What We Do
How we do it
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
View Threat Intelligence Resources →
Jun 01, 2023
Critical Vulnerability in MOVEit Transfer
THE THREAT eSentire is aware of reports relating to the active exploitation of a currently unnamed vulnerability impacting Progress Software’s managed file transfer software MOVEit Transfer.…
Read More
View all Advisories →
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
Mar 20, 2023
Exertis and eSentire Partner to Deliver 24/7 Multi-Signal MDR, Digital Forensics & IR Services and Exposure Management to Organisations Across the UK, Ireland, and Europe
Basingstoke, UK– 20 March, 2023. Leading technology distributor, Exertis, announced today that it has bolstered its cybersecurity services, adding eSentire, the Authority in Managed Detection and Response (MDR), to its Enterprise portfolio of offerings. eSentire’s award-winning, 24/7 multi-signal MDR, Digital Forensics & Incident Response (IR), and Exposure Management services will be available…
Read More
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Blog — Nov 26, 2019

Navigating the California Consumer Privacy Act

5 minutes read
Speak With A Security Expert Now

Originally posted in Corporate Compliance Insights November 12, 2019

With the California Consumer Privacy Act (CCPA) going into effect shortly, eSentire’s Mark Sangster deliberates on evolving data privacy laws and how companies can ensure stronger data privacy for customers.

The 2018 Cambridge Analytica scandal was a watershed moment for citizen privacy and the protection of our information rights. Consumers gained a greater understanding of the fact that when a product or service is “free,” it means their own information is the actual product. This is perhaps the greatest industrial revolution: the consumer is the product. Not only did it create an uproar, but it also resulted in significant financial penalties. The Federal Trade Commission (FTC) fined Facebook a record $5 billion for giving Cambridge Analytica improper access to its users.

The settlement is important, because it demonstrates that the FTC is taking consumers’ data privacy seriously. The scandal has also caused many consumers to reconsider what information they post – and whether they post at all – on social media and how many companies hold their personal information. In the case of Facebook – and, by extension, all other organizations with an online presence – when no privacy guarantees were ever proffered fully by the company, it represented a violation of implied trust.

In the European Union, the General Data Protection Regulation (GDPR) was established before the Facebook scandal became known. It was implemented in response to many other violations of trust and data collection – both intentional and accidental – as more and more companies collect citizens’ digitized personal information. The GDPR lays out stringent guidelines for what types of data organizations can collect and what they are allowed to do with it, complete with hefty fines for noncompliance. U.S. companies conducting business in the EU or holding data on EU citizens are subject to GDPR, but attempts to pass anything like GDPR in the U.S. have so far failed to gain significant traction.

The Origins of the California Consumer Privacy Act

The California Consumer Protection Act (CCPA) is perhaps the “Plymouth Rock” of privacy. The U.S. constitution contains no express right to privacy. It’s typically left up to the civil court system to decide on such matters as governed by state law or precedent. There’s no explicit equivalent of, say, Canada’s PIPEDA or Japan’s AAPI online privacy legislation. However, when data privacy legislation called the California Consumer Protection Act (CCPA) was introduced last year, it was passed within weeks of its introduction.

Clearly, there was an appetite, at least in tech-heavy California, for GDPR-style protections. The CCPA’s quick passage was also widely seen as a compromise with online companies that were eager to prevent a tougher citizen proposal from going onto the ballot. The legislation grants consumers new rights with respect to the collection of their personal information and goes into effect on January 1, 2020.

How Will the CCPA Affect Companies?

First and foremost, the CCPA is about privacy. It requires full disclosure from companies regarding the collection of personal information – everything from what details they are keeping to what sources that information is coming from and why they are collecting it.

It also includes the right for citizens to opt-out of having their information/data sold. Users and customers will have to be notified from the get-go about their information; they will have to acknowledge that their information is being collected, but they can choose not to allow those companies to sell their information to other companies. CCPA goes one step beyond GDPR to not only define privacy rights, but also expose the economic value of consumer data.

Similarly to GDPR’s right to be forgotten, CCPA includes the “right to be deleted.”

Companies won’t be allowed to retaliate against those customers who opt out of allowing their information to be sold by charging them higher fees or rates. A company like Google, for instance, wouldn’t be able to respond to a user opting out of having their information sold by then charging them (more) or restricting access to certain services.

How Companies Can Understand the Risks and Prepare

One of the major aspects of CCPA is that companies will have to declare the value of the data they are collecting – so if a company planned to sell that data, they would need to declare its resale value.

Organizations will need to find a way to ensure that every department understands what the requirements are under CCPA. Companies that fall within CCPA’s jurisdiction will need to map all of the information they collect. For many, they’ll find that certain departments have no understanding of the implications that arise from the information they regularly gather.

For instance, the marketing department may store sales information about customers and prospects in a customer relationship management (CRM) tool to create stronger buying personas. However, marketers are likely unaware that CCPA will require documentation of where that data came from and why it is being used. And in a situation like this, pleading ignorance is no longer a viable defense.

Companies will need to be able to fully map where the information goes, including across their supply chain, with a justified purpose. They will have to work to ensure they’re conducting due diligence and analyzing the benefits versus the risks to justify their actions to regulators if they come calling. This will help prevent “shiny object syndrome,” or a hoarder’s mentality in which companies collect all the data they can in the hopes that it will someday be useful.

In addition, companies must be able to secure this data. This will change how vendors are chosen. Organizations will need to analyze the risks associated with that vendor by conducting due diligence, then establish controls. They will have to put monitoring in place to ensure their vendors are in compliance with those data controls.

Stronger Security Ahead

The CCPA represents the first legislation of its kind to pass in the U.S., but it’s certainly not the last. This year, more than 20 states have considered data privacy legislation, though only Maine, Illinois and Nevada actually passed laws. California will be an acid test to watch as of January 1 of next year, when the legislation takes effect. It’s particularly interesting to watch, given how many of the biggest names in tech are also based in the Golden State.

But privacy legislation of this kind shouldn’t and doesn’t need to be seen as crippling to business. It can actually be a business advantage by forcing companies to really evaluate their supply chain and partners to understand how and why data is being stored and collected. This can ultimately protect not just consumers’ privacy, but companies from damaging breaches or other security incidents in the long term as they get a better handle on their data.

View Most Recent Blogs

eSentire, Inc., the Authority in Managed Detection and Response (MDR), protects the critical data and applications of 2000+ organizations in 80+ countries, across 35 industries from known and unknown cyber threats by providing Exposure Management, Managed Detection and Response and Incident Response services designed to build an organization’s cyber resilience & prevent business disruption. Founded in 2001, eSentire protects the world’s most targeted organizations with 65% of its global base recognized as critical infrastructure, vital to economic health and stability. By combining open XDR platform technology, 24/7 threat hunting, and proven security operations leadership, eSentire's award-winning MDR services and team of experts help organizations anticipate, withstand and recover from cyberattacks. For more information, visit: www.esentire.com and follow @eSentire.