by Richard Smith
The state of California recently enacted the California Consumer Privacy Act of 2018. Known as CCPA, this law specifically delineates organizations’ responsibilities to give consumers an effective way to control their personal information. Under the law, Californians have the right to:
- Know what personal information about them is being collected,
- Know whether their personal information is sold or disclosed and to whom,
- Say no to the sale of personal information,
- Access their personal information, and
- Receive equal service and price, even if they exercise their privacy rights.
The CCPA goes into effect Jan. 1, 2020. However, certain provisions require organizations to provide consumers with information regarding the preceding 12-month period, and therefore activities to comply with CCPA may already be necessary now.
Does the Law Apply to Your Company?
The International Risk Management Institute provides a good summary of which businesses must comply with the law. The criteria are generally based on a company’s annual gross revenues, handling of consumers’ personal information, and doing business in California.
There is no provision in the law that requires a business to be located in California. Thus, companies across the U.S. and around the world can be affected if they have personal information of California residents.
Even companies that do not meet the specific criteria for CCPA compliance should pay attention to the national trend toward protecting consumers’ privacy. As is often the case, California is providing a legislative model for other state jurisdictions. In the absence of federal legislation pertaining to data privacy, several states have introduced privacy bills that are similar to or even based on CCPA. Hawaii, Maryland and Massachusetts are actively developing legislation at this writing. In addition, Mississippi, Washington, New York, North Dakota, and New Mexico are progressing toward their own privacy legislation. Soon there may be a patchwork of laws around the country that have similar but subtly different requirements.
Most companies that are going to develop or adjust their applications to comply with CCPA requirements are going to treat all their data as if the records belong to California residents. That is, no one is going to create application exceptions to treat California data one way and non-California data another way. To do so would be complicated and unnecessary. Observing privacy rights is the right thing to do, regardless of where a data subject resides.
How Does CCPA Compare to GDPR?
Many companies that are fresh from adjusting their businesses to comply with the European Union’s General Data Protection Regulation (GDPR) are wondering if they are now well prepared for CCPA compliance. The answer is yes, and no. There is considerable overlap between the two pieces of legislation, but significant differences also exist.
A good resource for making the comparison between the two laws is the DataGuidance document Comparing privacy laws: GDPR vs. CCPA published by The Future of Privacy Forum.
Some of the most significant differences between CCPA and GDPR pertain to the scope of application of the regulation, the nature and extent of data collection limitations, and rules concerning accountability.
The Consequences of Non-Compliance with CCPA
Businesses have a duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information they handle. A significant provision of CCPA is that an aggrieved consumer can sue a company if a breach occurs and the company did not properly secure his or her private data. Losing such a lawsuit can be costly for a business, as judges may consider a defendant’s assets, liabilities, and net worth in determining the precise award. In addition to consumer actions, the Attorney General of California may issue fines of up to $7,500 per violation. The potential exists for extremely high penalties under either type of action, with statutory fines able to be multiplied by the number of impacted individuals.
For companies that collect or process Californians’ private data through their business applications, failure to comply with CCPA can be very costly—especially if they suffer a data breach. Unlike GDPR’s 4 percent of annual revenue maximum, there is essentially no cap on the fines and penalties that can be assessed if a breach occurs.
Should You Be Concerned About Your Mobile Apps?
Companies increasingly use mobile apps to conduct business with consumers. A significant amount of personally identifiable information (PII) can be collected and exchanged via mobile apps, which puts them in play for required compliance with CCPA.
There are several factors that can make mobile apps especially risky and prone to a data breach:
- All developers use third-party software in their applications to save time and money. Third-party open source software (OSS) and software development kits (SDKs) can have data privacy violations, security vulnerabilities, and other risks within their code. Developers often accept these risks (if they even know they exist) as a trade-off for the convenience of using the (usually no-cost) code in their own applications.
- Mobile apps use application programming interfaces (APIs) to retrieve or exchange data from both external and internal sources. APIs, too, come with inherent security challenges that can easily result in data leakage or even a very serious data breach. What’s more, APIs are updated often, and what was secure yesterday might have a data vulnerability today.
- Security checks and validation of compliance with CCPA and other regulations are often not a regular part of the DevOps application development process. Rather, security and compliance validation is left to the end of the cycle when a manual “point in time” penetration test is conducted. However, embedded OSS and SDK software and APIs change often, and the rapid pace of new releases can introduce vulnerabilities that did not exist before. A validation done last week does not find the risk that gets introduced today.
How to Improve and Maintain Your Mobile App Security and Compliance Validation
The first point to recognize is that modern application development models such as Agile and DevOps are moving too quickly to still allow for manual, point-in-time security assurance and compliance validation. A development model with automated security and compliance gap analysis incorporated into all phases of the software development lifecycle (SDLC) is an absolute necessity. Thus, you need a set of tools that are specifically designed to analyze the security posture and validate the compliance requirements of your mobile and modern applications, all without manual intervention.
In addition to analyzing your own developers’ code, the toolset must give visibility to embedded open source libraries, SDKs and APIs—especially those you might not be aware of. Because these software components are frequently updated, the toolset must monitor them for changes and continuously analyze them for vulnerabilities and gaps in compliance requirements. When issues are found, developers should be alerted and, ideally, provided with secure sample code and recommendations that will help lock down the high-risk areas of your mobile app.
The data retrieved or exchanged through APIs can be of particular concern for maintaining compliance with CCPA as well as other regulations such as GDPR, PCI DSS, COPPA and HIPAA. Your security toolset must scrutinize how the PII is handled and whether it meets your configured privacy policies. Once again, when an issue that puts an application at risk of being out of compliance is discovered, an alert should be generated, indicating the compliance gap, regulatory agency and any potential impacts (such as fines).
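The kind of automated check described above, written out as an added example; it is not code from the article or from Data Theorem. It assumes a hypothetical per-endpoint privacy policy (which PII categories each API endpoint is permitted to return and which regulations apply) and scans constructed sample API responses against it, raising an alert naming the compliance gap and the regulations involved whenever a PII value shows up where the policy does not allow it. The endpoint paths, policy entries and sample payloads are all made up for the illustration; in a real pipeline the responses would come from a CI stage that exercises the app's APIs.

```python
import re
from dataclasses import dataclass

# Hypothetical privacy policy, constructed for this example: for each API
# endpoint, the PII categories it is allowed to return and the regulations
# that govern the data it handles. Endpoints absent from the policy are
# treated as allowed to return no PII at all (fail closed).
POLICY = {
    "/v1/profile": {"allowed": {"email", "phone"}, "regulations": ["CCPA", "GDPR"]},
    "/v1/orders": {"allowed": set(), "regulations": ["CCPA", "PCI DSS"]},
}
DEFAULT_RULE = {"allowed": set(), "regulations": ["CCPA"]}

# Simple content-based PII detectors; a production tool would use a richer set
# and also classify by field name and data-flow, not just by value shape.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b"),
}


@dataclass
class Alert:
    endpoint: str      # API endpoint that returned the value
    field: str         # dotted path of the offending field in the response
    category: str      # PII category detected (email, phone, ssn, card)
    regulations: list  # regulations the policy associates with this endpoint


def _flatten(obj, prefix=""):
    """Yield (dotted_path, leaf_value) pairs for every leaf in a JSON-like object."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _flatten(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            yield from _flatten(value, f"{prefix}{idx}.")
    else:
        yield prefix.rstrip("."), obj


def classify(value):
    """Return the PII categories whose pattern matches the value (as text)."""
    text = value if isinstance(value, str) else str(value)
    return [cat for cat, rx in PII_PATTERNS.items() if rx.search(text)]


def scan_response(endpoint, body, policy=POLICY):
    """Compare one decoded API response against the policy; return Alerts."""
    rule = policy.get(endpoint, DEFAULT_RULE)
    alerts = []
    for path, value in _flatten(body):
        for category in classify(value):
            if category not in rule["allowed"]:
                alerts.append(Alert(endpoint, path, category, list(rule["regulations"])))
    return alerts


def format_alert(alert):
    """Render an alert the way a developer would see it in CI output."""
    return (f"[{', '.join(alert.regulations)}] {alert.endpoint}: field '{alert.field}' "
            f"exposes {alert.category} not permitted by the configured privacy policy")


# Constructed sample responses, standing in for traffic captured from a test run.
SAMPLE_RESPONSES = [
    ("/v1/profile", {"user": {"email": "jane@example.com", "phone": "555-123-4567"}}),
    ("/v1/orders", {"orders": [{"id": 42, "buyer_email": "jane@example.com",
                                "card": "4111 1111 1111 1111"}]}),
    ("/v1/support", {"note": "SSN on file: 123-45-6789"}),
]


def run_scan(responses=SAMPLE_RESPONSES, policy=POLICY):
    """Scan every captured response and return the combined list of alerts."""
    alerts = []
    for endpoint, body in responses:
        alerts.extend(scan_response(endpoint, body, policy))
    return alerts


if __name__ == "__main__":
    for a in run_scan():
        print(format_alert(a))
```

Run as a script it reports three gaps: the orders endpoint leaking a buyer e-mail and a card number, and the unlisted support endpoint returning an SSN; the profile endpoint produces nothing because the policy explicitly permits e-mail and phone there. Wiring `run_scan` into the build so that any non-empty result fails the stage is what turns the "point in time" test the article criticizes into a check that runs on every release.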
The stakes are high for any commercial mobile app and API service. One data breach or a serious violation of regulatory compliance requirements can result in fines or penalties that can run into the millions of dollars. Bringing security and compliance into your application development workflow gives you the peace of mind from knowing that you are proactively addressing the potential risks and vulnerabilities of your applications and APIs.
Richard Smith is the director at Data Theorem. For more information on the company, please visit their Buyers Guide listing.