Tennessee-based Methodist Le Bonheur Healthcare falls largely outside the reach of the California Consumer Privacy Act (CCPA), the law backing consumers' rights to control their personal information that goes into effect on Jan. 1, 2020. Even though his company isn't in California, Methodist's CISO, Steve Crocker, is following the California law's progress closely to prepare for CCPA, anticipating that a similar federal law won't be far behind.
Other states, including Washington and Oregon, already have similar legislative initiatives under way, and Crocker hopes the U.S. folds them all into a single umbrella law as the European Union did with GDPR.
"This level of consumer protection is a trend we are starting to see," Crocker said of CCPA's strict underlying premise that consumers need to know what data is being collected about them and that companies can "forget" their data if consumers make that request.
Until then, he feels prepared for a federal mandate because data privacy and protection are at the forefront of his organization's risk management strategy. "If we follow the best practices of risk management, we'll always catch compliance issues as well," Crocker said. Already, many of CCPA's requirements for consumer data privacy and protection are included in the organization's application development processes, data storage practices, identity and access management strategies, self-assessments and third-party audits.
Tom Garrubba, vice president and CISO at Shared Assessments, an organization that assists Fortune 500 companies with their risk assessments, is concerned that some companies are willing to risk fines rather than deal with what they see as "the rigamarole" necessary to prepare for CCPA compliance. "They ask themselves, 'Is it worth spending $5 to protect a 50-cent item?' And, sometimes, their answer is, 'No,'" Garrubba said.
What they are missing, beyond the financial risk, in his opinion, is the reputational risk of jeopardizing customer data. "There is a negative effect to getting hit with fines for violating those regulations," he said.
For smaller companies, the cost of complying with what will likely be multiple states' laws could be prohibitive, but in Garrubba's experience, regulators don't expect companies to go bankrupt on compliance. "They just want to see that you are trying to do the right thing, even if you aren't completely there yet," he said.
First steps to prepare for CCPA
Shane Nolan, senior vice president of consumer and business services for IDA Ireland, Ireland's government agency that works to attract global investors to the country, is familiar with companies' hesitance to get ahead of compliance mandates before they go into effect. He saw that happen with GDPR. "The counterintuitive reality is that, once the regulations are in place, the guesswork is taken out, and you have more certainty in what you have to do," he said. Waiting too long makes it difficult to put systems in place and test them before regulations go into effect.
A good first step to prepare for CCPA and comply with GDPR is to answer certain basic but important questions -- e.g., what is your basis for collecting certain data? "You have to have a mechanism where you allow the consumer to know when you're collecting their data and how you plan to use it," Nolan said.
Crocker agreed, adding this question is key and should be answered with every new application and every new business process an organization develops. "Compliance should be built into the development cycle rather than bolted on at the end," he said.
Guardian Life Insurance Company in New York also embeds data privacy and protection compliance within application development, said Dante Rodino, manager of identity and access management. "Privacy and security requirements are handled right alongside business and system requirements," he said.
Having this type of synchronization between application development and compliance requires "a strong strategic initiative around data governance that has senior management sponsorship," Rodino said. The program needs to be driven from the top down, with explanations of how data can be accessed and who can access it, including a standardized control set. If IT security teams instead try to drive it from the ground up, the result is a mess and poor collaboration.
To handle privacy and usage compliance, organizations are appointing chief data officers (CDOs) to be executive evangelists charged with creating a culture of data governance and building up guardrails to protect customers and employees, said Daniel Elman, analyst at Nucleus Research. CDOs tend to come from IT, are data-driven and have prior experience as data stewards for the company, he said.
CDOs: Leading data governance, privacy and protection
One of the first tasks the CDO -- or chief privacy officer, as other companies have designated them -- can take on is understanding where the organization's data is located. "You're not going to be successful if you don't know where your data lives," Methodist Le Bonheur Healthcare's Crocker said.
Data tracking is a particularly challenging problem in healthcare because of the dependence on cloud-based applications and third-party vendors, Crocker said. His team maps data flows, paying close attention to how it travels across internal systems out to the cloud and other vendor networks. They create diagrams that illustrate data moving from system to system to make sure the organization and its ecosystem remain compliant. Crocker said his cybersecurity architects wind up being more like archeologists, digging up older data and talking to business units to understand how it was set up and how it is used today.
Shared Assessments' Garrubba said too many companies throw their hands up in the air when it comes to locating data among third-party vendors and cloud providers. "Just because you outsourced the process doesn't mean you've outsourced the risk," he said.
The same can be said for data at rest. At Goulston & Storrs, a midsize law firm on the East Coast, CIO John Arsneault insists the firm get encryption keys for all data stored at providers. "It's always been a head-scratcher to me how much data sits out there unencrypted," he said. He's also perplexed by companies that don't have domain privileges to their own data. "How can you say your company's gold -- its data -- is under your protection when you don't have the encryption keys? It's just common sense."
Organizations should know exactly what data their vendors are collecting on their behalf and whether it aligns with their mission and mandate. For instance, if a vendor is gathering and storing more personal data than an organization needs -- say, marital status or prescription numbers -- then the organization's fines can escalate, Garrubba said.
Locking down data access
Controlling access to data is another critical part of compliance that can vex IT. Trying to secure data to minimum necessary permissions for access is difficult in a setting that has constantly changing roles. For instance, Crocker said, nurses move around a lot, requiring access to patient files across various hospital departments. "We also have community physicians that need access to our systems and want similar access for their staffs," he added.
This has led Crocker to implement SailPoint's security software to manage digital identities across the healthcare system and to create federated identities for approved user groups. Automating this task ensures he can remove employees in a timely and compliant manner and alter access rights in real time based on roles. This type of software gives caregivers the amount of access they need to care for patients without elevating risk, he said.
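The access model Crocker describes, least-privilege entitlements that follow a caregiver's role and department, expire on their own, and disappear entirely at offboarding, can be sketched in a few dozen lines. The following Python is an added illustration written for this article; it is not SailPoint's code or Methodist Le Bonheur's configuration, and the roles, permissions, departments and user IDs are constructed placeholders.

```python
"""Least-privilege access scoped by role and department, with expiry and offboarding.

Added example, not from the original article or any vendor product. The role
catalogue and all identities below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical role -> permission catalogue. Permissions are granted only within the
# department named on the assignment, so a role never confers hospital-wide access.
ROLE_PERMISSIONS = {
    "nurse": {"patient_record:read", "patient_record:update"},
    "community_physician": {"patient_record:read"},
    "billing": {"invoice:read", "invoice:update"},
}

# Fixed reference clock so the example is deterministic (constructed value).
NOW = datetime(2019, 12, 1)


def shift(days):
    """Return the reference clock moved forward by a number of days."""
    return NOW + timedelta(days=days)


@dataclass
class Assignment:
    role: str
    department: str
    expires: datetime  # every grant is time-boxed; nothing is permanent


@dataclass
class Identity:
    user_id: str
    active: bool = True
    assignments: list = field(default_factory=list)


class AccessDirectory:
    def __init__(self):
        self.identities = {}

    def add_identity(self, user_id):
        self.identities[user_id] = Identity(user_id)

    def assign(self, user_id, role, department, now, days):
        """Grant a role in one department for a limited number of days."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        ident = self.identities[user_id]
        ident.assignments.append(Assignment(role, department, now + timedelta(days=days)))

    def transfer(self, user_id, role, old_department, new_department, now, days):
        """Move a role between departments: the old grant is revoked, not left behind."""
        ident = self.identities[user_id]
        ident.assignments = [
            a for a in ident.assignments
            if not (a.role == role and a.department == old_department)
        ]
        self.assign(user_id, role, new_department, now, days)

    def deprovision(self, user_id):
        """Offboarding: deactivate the identity and drop every entitlement at once."""
        ident = self.identities[user_id]
        ident.active = False
        ident.assignments.clear()

    def is_allowed(self, user_id, permission, department, now):
        """True only for an active identity holding an unexpired role in that department."""
        ident = self.identities.get(user_id)
        if ident is None or not ident.active:
            return False
        return any(
            a.department == department
            and a.expires > now
            and permission in ROLE_PERMISSIONS[a.role]
            for a in ident.assignments
        )

    def expired_assignments(self, now):
        """Audit helper: grants past their expiry that still sit on an identity."""
        return [
            (i.user_id, a.role, a.department)
            for i in self.identities.values()
            for a in i.assignments
            if a.expires <= now
        ]


def build_demo():
    """Constructed directory: one nurse and one external physician (placeholder IDs)."""
    d = AccessDirectory()
    d.add_identity("nurse01")
    d.assign("nurse01", "nurse", "cardiology", NOW, days=30)
    d.add_identity("doc_ext01")
    d.assign("doc_ext01", "community_physician", "oncology", NOW, days=365)
    return d
```

The two checks that matter for compliance are that a transfer revokes the old department's grant rather than accumulating access, and that deprovisioning clears everything in one step; the `expired_assignments` report is what a reviewer would run periodically to catch grants that outlived their purpose.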
Attention to compliance inevitably means "bumping up against the convenience factor of the end user," Goulston & Storrs' Arsneault said, stressing the only way to combat this is for the organization to buy into the importance of a strong and proactive compliance posture.
Buy-in is also necessary to prevent users from deploying applications on their own -- i.e., going rogue -- and leaving data unaccounted for and unmanaged. As an example, Arsneault pointed to a law firm that was hacked after an employee who had subscribed to a SaaS-based marketing tool left the company without handing over the application's login and password. To avoid a similar issue at Goulston & Storrs, senior management enacted centralized budgetary control of all technology spending.
The firm also uses Edgewise Networks' microsegmentation tool to ensure that, if an employee did go rogue by setting up a server under his desk, for example, a hacker couldn't access the network from it. "It creates a safety net that prevents an intruder from moving laterally into other areas of the network," Arsneault said. It also protects customer data if a security team forgets to patch a system vulnerability or misconfigures a server. "There's always going to be a place where humans miss something, despite their best efforts," he said.
Nucleus' Elman agreed that humans are a key issue when trying to protect data. "The biggest vulnerability around enterprise data isn't created by technology, but by the people using the technology. Compliance is all about ensuring reliable, governed access to data for people who require it and minimizing the opportunity for those who don't to mishandle or otherwise compromise that data," he said.