Data privacy compliance has become increasingly difficult for enterprises in the past few years — first with the implementation of Europe's General Data Protection Regulation and now this year with the California Consumer Privacy Act.
With several similar data compliance regulations in the works in other states and ongoing calls for a national framework, enterprises must not only work out how to store and analyze growing volumes of data; they also have to keep it safe and ensure they use it properly according to the rules of multiple jurisdictions.
“The main pain point for the organizations will be managing the user data,” said James Efron, infosecurity expert at Shufti Pro. A straightforward "right to delete data" request would be difficult, as would notifying users quickly in the case of an incident with their data.
“Businesses are still struggling to understand how to respond to data breaches and other such incidents because compliance is becoming complex,” Efron said.
The CCPA’s compliance date is July 1, and U.S. businesses are largely not ready for it, said David Thomas, CEO and co-founder of Evident ID. At Evident ID, Thomas has seen companies get a lot wrong, in particular around consumer rights requests (CRRs), which require a company to provide all the data it holds on an individual.
“CRRs can be submitted by cybercriminals, bots or bad actors hoping to obtain sensitive personal data that doesn't belong to them for nefarious purposes,” he said. “Simply put, the CRR regulation within the CCPA will introduce another avenue for hackers to steal personal data for identity theft or other criminal activity.”
This has the potential to be a major pain point for enterprises, Thomas said, one that can lead to consequences including fines and loss of consumer trust.
“There are some simple steps companies can take, such as retaining specialized lawyers and understanding their data and its movement,” Thomas said. “However, with such a complex regulation, even companies who are taking all the right steps can face landmines that can lead to massive business and reputational consequences.”
Part of the problem is that you never know when those landmines could go off, or how serious they will be when they do.
“The biggest challenge for companies that must comply with the CCPA is that you never know when a wave of subject access requests [SARs] can hit,” said Scott Hines, vice president of enterprise solutions at UST Global. A company can go months, or even years, operating under the new law and only receive a small number of SARs, but could suddenly receive thousands or even millions without warning, Hines said. And those requests could come not because of negligence or errors but due to events beyond the company’s control — for example, media reports on data security or a security breach at a competitor.
The Need for Automation
“Hyper-automation of the SAR response process is the only option for companies with large consumer bases,” Hines said. UST Global offers such solutions, he said, via its end-to-end SAR automation service that can handle a tidal wave of requests should it come.
Such a service may become increasingly essential for enterprises, especially considering the increased demands already placed on their IT departments in recent years: cloud management, data storage, automation on other fronts.
Companies need a safe and prompt response to the influx of requests they could soon receive, Thomas said. That response needs to include the ability to easily and accurately vet requests for data access and deletion.
“This is why identity verification is a key element to CCPA compliance,” Thomas said. “Building identity verification into the forefront of CRRs will prevent personal and sensitive information from getting in the wrong hands.” Having a streamlined and cost-effective process for that verification will ensure that the CCPA’s primary objective of combating fraud and protecting consumers is met, without undue consequences to businesses, he said.
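The risk Thomas describes, that a rights request becomes a new channel for stealing personal data, and the vetting step he calls for can be shown concretely. The following is an added example, not code from the article or from any vendor quoted in it. It is a hypothetical two-step request gate: a requester claims an identity, and the gate sends a one-time code only to the contact address the company already holds for that subject, so knowing a victim's e-mail address is not enough to pull their record or delete it. Codes are stored only as hashes, expire, are single use, are compared in constant time, and are voided after a few wrong guesses (so a bot cannot enumerate them); an unknown subject produces the same response as a known one, so the endpoint does not confirm who is a customer. The customer store, the `send` callback and the timing constants are all assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumed: a challenge must be answered within 15 minutes
MAX_ATTEMPTS = 5             # assumed: wrong codes tolerated before the request is voided

# Constructed sample customer store (hypothetical data, not from the article).
CUSTOMERS: Dict[str, dict] = {
    "alice@example.com": {"name": "Alice", "orders": 12, "tier": "gold"},
    "bob@example.com": {"name": "Bob", "orders": 1, "tier": "none"},
}


def _hash(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()


@dataclass
class PendingRequest:
    subject: Optional[str]        # e-mail on file; None when the claim matched no customer
    kind: str                     # "access" or "delete"
    code_hash: Optional[bytes]    # only the hash is kept, never the code itself
    expires_at: float
    attempts: int = 0
    consumed: bool = False


class RequestGate:
    """Submit a rights request, then prove control of the contact channel on file."""

    def __init__(self, store: Dict[str, dict],
                 send: Callable[[str, str], None], clock=time.time):
        self.store = store        # customer records keyed by the e-mail on file
        self.send = send          # delivers (address, code), e.g. an e-mail sender
        self.clock = clock
        self.pending: Dict[str, PendingRequest] = {}

    def submit(self, claimed_email: str, kind: str) -> str:
        if kind not in ("access", "delete"):
            raise ValueError("unsupported request kind")
        request_id = secrets.token_urlsafe(16)
        expires_at = self.clock() + TOKEN_TTL_SECONDS
        if claimed_email in self.store:
            code = secrets.token_urlsafe(24)
            # The code goes to the address already on file; the requester never
            # chooses the destination, so they must control that mailbox.
            self.send(claimed_email, code)
            self.pending[request_id] = PendingRequest(claimed_email, kind, _hash(code), expires_at)
        else:
            # Unknown subject: record an unconfirmable request so the caller cannot
            # tell "no such customer" from "code sent".
            self.pending[request_id] = PendingRequest(None, kind, None, expires_at)
        return request_id

    def confirm(self, request_id: str, code: str) -> Optional[dict]:
        req = self.pending.get(request_id)
        if req is None or req.consumed or self.clock() > req.expires_at:
            self.pending.pop(request_id, None)
            return None
        req.attempts += 1
        if req.attempts > MAX_ATTEMPTS:
            del self.pending[request_id]      # stop online guessing of the code
            return None
        if req.code_hash is None or not hmac.compare_digest(req.code_hash, _hash(code)):
            return None
        req.consumed = True                   # single use
        if req.kind == "access":
            # A real system would deliver the export through the verified channel too.
            return dict(self.store[req.subject])
        del self.store[req.subject]
        return {"deleted": req.subject}


def demo() -> dict:
    """Run the legitimate, attacker, expired and unknown-subject cases."""
    outbox: List[Tuple[str, str]] = []    # captured (address, code) deliveries
    now = [1_700_000_000.0]               # controllable clock for the example
    gate = RequestGate(dict(CUSTOMERS), lambda to, code: outbox.append((to, code)),
                       clock=lambda: now[0])
    rid = gate.submit("alice@example.com", "access")
    legit = gate.confirm(rid, outbox[-1][1])          # Alice reads her mailbox
    rid2 = gate.submit("bob@example.com", "delete")   # attacker knows Bob's address only
    guesses = [gate.confirm(rid2, f"guess-{i}") for i in range(MAX_ATTEMPTS + 1)]
    late = gate.confirm(rid2, outbox[-1][1])          # right code, but request already voided
    bob_after_attack = "bob@example.com" in gate.store
    rid3 = gate.submit("alice@example.com", "delete")
    now[0] += TOKEN_TTL_SECONDS + 1
    expired = gate.confirm(rid3, outbox[-1][1])
    rid4 = gate.submit("nobody@example.com", "access")
    unknown = gate.confirm(rid4, "anything")
    rid5 = gate.submit("bob@example.com", "delete")   # Bob himself, with the real code
    deleted = gate.confirm(rid5, outbox[-1][1])
    return {"legit": legit, "guesses": guesses, "late": late, "bob_after_attack": bob_after_attack,
            "expired": expired, "unknown": unknown, "deleted": deleted,
            "bob_after_delete": "bob@example.com" in gate.store}


if __name__ == "__main__":
    print(demo())
```

The design choice that matters most is that the requester supplies a claim, not a destination: data is only ever released to, or deleted on behalf of, whoever controls the channel already associated with the record. Everything else (hashed codes, expiry, attempt limits, uniform responses) limits what an automated submitter can learn or brute-force when a wave of requests arrives.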
Identity verification and compliance support processes will continue to require resources, both time and money. Those demands are likely to only increase as additional jurisdictions bring in data compliance regulations like the GDPR or the CCPA.
“While adapting to powerful regulations that require organizations to leverage stronger identity verification mechanisms that produce higher levels of assurance can be challenging,” Thomas said, “this will only become more necessary in a time where cybercriminals are becoming even savvier.”