What is CCPA? – In a nutshell, CCPA is essentially the California version of GDPR, but with a few twists. As the rollout of GDPR made clear, with numerous investigations and fines levied against Facebook and Google, the California government was clearly concerned about the privacy of California's citizens. Never mind that this also opened numerous opportunities for the California government to levy fines against negligent businesses. Regardless, it should be fully understood that the requirements of CCPA "changed" while CCPA was being implemented, further "changes" have happened since, and more will likely happen. Thus everything is in motion, and we still are not entirely sure whether further changes will come.
As it stands, individuals (and households) have increased rights as they pertain to their data, though fewer than under GDPR, which may be either a good or a bad thing. The basic rights that should be understood are:
However, on 1/1/2023, additional rights will be afforded to data subjects:
It's important to note that these rights apply not only to individuals but also to households. Yes, essentially, your house now has rights, and if someone who resides in that household chooses to exercise their rights, then everyone in the household is affected.
As a company, how much should I care? - Great question. First, you have to qualify for CCPA. The qualifying requirements are listed below, and we'll discuss each in turn.
So what does this mean? - Well, if you fall under certain circumstances, then you "may" fall under CCPA. That doesn't mean you will fall under CCPA, but it does mean you should be sensitive to CCPA as it relates to how you run your business with California residents. It also opens up areas of debate and possible loopholes.
Let's discuss each area. Note, however, that for anything other than a California business, meeting the requirements of even one area qualifies under CCPA.
Note - It should also be understood that if a company handles the sensitive information of 4M or more users, then additional obligations apply; those are not covered in this article.
Arrakis can help you become more compliant or remain compliant by offering an unbiased 3rd party assessment that is specifically tailored around the framework or regulation you are required to conform to as well as help reduce your overall risk.
Additionally, Arrakis can provide regulatory or compliance training to your company to help better prepare you for a regulatory environment. Click here to see just some of our options to train you in regulatory compliance.
These solutions can be in several forms:
3rd party audits and assessments - All major frameworks require a 3rd party assessment to be performed in the areas of vulnerability assessment, risk assessment, or 3rd party audit of your information systems. Arrakis can be your trusted advisor, providing an unbiased and brutally honest assessment of where you feel weak or where you feel a regulatory agency may target you. Don't be caught short in high risk compliance areas like GDPR, FFIEC, FISMA, etc.
Business Impact Analysis (BIA) - As a matter of good practice, a BIA should be done at least yearly to ensure that you completely understand the level of impact to your business should any portion of your business process fail. How long can you stay down without major incident? How long can you stay down before your customers decide to move to another solutions provider? Knowing the impact to your business, both qualitative and quantitative, is vital and required. Arrakis can help you realize exactly what your impact is.
Gap Analysis - Regardless of what framework you are required to follow, there is always something that needs to be reviewed to see where your gaps, or weaknesses, are, so that you have targeted and actionable items on which to focus your remediation or improvement efforts. Don't be caught short in high risk compliance areas like GDPR, FFIEC, FISMA, NIST, etc.
Framework implementation, consultation, or support - All companies that process regulated data are required to conform to some security framework. Whether it be NIST 800-53, NIST 800-171, ISO 27001, FFIEC, etc., we can help implement it or provide consultation services to make your current implementation easier. Additionally, in several situations, companies have to conform to multiple frameworks or create a hybrid framework that reduces the regulatory risk to the company and its executives. Arrakis can help guide you down the path of confusion to a clear outcome.
vCISO/CISO as a service - Some companies simply do not have the budget, experience, or training to have a CISO or an information security department. While all frameworks require a security department and a CISO, it simply isn't in the budget, or there isn't enough technical work to justify hiring the appropriate personnel. Arrakis can help by acting as a trusted advisor to your company's CIO or COO and essentially performing the CISO functions. Technically, by the frameworks, someone in the company must still hold the title of CISO; however, none of the frameworks indicate that the actual "work" can't be outsourced to a reputable 3rd party. Don't be caught short in high risk compliance areas like GDPR, FFIEC, FISMA, etc.
vCIO/CIO as a service - Similar to the CISO as a service bullet item, some companies are more focused on building their business and increasing their profit margin and just don't have the time or experience to perform CIO functions. They have strategy without execution because they lack the ability to execute. Arrakis can be the IT glue that binds all the technological functions into a cohesive package and fills this gap. The professionals at Arrakis have, on average, over 20 years of experience in all aspects of IT, including managerial functions such as budgeting, project management, and process improvement.
Governance, Risk, and Compliance - Regardless of what framework your company is required to follow or its level of maturity, all companies bear some risk simply because they are in business. Our GRC people can help your company stay in compliance with regulations, assess and track risk to your company, and provide an easy to follow governance model to ensure that your company operates in a stable manner that keeps the auditors happy. Don't be caught short in high risk compliance areas like GDPR, FFIEC, FISMA, etc.
Policy Creation and Review - Quite often companies have some form of policies in place, but the majority of the time those policies simply do not meet the requirements of the auditors or of the frameworks the company is supposed to follow. While the company intends to be compliant, deficient policies do not help and only draw closer attention from the auditors. Arrakis has years of experience writing policy and can help bring you up to speed with the frameworks and improve your chances of success when it is time to be audited.
RSA Archer - Coupled with a GRC program, RSA Archer can be a solid investment towards lowering and visualizing your risk. Our professionals have years of experience with Archer and other GRC programs as well as industry GRC certifications from OCEG.