Customer personally identifiable information (PII) breaches have become a growing problem for retailers, with more than 19 breaches at major retailers between early 2018 and late 2019 alone. This is happening in a climate where many states are considering legislation similar to the CCPA, and the pandemic has driven a major surge in online shopping. These three developments, among others, make the issue urgent as the California Attorney General (AG) begins enforcement of the law, with key implications for businesses generally and retailers specifically:
- A 45-day window to respond to a California resident's verifiable request for the personal information the business holds about them;
- The right to opt out of the retailer selling their personal data to third parties;
- The right to know what personal data the business collects and sells, and the categories of third parties it is sold to or shared with;
- The right to demand deletion of stored personal information;
- Opt-in consent before selling the personal data of California consumers under the age of 16, with a parent or guardian's consent for those under the age of 13;
- A bar on penalizing any California consumer who exercises their rights under the CCPA; and
- A clearly posted, easily accessible "Do Not Sell My Personal Information" link on the retailer's website, with opt-in/opt-out controls.
Implementing A CCPA Compliance Strategy
Retailers understand by now that CCPA compliance strategies will involve internal data assessments and governance, policy development, education and technology changes. This starts with a complete mapping or audit of customer data, to identify every point where it is collected, stored and used. The audit must answer the following questions:
- Who has access to the data?
- What data is being collected?
- What types of data are being stored?
- In what format and location is the data held, and which applications or workloads depend on it?
- What encryption is applied to it, at rest and in transit?
- Which database holds purchasing history?
- Is the data structured or unstructured?
- Do any third-party vendors, suppliers or partners access, store or use any of that data?
Information security must be pervasive throughout an organization, and it should begin with raising security awareness among end users and employees. Many breaches could have been avoided with better user education and by following leading security practices such as the CIS Controls. But to build a comprehensive and cost-effective compliance strategy, retailers must establish a cross-functional team with clear, attainable goals that align with the organization's budget.
The first step for this team is to understand the CCPA requirements and determine how they apply to the business; this forms the basis of the compliance plan. The plan will be built on the mapping of your data and its application/workload dependencies, so that the business can answer consumer access requests about what information it collects about a consumer and how that information is used.
Retailers must first inventory and classify the sensitive information of consumers and institute reasonable security controls to protect it. In the age of cloud computing and e-commerce, knowing where all your information assets are located is crucial and foundational to a CCPA/cybersecurity strategy. That requires real visibility into, and an up-to-date inventory of, both the information technology (IT) and operational technology (OT) that underpins the retail environment.
IT/OT Governance Steps For CCPA Compliance
Retailers have a significant number of back-end and front-end endpoints where data can be gathered, stored, accessed and shared. This combination of IT and OT spans POS systems, the internal network, and assets beyond the network edge: web portals, databases and the cloud. Meeting data privacy, security and CCPA compliance requirements calls for:
- Developing an action plan for, and implementing, customer identity and access management (CIAM) technology that consolidates customer data from multiple web and mobile platforms into one profile, so that the business can readily locate and produce a customer's personal information on request and apply consistent encryption and protection to it;
- Implementing device-level endpoint protection and server- and network-based security controls;
- Implementing encryption of data at rest and in motion: full-disk encryption on endpoints and servers, cloud service provider encryption-at-rest services, TLS for application traffic and VPNs for remote and site-to-site links. Note that full-disk encryption protects data on lost or stolen media but not data read through a running application or a compromised account, so application- or field-level encryption of PII is often needed as well;
- Developing protocols and systems with the third-party vendors and service providers with whom PII is shared, to ensure CCPA requirements are met;
- Developing employee policies and protocols for responding to customer data requests, including the process for resolution and response and the tools to extract the data and fulfill deletion;
- Revamping websites and e-commerce portals with clear instructions for submitting a right-to-access request, a visible "Do Not Sell My Personal Information" link, properly displayed opt-in/opt-out controls, and details on how PII is used; and
- Instituting policy training for anyone involved in CCPA compliance, privacy practices and handling of customer requests, refreshed each year.
For retailers, CCPA compliance, data privacy and security are about consumer trust. By implementing a compliance strategy that encompasses digital risk management, data governance and compliance measures, retailers protect both their customers and their business. Even the largest retail enterprises may lack the capacity to handle this process on their own, so a cybersecurity/privacy consulting partner can be crucial to planning, implementation, management, monitoring and follow-up.
While not every retailer in the country meets the threshold to be a covered business under California's CCPA, this is the direction other states are heading. Now is the time to implement the policies, processes and technology that meet this data privacy and security need, to avoid future enforcement actions and mitigate the risk of private actions while protecting your customers and your business.
Technologent Chief Information Security Officer Jon Mendoza has over 24 years of experience in information technology and cybersecurity. He has created security programs for businesses and organizations and has led a team of engineers from various IT disciplines and domains. He has a Bachelor's in Computer Information Systems and is currently completing his Master's in Cybersecurity Engineering. He lives in Southern California with his wife, two kids, four dogs, and his African Grey Parrot.