What is the CCPA and How to Become Compliant with Penetration Testing

What is the California Consumer Privacy Act (CCPA) and How to Become Compliant with Penetration Testing

California businesses are now required to comply with the CCPA, effective January 1, 2020.

In the last few weeks MainNerve has received numerous inquiries regarding penetration testing for a company’s need to satisfy a CCPA requirement. Once again, our cyber ninjas here at MainNerve have come together to discuss the extent of reasonable security practices and to help give guidance on the requirements of penetration testing to satisfy CCPA requirements.

What is the CCPA?

As a response to the increased role of personal data in contemporary business practices and the personal privacy implications surrounding the collection, use, and protection of consumers personal information, the State of California passed a personal data protection law.

In short, the act enhances privacy rights and consumer protection for all California residents.

This act was created to give privacy rights back to the people. The following is included in this act:

1. Know and understand what personal data are being collected
2. Know whether personal data are being sold or disclosed to a third party
3. Say no to the sale of personal data
4. Access personal data
5. Request that a business delete any personal information about a consumer that may have been collected from that consumer
6. No discrimination against a resident for exercising his/her privacy rights

Does the CCPA apply to me?

The CCPA applies to every company in the world. This includes any entity that does business in California and satisfies at least one of the following:

1. Collection of personal data of California residents
2. A company (or their parent company or a subsidiary) exceeds at least one of the three thresholds:
   1. Annual gross revenues of at least $25 million
   2. Obtains personal information of at least 50,000 California residents, households, and /or devices per year
   3. At least 50% of their annual revenue is generated from selling California residents’ personal information

A California resident is defined by the California laws as any person who:

• Is in California for other than a temporary or transitory purpose
• Is domiciled in California, but is outside the state for temporary or transitory purposes

Any organization that falls under any of these categories are required to implement and maintain reasonable security procedures and practices for protecting the privacy of their consumers.

What does the CCPA require specifically?

CCPA specifies the following paragraph in Chapter 55, Section 1798.150 –

Any consumer whose non-encrypted or non-redacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following: 

At first glance, the phrase “reasonable security practices” is broad at best. To start the compliance process, an organization will require definite goals. MainNerve’s cyber ninjas have recommended starting with a gap analysis exercise to identify the missing parts. For example, an organization can conduct their gap analysis exercise against ISO 27001:2013 standard. Further, it is suggested that they have relevant internal policies about the incident response process, data breach notification, etc.

Is CCPA the California version of the GDPR?

No, it is not. Local California Government may have used the force created by the introduction of GDPR, but the CCPA is not as extensive as the GDPR. The GDPR shares similarities with other privacy laws introduced recently, but they have considerable differences.

These differences include the entities they cover, information required in privacy policies, prior consent, and sales of personal information. For more information on GDPR and Penetration Testing, read this blog post.

My business is GDPR-compliant. Does it mean that I’m CCPA-compliant as well?

No, being GDPR compliant doesn’t mean that you are CCPA compliant. Chances are your organization already meets some of the CCPA requirements simply by meeting the GDPR ones, but there is still some work to do. By simply adjusting the privacy policy, to include a “Do Not Sell My Personal Information” link on your home page is a start.  Also, establish methods for requests for access, change, and erasure of data, establish a method for verification of the identity of the person making a data-related request, and establish a method for obtaining prior consent by minors before selling their personal data.

Does the CCPA require penetration testing?

There is no exact explanation given under the CCPA that addresses penetration testing specifically. So, in a strict interpretation of the legislation’s language, a definite answer cannot be given unless the law is updated.

Within our experience in assisting clients with compliance requirements, MainNerve strongly recommends that a company performs at a minimum, quarterly vulnerability scanning and annual penetration testing as a proactive step to maintain a practical level of security for the technical infrastructure.

What are the penalties for non-compliance?

Non-compliance with the CCPA puts you at risk of huge fines. Companies not in compliance can expect the Attorney General to initiate a civil case against them if they remain non-compliant after 30 days upon being notified. This brings a risk of being fined up to $7,500 per violation.

This means that if a company violates the CCPA-guaranteed rights of 1000 users, it may receive a fine of up to $7,500,000.00 in total ($7,500×1000 users).

MainNerve likes to point out that the cost of performing a penetration test compared to the possible costs of being fined, it is miniscule. Therefore, instead of waiting for an organization to be fined or legislation to be updated, penetration testing exercises should be conducted as best practices and as a proactive step towards achieving reasonable levels of security.

What are the types of testing to stay proactive in maintaining a practical level of security?

At MainNerve, we cater to your business’s needs. While companies are attempting to get CCPA compliant, know that we can help! From penetration tests, to compliance requirements, we have what you need to get on the right track to compliance. Companies require a solid security plan that will save you money for planning ahead, not spending it on unnecessary fees and fines. Contact our sales team to get started today.