With companies around the world just getting used to GDPR, those doing business in California must now prep to comply with the state's CCPA, and more consumer privacy regulations are on the horizon.
Companies required to follow these privacy compliance mandates are under pressure to make extensive changes to their IT and security processes -- and quickly.
"There is a big need to have a clear plan in place for personal data -- not only how it is being used, but how it is distributed," said Derrick A. Butts, chief information and cybersecurity officer of IT at Truth Initiative. "More transparency is needed as far as how companies are doing business because they are going to be held accountable."
Experts agree that privacy compliance rules, like the EU's GDPR and the California Consumer Privacy Act (CCPA), are certainly needed as consumer data continues to be a target for hackers. But privacy mandates leave companies scrambling as they add staff, update processes and implement tech like AI to maintain compliance.
These efforts could prove costly: An independent economic impact assessment prepared for the California attorney general's office found the CCPA could cost companies a total of up to $55 billion in initial compliance costs.
Authorizing a 'verifiable consumer request'
The new consumer privacy rights under CCPA alone will require many companies to implement policies and procedures to comply. One such rule is the verifiable consumer request requirement that enables California consumers to request access to their personal information and ask that it be deleted. Upon receiving such a request, the covered business must verify the identity of the requesting individual and respond.
Businesses must establish practices to verify the identities of requesters or risk providing unauthorized, fraudulent third parties access to personal information. This burden will likely fall on the security department, said Scott Giordano, vice president and senior counsel of privacy and compliance at Spirion LLC, during a session titled "What the California Consumer Privacy Act Means for Your Security Program" at the 2019 (ISC)2 Security Congress in Orlando, Fla.
"You have to verify that person is who they say they are," Giordano said. "Who are the lucky folks likely to get that job at your company? It's not going to legal -- legal is going to IT. Then, IT calls IT security."
Handling these types of requests will likely become a subindustry in and of itself down the road, Giordano said, but until then, the organization is responsible to make sure the verification process is secure.
To make this job at least a little easier, Giordano said, steps like creating a data inventory, establishing processes to get consumers their information under deadline and making updates to the organization's privacy statement can help.
"The onus is going to be on you guys to establish security controls for everything now for CCPA," Giordano told the audience at the (ISC)2 conference. "It's going to be a huge effort."
Designing solutions with the right to privacy in mind
One big obstacle is that, in the past, most of the engineering for new tech focused on gathering as much information as possible and then building a business model around it, said Alan Conboy, office of the CTO at Scale Computing.
This creates a huge burden on companies that built an entire business model on data collection, data mining and sharing data. Privacy compliance rules force them to try to track down exactly what data they have and then establish processes to isolate certain data to comply with mandates.
"They haven't focused on that capability, historically, at all," Conboy said.
This will leave many companies understaffed and unprepared to implement intricate data protection and security requirements to comply, he added.
"If admins are already struggling today with just subcomponent pieces, then that tells me there is way too much complexity already involved in their day to day," Conboy said. "These regulations add to that complexity exponentially."
As a result, more companies are turning to technology, such as AI and machine learning, to automate at least some regulatory compliance processes, such as data location or extraction. Old-school techniques, such as retention schedules, can help as well, said Ripcord Inc. CEO and founder Alex Fielding.
But, while Fielding said retention schedules in the past were sort of "loosey-goosey," privacy compliance rules increase the risk of exposure dramatically when data is kept beyond the expiration date.
"You could be sitting on a giant corpus of information that contains [personally identifiable information], and you may not even know it if you don't have the tools to track it," Fielding said.
Fielding added that many companies have good intentions about protecting consumer privacy but, in the past, have lacked the tools to do it. The compliance mandates force companies to act faster about implementing data privacy protection, he said.
Plus, privacy compliance is not optional anymore, and substantial fines and penalties for noncompliance will also help change behaviors, experts said.
"The days that companies could take their customers data for granted and not worry about the privacy implications for the consumer or the security implications for the company are totally over," Fielding said.