What We Do
How we do it
Jul 29, 2021
UPDATE: PetitPotam NTLM Relay Attack
THE THREAT PetitPotam is a variant of the NTLM Relay attack discovered by security researcher Gilles Lionel. It is tracked as an authentication bypass vulnerability in Active Directory (Certificate Services); currently no CVE identifier has been assigned to this vulnerability. Proof of Concept (PoC) code released last week [1] relies on the Encrypting File System Remote (EFSRPC) protocol to…
Read More
View all Advisories →
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1000+ organizations in 70+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
Jul 12, 2021
Tecala and eSentire Partner to Protect Enterprises across APAC from Business-Disrupting Cyber Attacks
Sydney, 12 July, 2021 - Tecala, Australia’s award-winning technology services and IT consulting provider, today announced it has chosen eSentire, the global Authority in Managed Detection and Response (MDR) cybersecurity services, as their exclusive MDR solution provider in Australia and New Zealand. This partnership will enable Tecala to augment its cybersecurity practice and offer enterprises…
Read More
Our award-winning partner program offers financial rewards, sales and marketing tools and personalized training. Accelerate your business and grow your revenue by offering our world-class Managed Detection and Response (MDR) services.
Learn about our Partner Program
Blog — Jan 23, 2020

What You Need to Know about the California Consumer Privacy Act

3 min read

Originally posted in Best Manufacturing Practices January 16, 2020

On the heels of the European Union’s General Data Protection Regulation (GDPR) and the revelation that Facebook and other social media platforms were selling their data, consumers began to demand stronger data privacy protection. However, the U.S. constitution contains no express right to privacy. It’s typically left up to the civil court system to decide on such matters as governed by state law or precedent. When data privacy legislation called the California Consumer Protection Act (CCPA) was introduced last year, it was passed within weeks of its introduction.

The CCPA’s quick passage was widely seen as a compromise with online companies that were eager to prevent a tougher citizen proposal from going onto the ballot. The legislation, which went into effect Jan. 1, grants consumers new rights with respect to the collection of their personal information. The CCPA represents the first legislation of its kind to pass in the U.S., but it’s certainly not the last. In 2019, more than 20 states considered data privacy legislation. California will be an acid test to watch as the legislation takes effect.

Due to its focus on consumer privacy, the CCPA mandates full disclosure from companies regarding the collection of personal information — everything from what details they are keeping to what sources that information is coming from and why they are collecting it.

Under CCPA, California citizens have the right to opt out of having their data/ information sold. Users and customers must be notified from the get-go about their information. They have to acknowledge that their information is being collected, but they can choose not to allow those companies to sell their information to other companies. CCPA goes one step beyond GDPR to not only define privacy rights but to expose the economic value of consumer data.

The “right to be deleted” is another CCPA assurance for consumers, akin to GDPR’s right to be forgotten. Companies aren’t allowed to retaliate against those customers who opt out of allowing their information to be sold by charging them higher fees or rates.

The Logistics of CCPA Compliance

Every department must understand CCPA’s requirements, so manufacturers need to set up some training if they haven’t already. Companies that fall within CCPA’s jurisdiction will need to map all of the information they collect. And for many, they’ll find that certain departments have no understanding of the implications that arise from the information they regularly gather.

As a real-world example, consider that the marketing department most likely stores sales information about customers and prospects in a customer relationship management (CRM) tool to create stronger buying personas. However, marketers are likely unaware that CCPA requires documentation of where that data came from and why it is being used. And in a situation like this, pleading ignorance is no longer a viable defense.

This data is valuable to your company, and that means it is also valuable to others. One of the major aspects of CCPA is that companies must declare the value of the data they are collecting — so if a company plans to sell that data, it must declare its resale value.

Manufacturers must also justify why they possess customer data and to fully map where the information goes, including across their supply chain.

Manufacturers are also responsible for keeping this data safe, which couldchange how vendors are chosen. Organizations will need to analyze the risks that are associated with that vendor by conducting due diligence and then establish controls. They will have to put monitoring in place to ensure their vendors are in compliance with those data controls.

Yes, such laws require new processes and sometimes new people, but it doesn’t herald the death of manufacturers with California customers. Instead, companies can use this mandate to re-examine their partners, supply chain and data collection and storage purposes and methods. This, in turn, has the knock-on effect of stronger data security and greater consumer confidence.

Mark Sangster
Mark Sangster Vice President and Industry Security Strategist

Mark is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations.