Richard Mendoza, Director, Data Privacy & Regulatory Compliance, Realogy Holdings Corp
The most over used phrase in this brave new world of the never-ending mission to monetize information is that “Data is the new Gold Rush”. Is it really? Can companies really benefit and profit from massive data stores? The push for organizations to develop the appropriate algorithms and analytics platforms that process data and provide the trending analysis and predictive models to all corners of their respective businesses have hit a major snag. The music is about to stop, and many organizations will not have a chair! The California Consumer Privacy Act (CCPA) looks to apply similar data privacy controls and legislation currently being promulgated within Europe (General Data Protection Regulation) to companies and enterprises doing business in California (CA).
This is the most comprehensive data privacy legislation seen in the U.S. in decades and comes at a time when the need for qualified staff, tools, and appetite to complete the necessary projects are at an all-time low. This law has weight based on the size of CA, reach of their economy, and potential punitive damages. This shift in philosophy starts with all of us in different businesses realizing this new world where any information pertaining to an individual will need to be protected as if it were at the highest levels of sensitivity. An individual’s personal email address will be treated the same as their social security number!
Eliminating legacy data will help your company mitigate risk and implement data minimization philosophies asking why you are collecting sensitive data and if you need it
This paradigm shift will put emphasis on U.S. organizations’ need for appropriate technical and organizational measures and spend your resources on areas that create the biggest risk to the individual and enterprise.
The likes of Google and Microsofts of the world are clearly the focus of this legislation, most likely. It is important to know the Attorney General’s office of CA will be charged with enforcing the law, and all fines resulting from punitive damages will find their way into the AG coffers to fund future enforcement and enhancements required. They are going big game hunting. This tells me an aggressive approach will be taken, and we will not get much leeway on findings. The law becomes effective on 1-1-2020, but chatter from AG’s office and in the community is that it will not be fully enforced until July of 2020, but with a 12-month look back. We are on the hook as we speak, so no time to waste to ramp up. The largest risk associated with this law is the ability for people to stop the selling of their information. This will need to be displayed on their client facing website home pages, and a link/button will need to be available to data subjects to opt-out of selling their information. This will also require additional back-end processes, so additional management will be necessary. The other major item which will need to be solidified, as final guidance will not be issued until October, is that “selling” information does not necessarily pertain to monies changing hands. The term selling is anything of a “valuable consideration”, so sharing information between brands, organizations, and preferred alliance partners will be impacted.
So, what do we do now? I hate when folks come to me with problems and no solutions, so I don’t want to be that person. Let’s look at this in a pragmatic way and look to apply “appropriate technical and organizational measures” for the risk the data poses to the data subjects. The first phase will be to understand where your sensitive data resides and define your critical assets and applications. The ability to understand your data inventory is critical for the CCPA and will allow you and team to fulfill data subject requests and inquiries (for instance, Right to be Forgotten). This will give you a roadmap to apply your resources in the most efficient way. The next step is to start to look at ways that reduce risk and have far reaching tentacles. A specific example would be encrypting data in-transit and at-rest. These types of enhancements are in-expensive and can be implemented relatively quickly. This will help your organization significantly reduce the risk of an unauthorized breach because encrypted and/or obfuscated data will not be in-scope for potential regulatory or compliance notifications. Another big step you can take is to apply data minimization principles and start to purge data that you no longer need. Most organizations tend to keep data much longer than necessary. So eliminating legacy data will help your company mitigate risk and implement data minimization philosophies asking why you are collecting sensitive data and if you need it. My last suggestion would be aligning with your legal team and having an assessment done to help find gaps, and provide more ammunition for your team to solve additional concerns.
To make this work, you need good partners knowing what you don’t know. In the end, good solid Information Security and Data Privacy principles/techniques applied will get you close to the finish line, and with buy-in from management will get you the rest of the way. Don’t let great get in the way of good!