Combining CCPA Compliant Data Utilization and Privacy
By Ameesh Divatia, CEO and co-founder | July 1, 2020
Today marks the first day the attorney general will enforce the CCPA, the California Consumer Privacy Act, a milestone for all of us who, as individuals, worry about our privacy in a hyperconnected world. This landmark privacy law gives consumers greater control over how the data collected about them is used and shared by companies. Interestingly, as organizations make strides to ensure compliance with the regulation, we have seen a greater willingness by them to share personal data to help combat the COVID-19 pandemic. In fact, we have even seen some policies and amendments related to data sharing eased.
For example, on March 17, the Department of Health and Human Services Office for Civil Rights (OCR) announced the relaxation of CCPA-related restrictions on certain video chat technologies to allow greater availability of telehealth services. Then, on April 2, OCR began allowing business associates to opt in to sharing normally protected health information to help offer deeper insight into the spread of COVID-19.
As we are seeing, data holds immense potential to solve complex challenges, but that must be tempered with maintaining the privacy standards outlined in data privacy laws like CCPA and GDPR (General Data Protection Regulation), which, interestingly, were not relaxed because of the pandemic. This delicate balance is no easy task, but with adherence to data security best practices such as the following, it is possible:
- Structure data properly. Structuring consumer data is an important first step, prioritized by the relevant categories of personal information, such as names, birthdates, social security numbers, and addresses.
- Protect and control access. Implementing the appropriate controls allows organizations to protect data by giving access only to privileged users and preventing malicious and compromised users from getting it.
- Encrypt immediately. It is critical to protect the data via various data encryption strategies to ensure its privacy once it is in your environment. This process converts readable data into an unreadable form to further protect against a data breach.
- Decrypt with care. Once data is ready for aggregation, extra precautions must be taken, because this is when data is decrypted into a readable, usable form. To protect California residents’ privacy, it is critical to restrict access requests to only those who need to see this information.
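The four steps above, as an added illustration that is not Baffle's own code: a constructed classification of PII fields, AES-GCM encryption applied to each PII field as it enters the environment, and a decrypt path that refuses any role outside a constructed allow-list. Field names, role names and the key handling are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed classification of PII fields and allow-list of roles permitted to decrypt them.
var piiFields = map[string]bool{"name": true, "birthdate": true, "ssn": true, "address": true}
var decryptRoles = map[string]bool{"privacy-analyst": true}

// NewAEAD derives the AES-256-GCM primitive used for every protected field.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect runs on each field as the record enters the environment: PII fields are encrypted
// with the field name as associated data (so a ciphertext cannot be replayed under another
// column); non-PII fields pass through and stay usable for analytics.
func Protect(aead cipher.AEAD, field, value string) ([]byte, error) {
	if !piiFields[field] {
		return []byte(value), nil
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(value), []byte(field)), nil
}

// Reveal is the only path back to plaintext for a PII field; it refuses roles outside the allow-list.
func Reveal(aead cipher.AEAD, role, field string, stored []byte) (string, error) {
	if !decryptRoles[role] {
		return "", errors.New("role " + role + " may not decrypt " + field)
	}
	ns := aead.NonceSize()
	if len(stored) < ns {
		return "", errors.New("malformed protected value for " + field)
	}
	pt, err := aead.Open(nil, stored[:ns], stored[ns:], []byte(field))
	if err != nil {
		return "", err // tampered ciphertext or a value moved from another column
	}
	return string(pt), nil
}
```

Because the field name is authenticated along with the ciphertext, an SSN ciphertext copied into the name column fails to decrypt rather than silently leaking.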
Baffle Data Masking and Exfiltration Control
With Baffle, companies can build their own Data Protection Service layer to contain data at the source and enforce strong access controls.
Impact On Data Security
In addition to challenges in maintaining data privacy, security is another issue that can greatly impede an organization’s ability to maintain CCPA compliance. For example, we are seeing criminal attempts to compromise networks through phishing attacks that prey on fears around the pandemic.
And with so many Americans working from home, hacking attempts through personal emails could also infiltrate work networks where critical data resides. The attacks seem to track the phases of the pandemic itself. The beginning of these attacks came through emails enticing recipients to click on links to see virus prevention tips and information.
With attacks on data increasing, it is incumbent upon every organization responsible for housing sensitive data — which is just about every organization — to be hypervigilant about protection. Keep the following suggestions in mind:
- Scrutinize everything. The most straightforward defense against scams and access requests like these is simple: if it sounds too good to be true, do not click. Californians, along with everyone else, are under pressure to protect themselves, their work or personal data, and their families, but do not allow that stress to supersede common sense. These scams play on fears, attacking consumers’ personal information when they feel most vulnerable.
- Confirm the source. If the email seems suspicious but appears to come from an internal source, contact the supposed sender to confirm whether it is real. Should it appear to come from a well-known company or a known service provider, call and confirm that they did, in fact, send the email. Note: do not call the phone number listed in the email.
- Keep all software current. Browsers and operating systems for mobile and desktop devices do an excellent job of detecting malicious sites or emails, so make sure that you have the latest updates.
- Finally, keep IT in the loop. If you fall for a phishing attempt, immediately report it to your IT department.
While not every organization is covered by CCPA privacy regulations, it is very possible that a referendum for consumer rights could be on the horizon. But beyond the legal requirement, ensuring CCPA and GDPR compliance is just the right thing to do, and organizations would be wise to take all the steps necessary to use data processing to its full advantage while ensuring the data is protected through proactive security measures – be it data access control or data encryption. Through the appropriate solutions and actions, data utilization and GDPR-compliant privacy practices can be achieved simultaneously.
Learn more about the California Consumer Privacy Act and about CCPA vs GDPR with help from Baffle today.
Portions of this article originally appeared in Forbes.