Today marks the first day of enforcement of the California Consumer Privacy Act, a milestone for all of us who, as individuals, worry about our privacy in a hyperconnected world. This landmark regulation gives consumers greater control over how their data is used and shared by companies. Interestingly, as organizations make strides to ensure compliance with the regulation, we have seen a greater willingness by them to share data to help combat the COVID-19 pandemic. In fact, we have even seen easing of some policies related to data sharing.
For example, on March 17, the Department of Health and Human Services Office for Civil Rights (OCR) announced the relaxing of restrictions on certain video chat technologies to allow greater availability of telehealth services. Then, on April 2, OCR began allowing business associates to share normally protected health information to help offer deeper insight into the spread of COVID-19.
As we are seeing, data holds immense potential to solve complex challenges, but that potential must be tempered by maintaining the privacy standards outlined in regulations like CCPA, which, interestingly, was not relaxed due to the pandemic. Striking this delicate balance is no easy task; however, with adherence to best practices such as these, it is possible:
- Structure data properly. Structuring data is an important first step, with data prioritized based on relevant categorizations such as names, birthdates and addresses.
- Protect and control access. Implementing the appropriate controls allows organizations to protect data by giving access only to privileged users and preventing malicious and compromised users from getting it.
- Encrypt immediately. It is critical to protect the data via encryption to ensure its privacy once it is in your environment. This process converts readable data into an unreadable form.
- Decrypt with care. Once data is ready for aggregation, extra precautions must be taken because this is when data is decrypted into a readable, usable form. To avoid privacy issues, it is critical to restrict access to only those who need to see this information.
Impact On Data Security
In addition to challenges in maintaining data privacy, security is another issue that can greatly impede an organization’s ability to maintain CCPA compliance. For example, we are seeing criminal attempts to compromise networks through phishing attacks that prey on fears around the pandemic.
And with so many Americans working from home, hacking attempts through personal emails could also infiltrate work networks where critical data resides. The attacks seem to track the phases of the pandemic itself. The beginning of these attacks came through emails enticing recipients to click on links to see virus prevention tips and information.
With attacks on data increasing, it is incumbent upon every organization responsible for housing sensitive data — which is just about every organization — to be hypervigilant about protection. Keep the following suggestions in mind:
- Scrutinize everything. The most straightforward defense against such scams is this: If it sounds too good to be true, do not click. Everyone is under pressure to protect themselves, their data (work or personal) and their families, but do not allow that stress to supersede common sense. These scams play on fears, attacking users when they feel most vulnerable.
- Confirm the source. If the email seems suspicious and appears to come from an internal source, contact the supposed sender to confirm if it is real or not. Should it appear to come from a well-known company or a familiar vendor, call and confirm they, in fact, sent the email. Note: Do not call the phone number listed in the email.
- Keep all software current. Browsers and operating systems for mobile and desktop devices do an excellent job of detecting malicious sites or emails, so make sure that you have the latest updates.
- Finally, keep IT in the loop. If you fall for a phishing attempt, immediately report it to your IT department.
While not every organization is covered by CCPA, it is very possible that a national privacy referendum could be on the horizon. But beyond compliance, ensuring consumer privacy is just the right thing to do, and organizations would be wise to take all the steps necessary to use data to its full advantage, while ensuring it is protected through proactive measures. Through the appropriate solutions and actions, data utilization and privacy can be achieved simultaneously.
Portions of this article originally appeared in Forbes.