On August 29, 2023, the California Privacy Protection Agency (CPPA) posted discussion drafts of the upcoming cybersecurity audit and risk assessment regulations. These draft regulations follow an earlier amendment of the California Consumer Privacy Act (CCPA) by the California Privacy Rights Act (CPRA), which extended consumer rights, introduced a Sensitive Personal Information category, and sharpened the privacy supervisor’s teeth. Although these drafts only mark the start of the rulemaking process and will be subject to Board discussion and public participation, it is clear that the ties between data privacy and data security are being tightened further. Some notable data security requirements put forth for discussion under the draft regulations include:
Among the safeguards to protect personal data, the draft cybersecurity audit regulation requires stronger authentication, including:
Personal information will have to be encrypted at rest and in transit. The draft risk assessment regulation also mentions other forms of privacy-enhancing technology such as differential privacy, federated learning, and homomorphic encryption.
Access management plays an important role in protecting against unauthorized access in the draft regulations. Throughout the drafts it is clear that the CPPA attaches high importance to least privilege access management. In short, data access has to be denied by default, following the principles of Zero Trust Architecture. Access is only permitted when it aligns with the consumer’s reasonable expectations or the purpose explicitly communicated during data collection, as exemplified by purpose-based access controls. This rule applies universally to both internal and external data consumers and necessitates the revocation of access when it is no longer necessary, including in cases such as employment termination. The draft regulation also requires organizations to catalog the personal data they hold, together with its classification tags and any tag-based access controls that use those tags to govern the use and disclosure of personal data.
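To make the deny-by-default, purpose-based and tag-based access rules above concrete, here is an added example of a small policy evaluator. It is not code from the original post or from Raito’s product; the principals, purposes, classification tags and grants are constructed for illustration. Access is denied unless an active, unexpired grant exists for a purpose that was disclosed at collection time and whose tag coverage includes every classification tag on the column; revoking a principal’s grants (for example on employment termination) closes access immediately.

```python
"""Deny-by-default, purpose- and tag-based access decisions.

Added example, not part of the original post or of Raito's product.
All principals, purposes, tags and grants below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Column:
    name: str
    tags: frozenset  # classification tags, e.g. {"PII", "SENSITIVE_PI"}


@dataclass
class Grant:
    principal: str
    purpose: str               # purpose disclosed to the consumer at collection
    allowed_tags: frozenset    # tags this grant may read for that purpose
    expires: Optional[date] = None
    revoked: bool = False


# Purposes the organisation disclosed at collection time (constructed).
DISCLOSED_PURPOSES = {"order_fulfilment", "fraud_prevention"}


class AccessPolicy:
    def __init__(self, today: date):
        self.today = today
        self.grants: dict[str, list[Grant]] = {}

    def grant(self, g: Grant) -> None:
        self.grants.setdefault(g.principal, []).append(g)

    def revoke_all(self, principal: str) -> int:
        """Revoke every grant of a principal (e.g. on employment termination)."""
        count = 0
        for g in self.grants.get(principal, []):
            if not g.revoked:
                g.revoked = True
                count += 1
        return count

    def decide(self, principal: str, purpose: str, column: Column) -> tuple[bool, str]:
        """Return (allowed, reason). Nothing is allowed unless a grant opens it."""
        # A purpose never communicated to the consumer can never justify access.
        if purpose not in DISCLOSED_PURPOSES:
            return False, "purpose was not disclosed at collection"
        for g in self.grants.get(principal, []):
            if g.revoked:
                continue
            if g.expires is not None and g.expires < self.today:
                continue
            if g.purpose != purpose:
                continue
            # Tag-based check: every classification tag on the column must be covered.
            if column.tags <= g.allowed_tags:
                return True, f"grant for {purpose} covers {sorted(column.tags)}"
        return False, "no active grant matches (deny by default)"


def demo() -> list[bool]:
    """Walk through the common cases; returns the sequence of decisions."""
    policy = AccessPolicy(today=date(2023, 9, 1))
    email = Column("email", frozenset({"PII"}))
    ssn = Column("ssn", frozenset({"PII", "SENSITIVE_PI"}))
    policy.grant(Grant("alice", "order_fulfilment", frozenset({"PII"})))
    policy.grant(Grant("bob", "fraud_prevention", frozenset({"PII", "SENSITIVE_PI"}),
                       expires=date(2023, 6, 30)))  # expired grant
    results = [
        policy.decide("alice", "order_fulfilment", email)[0],  # True: tag covered
        policy.decide("alice", "order_fulfilment", ssn)[0],    # False: SENSITIVE_PI not covered
        policy.decide("alice", "marketing", email)[0],         # False: undisclosed purpose
        policy.decide("bob", "fraud_prevention", ssn)[0],      # False: grant expired
        policy.decide("carol", "order_fulfilment", email)[0],  # False: no grant at all
    ]
    policy.revoke_all("alice")  # e.g. alice leaves the company
    results.append(policy.decide("alice", "order_fulfilment", email)[0])  # False
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the evaluator never consults a list of denied principals: every path to `True` runs through an explicit, unexpired, unrevoked grant, which is what deny-by-default means in practice.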
Organizations will be required to monitor data storage, retention, and usage logs, and will have to report the third parties to whom consumers’ personal information is disclosed.
They will also have to assess the effectiveness of their data security during the annual cybersecurity audits, and perform a risk assessment every three years or whenever there is a material change in data processing.
If you’re an organization that processes consumers’ personal information, or do business with one, these revisions will likely require you to invest in better data security. However, if personal data is a core competitive asset supporting your organization’s customer experiences, cost management and decision making, it will be very challenging to improve data security with current access management technology and workflows in a way that doesn’t disrupt your data operations. You will need an approach that lets you improve data security incrementally and control the timing of the impact on data operations. The way to achieve this is through:
Having a good understanding of your organization’s access controls and usage patterns allows you to understand your as-is situation and carefully plan your roadmap to CPRA compliance. It also lets you iterate incrementally from that as-is, learn from feedback loops, and adjust the implementation where needed. Monitoring capabilities will also help you comply with the monitoring and reporting requirements stipulated in the draft regulations.
Dynamic data teams have to federate data security responsibilities to data owners to achieve a productive balance between least privilege access management, as required by the CPPA’s draft regulations, and data democratization. Without federation, data teams will be flooded with data access requests, preventing them from doing their work and creating undue hold-ups. Raito’s user-friendly interface lets data owners manage access without requiring technical expertise.
Automation plays a crucial part in scaling data security. It saves time and reduces the risk of errors that come with manual processes. Automatically detecting and prioritizing risks, auto-approving and auto-revoking access, and automating CPRA compliance using tag-based policies are essential to striking a healthy balance between data security and democratization.
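The monitoring and automation points above (usage logs, risk prioritization, auto-revocation of access that is no longer necessary) can be tied together in one small routine. The following is an added example, not code from the original post or from Raito’s product: it parses constructed usage-log lines, finds grants that have not been used within a staleness window, ranks them by the classification tags of the table they expose, and returns the grant list with the stale ones revoked. The log format, tag names, risk weights and the 90-day threshold are all assumptions chosen for illustration.

```python
"""Automation: find stale grants from usage logs and rank them by risk.

Added example, not part of the original post or of Raito's product.
Log format, grants, tags, weights and threshold are constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta
from typing import Optional

# Constructed usage-log lines: who read which table, and when.
USAGE_LOG = """\
2023-05-02T09:12:00 principal=alice table=orders action=read
2023-08-28T14:03:00 principal=alice table=orders action=read
2023-04-11T08:45:00 principal=bob table=customers action=read
2023-08-30T11:20:00 principal=carol table=customers action=read
"""

# Current grants (principal, table) and classification tags per table (constructed).
GRANTS = [("alice", "orders"), ("bob", "customers"),
          ("dave", "customers"), ("carol", "customers")]
TABLE_TAGS = {"orders": set(), "customers": {"PII", "SENSITIVE_PI"}}

# Risk weight per tag: sensitive personal information outranks plain PII.
RISK_WEIGHT = {"SENSITIVE_PI": 3, "PII": 2}
STALE_AFTER = timedelta(days=90)


def parse_usage(log: str) -> dict[tuple[str, str], datetime]:
    """Return the most recent read per (principal, table) from key=value log lines."""
    last_used: dict[tuple[str, str], datetime] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        if fields.get("action") != "read":
            continue
        key = (fields["principal"], fields["table"])
        seen = datetime.fromisoformat(ts)
        if key not in last_used or seen > last_used[key]:
            last_used[key] = seen
    return last_used


def stale_grants(grants, last_used, now: datetime, stale_after=STALE_AFTER) -> list[dict]:
    """Grants never used, or unused for longer than stale_after, highest risk first."""
    findings = []
    for principal, table in grants:
        seen: Optional[datetime] = last_used.get((principal, table))
        if seen is None or now - seen > stale_after:
            risk = sum(RISK_WEIGHT.get(tag, 0) for tag in TABLE_TAGS.get(table, set()))
            findings.append({"principal": principal, "table": table,
                             "last_used": seen, "risk": risk})
    findings.sort(key=lambda f: (-f["risk"], f["principal"]))
    return findings


def auto_revoke(grants, findings) -> list[tuple[str, str]]:
    """Return the grant list with every stale grant removed."""
    stale_keys = {(f["principal"], f["table"]) for f in findings}
    return [g for g in grants if g not in stale_keys]


if __name__ == "__main__":
    now = datetime(2023, 9, 1)
    findings = stale_grants(GRANTS, parse_usage(USAGE_LOG), now)
    for f in findings:
        print(f"revoke {f['principal']}@{f['table']} (risk {f['risk']}, last used {f['last_used']})")
    print("remaining grants:", auto_revoke(GRANTS, findings))
```

In a real deployment the `findings` list would feed a review queue for the data owner rather than revoking silently, with the risk score deciding what gets reviewed first; the example keeps both steps as plain functions so each can be tested on its own.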
These draft regulations are only the first step in the second amendment of the CCPA, and are likely to undergo several rounds of revision before being finalized. However, data-intensive organizations will have to plan their actions accordingly, as the data security requirements are in line with a broader regulatory push towards better data protection.
I hope this helps!
Reach out if you want to learn more at [email protected] or book 30 minutes with me.