The California Consumer Privacy Act (CCPA) took effect in January 2020. Like its sister regulation in Europe, the GDPR, the CCPA is stepping up the regulation of how personally identifiable information (PII) is used. For many organizations these regulations are seen as something negative that only adds more requirements and work.
As a CISO I am absolutely affected by these privacy regulations, as my job includes compliance with external regulations. On one hand that means additional work, but on the other hand I am glad that those regulations are there, and here's why:
- As a CISO I am responsible for protecting critical information. PII is just another category of critical information that needs to be protected. This has become an issue because this category of information has not previously been given the same attention and protection.
- Privacy regulations give an additional incentive to do what we should have done all along, namely identify what kind of information we are processing, where we are processing that information and for what reason, and protect it accordingly.
- All data should be classified according to its criticality. Thousands of documents are created every week, or maybe even every day. These documents may contain confidential information that needs to be protected. Regulations like privacy laws help put a focus on classifying these documents and protecting them according to their classification.
- The need to identify what personally identifiable information we process and where we process it is just another argument for implementing a good information architecture. Protecting the confidentiality, integrity and availability of critical and sensitive information starts with information architecture. If you don't know where your critical data is, how can you ensure that it is sufficiently protected? The data subject's right to have their data deleted also requires that you know all the places where the information is stored.
- The threat of fines related to breaches of PII gives me an additional card in hand when arguing why we must invest more in security and not less. In risk management you do a cost-benefit analysis of the mitigating activities. If the cost of protecting the data is higher than the consequences of not protecting it, then protecting it is bad for business. With the potential fines for not complying with these regulations, the consequences can get really high. This in turn means more security measures will now be beneficial for the business.
- The data owners of PII are not the CISO or anyone working with security. It is usually not even someone working within IT. The data owners sit in HR, Finance or Marketing/Sales departments. This now means that these data owners also have to start thinking about data security. The more people thinking about data security, the better for me.
All in all, regulations like CCPA are helping CISOs put a focus on information security and moving everyone toward more secure data processing. Fines can reach up to $2,500 for unintentional violations and $7,500 for intentional violations, and the consumer can also collect between $100 and $750 for each incident. These sums can easily add up into the millions and should make any board member take a newfound interest in information security.
Christian Olsen is Chief Information Security Officer at Kriptos. His experience includes IT audit leader and senior security architect at firms such as E&Y and Sopra Steria.
To find out more about Kriptos Data Classification solutions, please contact us to schedule a demo.