Technology industry executives commented this morning, as part of our security experts' comments series, on the California Consumer Privacy Act of 2018, which was passed yesterday.
Pravin Kothari, CEO at CipherCloud:
“The trend in data privacy is not your friend right now. In the wake of the newly enacted General Data Protection Regulation in the European Union, which just went into effect in May, and in the shadow of the pending U.S. Cloud Act and the U.S. Encrypt Act, California’s new regulation sets the bar higher than ever before for U.S. companies. It is pretty clear that companies doing business in the U.S. will require the same data privacy controls and capabilities that multinationals doing business in the European Union require today. As always, “failure to protect the data” signals the same need GDPR has for end-to-end encryption, tokenization, and data residency.”
Kevin Bocek, VP of security strategy and threat intelligence at Venafi:
“In some ways the California Consumer Privacy Act of 2018 is built on the European GDPR, but there are several important differences that dilute the impact. For example, the fines and penalties for GDPR are much higher than this act’s, and businesses don’t need to comply with it until they reach $25 million in revenue. There are no similar limits on revenue size in GDPR; it affects all businesses.
“It’s not surprising the large tech companies like Google and Facebook opposed the bill. Controlling the privacy and personal information that flows between machines is incredibly difficult, and a major challenge for all businesses.”
Willy Leichter, Vice President of Marketing at Virsec:
“Once again, California is proactively pushing the envelope on data privacy laws, and the rest of the country will inevitably have to follow. More than 15 years ago, California passed the first breach notification law (S.B. 1386) which has now been replicated in 47 states. Similar to the GDPR, this new California law codifies stronger legal protections for privacy and much stiffer penalties.
It’s not surprising that the internet giants opposed this because it throws a wrench directly into their primary source of revenue – collecting and monetizing personal data.
It’s very appealing to consumers that they can opt-out of marketing lists and have their data deleted, similar to the European “right to be forgotten.” However, it’s hard to conceive of how this can effectively work. Doing any business online requires sharing data, where it inevitably gets shared, leaked, or shipped across borders. Good luck trying to opt-out and retrieve all your personal data when it’s littered around the globe.”
Frederik Mennes, Senior Manager Market & Security Strategy at OneSpan:
“Similar to the European General Data Protection Regulation, the Californian Consumer Privacy Act requires organizations to be more transparent about the ways they use personal data, and provides consumers more control over the use of their personal data. Additionally, organizations are required to implement and maintain security controls appropriate to the nature of the personal data. Organizations should consider implementing multiple layers of security controls, such as data encryption, data anonymization, and access control based on strong user authentication, to meet this requirement.”
Terry Ray, Chief Technology Officer at Imperva:
“Someone said to me recently that data used to be like gold, but now it’s more like uranium: still very valuable but also highly radioactive.
Some of the requirements outlined in CCPA should be easy to meet as long as IT and security teams have data security and data incident response programs already in place. Sadly, there are plenty of organizations that have yet to fully implement either of those programs around data, and some who have likely focused only on current regulatory target data, like credit card data for PCI-DSS, healthcare data for HIPAA, or other specific data types where consumer private data is not generally included.
Many large companies still have a long way to go in finishing the technical aspects of the EU’s GDPR, and now California companies need to be ready for CCPA a year and a half later. It may seem a big demand on organizations, but in reality, it shouldn’t be. Most global organizations have already built the framework for these same requirements to meet GDPR over the last few years, so there are plenty of materials, processes and products available to assist California companies with these similar requirements. Whether it’s serendipitous or planned by California, following GDPR might have helped get organizations ready for CCPA.”
Matan Or-El, CEO and Co-founder of Panorays:
“It’s impossible not to think of this law as following on the heels of GDPR. The precedent of the GDPR demonstrates that such regulations, regardless of whether they will increase security and privacy in practice, have made lawmakers and consumers worldwide understand that such standards can be set. Furthermore, it is certainly likely that similar privacy regulations will be adopted by other states. We saw this in the past when California was the first state to publish its breach notification law and most states followed with a similar law of their own.”
Jonas Outlaw, Senior Product Manager at Bomgar:
“In a post-GDPR business landscape, it’s no surprise that similar US legislation is gaining traction. The information landscape has changed. With the growth of the ‘always on culture’, driven by the ever-expanding capabilities of mobile devices, and the increase in the digital transformation of services, a wide range of identifiable and behavioral data is now collected and processed by organizations every time we interact online. At the same time, how and where organizations process this data has moved from inside the traditional IT perimeter and server rooms into hybrid and cloud environments in data centers across the globe.
Consumers have more awareness of the collection and processing of their personal data, making security a critical piece of an organization’s data privacy strategy to ensure it can control and protect access to the systems that hold personal data. It’s also critical that companies today ensure all remote access methods are secure to protect their data, as remote access continues to be a leading attack vector in cyberattacks.”