The 2018 California Consumer Protection Act (CCPA) ⋆ The Cyber Sentinel

Connect--But, be very careful

How NIST 800-171 May Be The Better Solution To-date

The CCPA provides California residents the right:

To know what personal information is being collected about them
To know whether their personal information is sold or otherwise disclosed and to whom
To have the right to prevent the sale of their personal information by a business that has collected and stored such data
To be able to access their personal information and its deletion under specified situations
To receive an equal quality of service and price when they execute such privacy rights under the CCPA; there will be no discriminatory action for those residents who opt out of sharing their personal information with a business

The CCPA allows the use of NIST 800-171 where there is an absence of a codified standard. It ensures that security policies and practices of the candidate framework meets the intent of the CCPA. These not only include NIST-based frameworks, for example, NIST 800-171 and the National Cybersecurity Framework (NCF), but several internationally-recognized information security frameworks as well. An example would include the Center for Internet Security’s (CIS) 20 Critical Security Controls. Adoption of these or equivalent information security frameworks ensure accepted security policies and procedures that establish and present a good faith effort to California State reviewers and auditors charged with any oversight responsibilities. California describes this as “reasonable security,” but does not define this term; we will present a definition of “adequate security” aligned with the current NIST 800-171 definition within the State government.

What is “adequate security?” Adequate security is defined by “compliance” with the 110 NIST 800-171 security controls. It will also be considered adequate upon an authorization to operate[1] issued to the business or company by the State of California. This will most likely occur from the State Attorney General’s Office[2] or by its designated proxy. Furthermore, this does not mean all security controls are in effect, but where a deviation is needed, a Plan of Action and Milestones (POAM) is provided.

A business must implement reasonable security procedures and practices that are appropriate to the nature of the personal information that is to be protected. A POAM is required as part of an official NIST 800-171 submission package and will be discussed in a later chapter. It should identify why the company cannot currently address, and when it expects to resolve the control. See Appendix C for a more detailed discussion or see the supplementary guide: Writing an Effective Plan of Action & Milestones (POAM) available on Amazon® for further details.

Past precedence and direction from the California Attorney General’s Office in its 2016 Data Breach Report, suggested that companies that, for example, leverage the CIS’s Critical Security Controls would likely meet the security requirements of the CCPA. The guidance did not discount companies and businesses from following equivalent, industry-recognized information security frameworks such as NIST 800-171. NIST 800-171 is the most understandable and easiest to adopt, and for that reason, we will suggest this is a best choice.

Additionally, NIST 800-series in general tell a business “what” is required; however, they do not help in describing “how” to meet the 110 security control requirements. This book provides both technical and administrative solutions to address each of the controls. All are acceptable approaches within the NIST Risk Management (RM) directives and are intended to quickly provide business owners and their IT staffs the ability to swiftly implement them. This book will provide a substantive start-point. It is designed to walk through the security controls in enough detail to ensure authorization to operate and conduct business specific to the CCPA.

Need help with CCPA Guidance? Please feel free to reach out to our online experts.

More CCPA Specifics

The CCPA creates a private right of action for California residents if their personal information is subject to certain security incidents because of a business’s failure to implement reasonable security. Individuals may seek damages of $100 to $750 per consumer per incident. The CCPA also empowers the Attorney General to pursue cases against businesses for damages of up to $7,500 per intentional violation on the part of the business.

Who is affected?

The CCPA restricts certain businesses and defines a “consumer” as any natural person who is a resident of California as defined in existing California tax provisions. Specifically, a “consumer” includes:

An individual who is in California for other than a temporary or transitory purpose
An individual who is domiciled in California to include from time to time is outside the State of California jurisdiction for a temporary or transitory purpose

What information is covered?

The CCPA expands the definition of “personal information” to include information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked with a consumer or household. This would include information, for example, an individual’s name, physical address, social security number, education information, etc. The definition includes biometric data (e.g., iris scans, facial geometry, fingerprint data, etc.) collected without a consumer’s knowledge.

Businesses may find that they collect information that may be considered sensitive under the CCPA even though other regulations or statutes may not classify it as such. The current belief is that the Attorney General (AG) will adopt regulations to revise various subcomponents of the definition of personal information dependent on any follow-on regulations or guidelines. The AG could further expand the definition beyond its already broad terms. Because of the breadth of these definitions, California businesses did not consider themselves subject to any requirement for maintaining regulated personal information.

Certain categories of information are excluded and include:

Publicly available information that is lawfully available from government records
Aggregated information that relates to a group or category of consumers. The individual’s identity is removed or obfuscated in such a manner as to prevent traceability to a specified consumer
De-identified information that cannot reasonably identify, relate to, describe, etc., a consumer provided the businesses takes certain safeguards (g., properly executing procedures to protect against reidentification by unauthorized third-parties)

The Expansion and Impact of NIST 800-171

In late 2018, the expectation is that the US federal government will expand the requirement further for NIST 800-171, and it will apply to the entirety of the federal government. It is already impacting many of the states as well to include New York, Massachusetts, and now California. It will require that any company, business, or agency, supporting the federal and state governments are compliant with NIST 800-171.

The already expansive implementation of NIST 800-171 by the Department of the Defense (DOD) will more likely “beat out” the Department of Homeland Security’s (DHS)-supported National Cybersecurity Framework (NCF) –both frameworks were formulated by the National Institute of Standards and Technology (NIST). Why NIST 800-171?

DOD has already widely made the requirement compulsory for DOD contractors and subcontractors. DOD had an initial cut-off of December 31, 2017. It has established many of the policies and procedures to introduce its use beyond the DOD.
Two competing frameworks will add to COST and confusion among the private sectors’ implementation of cyber security protections. It is unlikely both will be authorized long-term.

Let’s See What Happens in 2018 (or early 2019)