COVID-19 may be complicating organizations’ cybersecurity efforts as they shift more of their operations online, but that doesn’t lessen the pressure to comply with government regulations that are placing increased scrutiny on data privacy.
Despite the pandemic, companies are obligated to comply with many laws governing data security and privacy, including the two most familiar to consumers — the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). With CCPA enforcement set to begin July 1, organizations’ regulatory responsibilities just got tougher.
The CCPA is similar to GDPR in that it is designed to improve privacy rights and consumer protection, giving Californians the right to know when their personal data is being collected, whether their personal data is being disclosed or sold, and to whom. It allows them to access their personal data, say no to its sale, and request that a business delete it.
The law applies to any business with gross revenues over $25 million and that has personal information on 50,000 or more California citizens, whether the company is based in California or not. Violations can result in stiff fines.
Like GDPR before it, CCPA makes data security and regulatory compliance more of a challenge and requires businesses to create a number of new processes to fully understand what data they have stored in their networks, who has access to it, and how to protect it.
The challenge is especially rigorous for large organizations that collect and store high volumes of data, which is often spread across multiple databases and environments. And CCPA’s enforcement date comes as companies have already been scrambling to deal with COVID-19’s impact – enabling remote workforces while guarding against hackers trying to exploit fresh openings to infiltrate networks.
Here are four things that every business should consider in maintaining a rigid security posture to protect its most important asset – its data – and meet rising regulatory requirements:
1. Protect headcount.
We may be in an economic downturn, but now is not the time to lay off anyone with data security and privacy responsibility. Oftentimes when a company is forced to fire people, the pain is spread equally across the organization – say 10 percent for each department. Because the CISO organization (as well as the rest of IT) are usually considered “general and administrative” overhead, the target on its back can be just as large.
In the current environment, security staff certainly needs to be exempt from cuts. Most security teams have little to no overlap – there is a networking expert, an endpoint specialist, someone responsible for cloud, etc. And one person who focuses on data and application security, if you’re lucky enough to have this as a dedicated resource.
The data and application security role has never been more vital, both to safeguard the organization as more data and applications move online and to handle data security regulatory compliance, an onus companies continue to carry despite the pandemic. This person should be considered untouchable in any resource action.
2. Don’t drop the ball on breach notification.
It’s a question mark to what extent officials are aggressively conducting audits to vigorously enforce these laws during the pandemic. However, I would advise companies to assume that stringent enforcement remains the norm.
This is another reason that fostering strong security is all the more crucial now. For example, companies are still required to notify the relevant governing body if it suffers a breach. This initiates a process involving its IT, security, and legal teams, and any other relevant departments. Who wants that distraction anytime, and especially during a global crisis?
Beyond regulatory factors, companies simply owe it to their customers to handle their data responsibly. This was of course true before COVID-19 and CCPA enforcement, but its importance has intensified. A Yahoo-style scandal now could cause reputational damage that the company never recovers from.
3. Ask the critical questions that regulations raise.
Where is personal data stored? Companies must scan their networks and servers to find any unknown databases, identify sensitive data using dictionary and pattern-matching methods, and pore through database content for sensitive information such as credit card numbers, email addresses, and system credentials
Which data has been added or updated within the last 12 months? You need to monitor all user database access — on-premises or in the cloud — and retain all the audit logs so you can identify the user by role or account type, understand whether the data accessed was sensitive, and detect non-compliant access behaviors.
Is there any unauthorized data access or exfiltration? Using machine learning and other automation technologies, you need to automatically uncover unusual data activity, uncovering threats before they become breaches.
Are we pseudonymizing data? Data masking techniques safeguard sensitive data from exposure in non-production or DevOps environments by substituting fictional data for sensitive data, reducing the risk of sensitive data exposure.
4. Assume more regulation will come.
As digital transformation makes more and more data available everywhere, security and privacy concerns keep growing. One can assume that GDPR and CCPA may just be the tip of the regulatory iceberg. Similar initiatives in Wisconsin, Nevada, and other states show that it behooves organizations to get their data protection houses very much in order. Compliance will need to be a top priority for organizations for many years into the future.
About the author: Terry Ray has global responsibility for Imperva’s technology strategy. He was the first U.S.-based Imperva employee and has been with the company for 14 years. He works with organizations around the world to help them discover and protect sensitive data, minimize risk for regulatory governance, set data security strategy and implement best practices.