
What is the California Consumer Privacy Act (CCPA) and How to Become Compliant with Penetration Testing


California businesses are now required to comply with the CCPA, effective January 1, 2020.

In the last few weeks MainNerve has received numerous inquiries regarding penetration testing for a company’s need to satisfy a CCPA requirement. Once again, our cyber ninjas here at MainNerve have come together to discuss the extent of reasonable security practices and to help give guidance on the requirements of penetration testing to satisfy CCPA requirements.

What is the CCPA?

In response to the increased role of personal data in contemporary business practices, and the privacy implications surrounding the collection, use, and protection of consumers' personal information, the State of California passed a personal data protection law.

In short, the act enhances privacy rights and consumer protection for all California residents.

This act was created to give privacy rights back to the people. It gives consumers the right to:

  1. Know and understand what personal data are being collected
  2. Know whether personal data are being sold or disclosed to a third party
  3. Say no to the sale of personal data
  4. Access personal data
  5. Request that a business delete any personal information about a consumer that may have been collected from that consumer
  6. No discrimination against a resident for exercising his/her privacy rights

Does the CCPA apply to me?

The CCPA can apply to a company anywhere in the world: it covers any entity that does business in California and satisfies at least one of the following:

  1. Collection of personal data of California residents
  2. The company (or its parent company or a subsidiary) exceeds at least one of three thresholds:
    1. Annual gross revenues of at least $25 million
    2. Obtains personal information of at least 50,000 California residents, households, and/or devices per year
    3. At least 50% of its annual revenue is generated from selling California residents’ personal information

A California resident is defined by the California laws as any person who:

  • Is in California for other than a temporary or transitory purpose
  • Is domiciled in California, but is outside the state for temporary or transitory purposes

Any organization that falls under any of these categories is required to implement and maintain reasonable security procedures and practices to protect the privacy of its consumers.

What does the CCPA require specifically?

CCPA specifies the following paragraph in Chapter 55, Section 1798.150 –

Any consumer whose non-encrypted or non-redacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

At first glance, the phrase “reasonable security practices” is broad at best. To start the compliance process, an organization needs definite goals. MainNerve’s cyber ninjas recommend starting with a gap analysis exercise to identify what is missing. For example, an organization can conduct its gap analysis against the ISO 27001:2013 standard. It is also suggested that the organization have relevant internal policies covering the incident response process, data breach notification, and similar matters.

Is CCPA the California version of the GDPR?

No, it is not. California lawmakers may have used the momentum created by the introduction of the GDPR, but the CCPA is not as extensive as the GDPR. The GDPR shares similarities with other recently introduced privacy laws, but they also have considerable differences.

These differences include the entities they cover, information required in privacy policies, prior consent, and sales of personal information. For more information on GDPR and Penetration Testing, read this blog post.

My business is GDPR-compliant. Does it mean that I’m CCPA-compliant as well?

No, being GDPR compliant doesn’t mean that you are CCPA compliant. Chances are your organization already meets some of the CCPA requirements simply by meeting the GDPR ones, but there is still some work to do. Adjusting your privacy policy to include a “Do Not Sell My Personal Information” link on your home page is a start. You also need to establish methods for handling requests for access, change, and erasure of data; a method for verifying the identity of the person making a data-related request; and a method for obtaining prior consent from minors before selling their personal data.

Does the CCPA require penetration testing?

There is no exact explanation given under the CCPA that addresses penetration testing specifically. So, in a strict interpretation of the legislation’s language, a definite answer cannot be given unless the law is updated.

Based on our experience assisting clients with compliance requirements, MainNerve strongly recommends that a company perform, at a minimum, quarterly vulnerability scanning and annual penetration testing as a proactive step toward maintaining a practical level of security for its technical infrastructure.

What are the penalties for non-compliance?

Non-compliance with the CCPA puts you at risk of huge fines. Companies not in compliance can expect the Attorney General to initiate a civil case against them if they remain non-compliant 30 days after being notified. This brings a risk of being fined up to $7,500 per violation.

This means that if a company violates the CCPA-guaranteed rights of 1,000 users, it may receive a fine of up to $7,500,000.00 in total ($7,500 × 1,000 users).

MainNerve likes to point out that the cost of performing a penetration test is minuscule compared to the possible cost of being fined. Therefore, instead of waiting for an organization to be fined or for the legislation to be updated, penetration testing exercises should be conducted as a best practice and as a proactive step toward achieving a reasonable level of security.

What are the types of testing to stay proactive in maintaining a practical level of security?

At MainNerve, we cater to your business’s needs. While companies are working to become CCPA compliant, know that we can help! From penetration tests to compliance requirements, we have what you need to get on the right track to compliance. Companies need a solid security plan: planning ahead saves money that would otherwise be spent on unnecessary fees and fines. Contact our sales team to get started today.
