The newly passed California Privacy Rights Act expands consumer privacy laws. Here are 3 crucial ways businesses should prepare in 2021, according to a veteran cybersecurity expert

The newly passed California Privacy Rights Act expands consumer privacy laws. Here are 3 crucial ways businesses should prepare in 2021, according to a veteran cybersecurity expert

January 5, 2021
  • Dave Cole is a 20+ year security veteran who led cybersecurity firm Tenable through an IPO as chief product officer and helped grow CrowdStrike into a global juggernaut. He also ran the $2 billion Norton consumer cybersecurity business.
  • On November 3, local voters approved the California Privacy Rights Act, a new law that adds data privacy and security requirements to the existing California Consumer Privacy Act (CCPA) regulations. 
  • Though the CPRA doesn't take effect until 2023, Cole says it's critical that businesses prioritize compliance work this year. 
  • It's especially important to note the new requirements on regulating "sensitive personal information," providing consumers with new rights about opting out of automated processes, and submitting mandatory risk assessments and audits. 
  • Cole suggests identifying any sensitive data your company stores that could be subject to regulation under the new law, and creating comprehensive policies to protect how that information can be stored, distributed, and shared. 
  • Continuously monitor and audit your businesses for any potential data policy violations, especially if you want to stay on top of additional data regulations in the future. 
  • Visit Business Insider's homepage for more stories.

Among the outcomes of the November 2020 elections was yet another acronym for security and compliance teams to know: CPRA.

The term stands for California Privacy Rights Act, a new law that California voters approved on November 3. The CPRA introduces novel data privacy and security requirements that extend beyond California's existing CCPA (California Consumer Privacy Act) regulations. 

The CPRA matters because it will likely be the bellwether for future US national regulation on data privacy to come. Other US states are already following in the CPRA's footsteps with data privacy laws of their own, such as New York, Illinois, Washington, and Illinois.

The CPRA doesn't take effect until 2023, but even with two years of time, experience with CCPA and GDPR (General Data Protection Regulation) has taught us that it's not a lot of time. Compliance work must start quickly in 2021. 

Here's a primer on what cloud security practitioners should know — given the bulk of data is created or moving to cloud stores — and how they can start preparing for the implementation of the CPRA.

Read more: A software startup shifted to a 4-day work week for a month after measuring employee engagement since the start of the pandemic. Its cofounder explains how it collected the data.

What are the CPRA requirements?

In general, you can think of the CPRA as a stricter, more expansive version of the CCPA. Both laws govern the way that regulated companies have to manage personal data that they collect about customers or users. However, the CPRA takes these requirements further in several key ways.

For one, whereas the CCPA focuses primarily on regulating personal information that could be used to identify an individual, such as IP addresses and social security numbers, the CPRA introduces an additional category called "sensitive personal information." The latter category includes information like ethnicity and religious beliefs. From the perspective of cloud management and security teams, this means that more types of data that may be stored in cloud environments are subject to regulation under the CPRA.

Additional consumer rights are a second key difference between the CCPA and the CPRA. Under the CPRA, not only will consumers have rights involving knowing about and deleting data that companies collect about them, but they will also be able to request data correction. In addition, the CPRA provides consumers with new rights involving knowing about and opting out of automated decision-making processes, including the data that powers them.

A third important new requirement under the CPRA is mandatory risk assessments and audits. Companies will be required to submit the results of these assessments to California regulators on a "regular basis," a requirement absent from the CCPA. The teeth behind the CPRA will be a new agency, the California Privacy Protection Agency, the first dedicated agency of its kind in the US with rulemaking, auditing, investigation and enforcement authority.

Read more: How companies can best navigate California's Assembly Bill 5 if they consistently work with independent contractors or freelancers

How security and cloud teams can start preparing for CPRA

Even if you're perfectly compliant with CCPA requirements, then, you will need to have more expansive and granular strategies in place for data discovery, control, and auditing to meet the CPRA's rigid regulations. 

Here are the three essential things to first get in place to prepare to meet that challenge.

1. Discover and know your data

An essential first step is getting to deeply know your company's data. Identify where and what sensitive data your company stores that may be subject to CPRA regulation — which, again, includes a broader set of data than that protected by the CCPA. In addition to where the data lives, you'll also need to identify who has access to the data, how it can "flow" across your infrastructure boundaries, and data lifecycle processes like sharing, retention, etc.

When you consider the plethora of native cloud data storage services across a multi-cloud as well as the ongrowing proliferation of non-native databases that can run on cloud compute, there are hundreds of ways that your data can reside in the cloud and you need an accurate way to discover it all.

Of course, a one-off data discovery process isn't enough for tracking dynamic data that must be protected under CPRA requirements. You'll want to set up continuous data discovery that's accurate, automated, and economical — observable across live maps, dashboards and reports.

2. Get your data policies in place

A second critical step toward CPRA compliance is to create and maintain granular data security and privacy policies.

You need policies that specify how each item of data can be stored, who can access it, how the data is allowed to flow, how it should be retained and shared.

A single misconfiguration can cause a massive breach. Establishing these policies "as code" brings with it many advantages such as version control, shared tooling, and the foundations for automating. Comprehensive data policies are the foundation to effectively controlling and protecting any regulated data that your company stores.

A policy engine that is gaining industry momentum for cloud native environments is the open source, Open Policy Agent. It enables unified, context-aware policy definition and enforcement not only for data but for the entire stack. A fast expanding set of vendors and projects now support it. Such a broadly interoperable policy engine will help you to automate much more of the data protection processes across tools and infrastructure.

Read more: I'm a financial advisor to Google, Salesforce, and Microsoft employees. Here's where I tell them to put their money to set themselves up for early retirement.

3. Monitor continuously to find and fix your high data risks sooner

A third important practice is to monitor continuously for data policy violations — it's an essential basis for enforcing protection. One-off or periodic audits aren't enough. You need to ensure that your team is quickly notified whenever a data security or privacy rule is broken. These continuous audits will also make it easy for you to meet the CPRA risk assessment mandates.

Naturally, you will want to automate as many aspects of the process as possible involving data auditing and security.

Automation helps you avoid the human errors that come with manual processes. When you define your data policies as code, track drift, and continuously audit for compliance automatically, you mitigate the chances of an oversight that could lead to CRPA non-compliance, and more importantly, a data breach.

You also gain the benefit of being able to take advantage of features like automated remediation of data security non-compliance issues, which can help your team correct issues quickly, before they become significant enough to lead to mandatory disclosure of a compliance violation.

Prepare for CPRA in 2021

Modern data privacy laws like CPRA in the US — also GDPR in the EU, LGPD in Brazil, etc. — are having a reverberating impact around the world. These laws are adding teeth on top of citizens' desire for more transparency, empowerment, and accountability with their sensitive personal data. Compliance challenges will only become more complicated. So start early on readiness initiatives and implementing operational foundations for visualization, control, and auditing. It will help keep you not only stay ahead of CPRA requirements but also with additional data regulations the future may hold in store.

Dave Cole is cofounder and CEO of Open Raven, the cloud-native data protection platform that automates security and privacy operations to prevent data breaches, leaks, and compliance incidents.

Source: Read Full Article