What We Do
How we do it
Resources
SECURITY ADVISORIES
Jul 29, 2021
UPDATE: PetitPotam NTLM Relay Attack
THE THREAT PetitPotam is a variant of the NTLM Relay attack discovered by security researcher Gilles Lionel. It is tracked as an authentication bypass vulnerability in Active Directory (Certificate Services); currently no CVE identifier has been assigned to this vulnerability. Proof of Concept (PoC) code released last week [1] relies on the Encrypting File System Remote (EFSRPC) protocol to…
Read More
View all Advisories →
Company
ABOUT eSENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1000+ organizations in 70+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
Jul 12, 2021
Tecala and eSentire Partner to Protect Enterprises across APAC from Business-Disrupting Cyber Attacks
Sydney, 12 July, 2021 - Tecala, Australia’s award-winning technology services and IT consulting provider, today announced it has chosen eSentire, the global Authority in Managed Detection and Response (MDR) cybersecurity services, as their exclusive MDR solution provider in Australia and New Zealand. This partnership will enable Tecala to augment its cybersecurity practice and offer enterprises…
Read More
Partners
PARTNER PROGRAM
Partners
Our award-winning partner program offers financial rewards, sales and marketing tools and personalized training. Accelerate your business and grow your revenue by offering our world-class Managed Detection and Response (MDR) services.
Learn about our Partner Program
Resources
Blog — Nov 26, 2019

Navigating the California Consumer Privacy Act

6 min read

Originally posted in Corporate Compliance Insights November 12, 2019

With the California Consumer Privacy Act (CCPA) going into effect shortly, eSentire’s Mark Sangster deliberates on evolving data privacy laws and how companies can ensure stronger data privacy for customers.

The 2018 Cambridge Analytica scandal was a watershed moment for citizen privacy and the protection of our information rights. Consumers gained a greater understanding of the fact that when a product or service is “free,” it means their own information is the actual product. This is perhaps the greatest industrial revolution: the consumer is the product. Not only did it create an uproar, but it also resulted in significant financial penalties. The Federal Trade Commission (FTC) fined Facebook a record $5 billion for giving Cambridge Analytica improper access to its users.

The settlement is important, because it demonstrates that the FTC is taking consumers’ data privacy seriously. The scandal has also caused many consumers to reconsider what information they post – and whether they post at all – on social media and how many companies hold their personal information. In the case of Facebook – and, by extension, all other organizations with an online presence – when no privacy guarantees were ever proffered fully by the company, it represented a violation of implied trust.

In the European Union, the General Data Protection Regulation (GDPR) was established before the Facebook scandal became known. It was implemented in response to many other violations of trust and data collection – both intentional and accidental – as more and more companies collect citizens’ digitized personal information. The GDPR lays out stringent guidelines for what types of data organizations can collect and what they are allowed to do with it, complete with hefty fines for noncompliance. U.S. companies conducting business in the EU or holding data on EU citizens are subject to GDPR, but attempts to pass anything like GDPR in the U.S. have so far failed to gain significant traction.

The Origins of the California Consumer Privacy Act

The California Consumer Protection Act (CCPA) is perhaps the “Plymouth Rock” of privacy. The U.S. constitution contains no express right to privacy. It’s typically left up to the civil court system to decide on such matters as governed by state law or precedent. There’s no explicit equivalent of, say, Canada’s PIPEDA or Japan’s AAPI online privacy legislation. However, when data privacy legislation called the California Consumer Protection Act (CCPA) was introduced last year, it was passed within weeks of its introduction.

Clearly, there was an appetite, at least in tech-heavy California, for GDPR-style protections. The CCPA’s quick passage was also widely seen as a compromise with online companies that were eager to prevent a tougher citizen proposal from going onto the ballot. The legislation grants consumers new rights with respect to the collection of their personal information and goes into effect on January 1, 2020.

How Will the CCPA Affect Companies?

First and foremost, the CCPA is about privacy. It requires full disclosure from companies regarding the collection of personal information – everything from what details they are keeping to what sources that information is coming from and why they are collecting it.

It also includes the right for citizens to opt-out of having their information/data sold. Users and customers will have to be notified from the get-go about their information; they will have to acknowledge that their information is being collected, but they can choose not to allow those companies to sell their information to other companies. CCPA goes one step beyond GDPR to not only define privacy rights, but also expose the economic value of consumer data.

Similarly to GDPR’s right to be forgotten, CCPA includes the “right to be deleted.”

Companies won’t be allowed to retaliate against those customers who opt out of allowing their information to be sold by charging them higher fees or rates. A company like Google, for instance, wouldn’t be able to respond to a user opting out of having their information sold by then charging them (more) or restricting access to certain services.

How Companies Can Understand the Risks and Prepare

One of the major aspects of CCPA is that companies will have to declare the value of the data they are collecting – so if a company planned to sell that data, they would need to declare its resale value.

Organizations will need to find a way to ensure that every department understands what the requirements are under CCPA. Companies that fall within CCPA’s jurisdiction will need to map all of the information they collect. For many, they’ll find that certain departments have no understanding of the implications that arise from the information they regularly gather.

For instance, the marketing department may store sales information about customers and prospects in a customer relationship management (CRM) tool to create stronger buying personas. However, marketers are likely unaware that CCPA will require documentation of where that data came from and why it is being used. And in a situation like this, pleading ignorance is no longer a viable defense.

Companies will need to be able to fully map where the information goes, including across their supply chain, with a justified purpose. They will have to work to ensure they’re conducting due diligence and analyzing the benefits versus the risks to justify their actions to regulators if they come calling. This will help prevent “shiny object syndrome,” or a hoarder’s mentality in which companies collect all the data they can in the hopes that it will someday be useful.

In addition, companies must be able to secure this data. This will change how vendors are chosen. Organizations will need to analyze the risks associated with that vendor by conducting due diligence, then establish controls. They will have to put monitoring in place to ensure their vendors are in compliance with those data controls.

Stronger Security Ahead

The CCPA represents the first legislation of its kind to pass in the U.S., but it’s certainly not the last. This year, more than 20 states have considered data privacy legislation, though only Maine, Illinois and Nevada actually passed laws. California will be an acid test to watch as of January 1 of next year, when the legislation takes effect. It’s particularly interesting to watch, given how many of the biggest names in tech are also based in the Golden State.

But privacy legislation of this kind shouldn’t and doesn’t need to be seen as crippling to business. It can actually be a business advantage by forcing companies to really evaluate their supply chain and partners to understand how and why data is being stored and collected. This can ultimately protect not just consumers’ privacy, but companies from damaging breaches or other security incidents in the long term as they get a better handle on their data.

Mark Sangster
Mark Sangster Vice President and Industry Security Strategist

Mark is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations.