of CDR, establishing it as fundamental security best practice.
Sasa Software, owned by Kibbutz Sasa in Israel, has established itself as the leader of this technology, helping to extend it from governmental usage into commercial applications. Sasa Software’s GateScanner CDR combines highly optimized Multi-AV scanners, together with NextGen detection, to prevent known and advanced malicious attacks. These modalities are integrated with proprietary file reconstruction to prevent undetectable attacks, including Zero Day Exploits and Ransomware, while maximizing both security and usability of the resulting files. The technology protects extensive use cases including portable (USB) media, Email, Document uploads, Browser Downloads, Network Segmentation and more. The solution can be deployed as a service (SaaS) as well as to protect OT and ICS networks.
GateScanner was initially designed to protect air-gapped networks, so it was built without requiring internet access or 3rd party cloud connectivity. All operations are done in a highly secure physical or virtual appliance that is disconnected while processing files. With a design based on strict security and privacy measures, the solution also returns to the safe “Zero State” after every scan, never storing copies of the information that was processed. GateScanner can also assist with the prevention of information leakage since the process can be applied in “DLP” mode, scanning outgoing files and enforcing privacy policies.
Conclusion
Preparation for CCPA requires both dedicated transparency protocols, as well as careful selection of cybersecurity infrastructures. Scrutiny should be applied when determining the effectiveness of the security provided by solutions, and how they address the privacy issues required by CCPA. Documents and files are vital for the working of every organization, yet are a key concern as a security vulnerability, as well as a potential source for privacy losses. Sasa Software is a world leader in CDR and integrates both security and privacy procedures that are effective in protecting organizations against advanced attacks and achieving privacy compliance.