2020’s Data Privacy Day is historic as it will be the first time that it is observed with the California Consumer Privacy Act (CCPA) in full effect. Complying with CCPA means that, at a minimum, organizations must be able to ensure a baseline level of visibility and control over sensitive data. However, companies should aim to do everything that they can in order to attain the maximum level of data security – particularly when dealing with the public cloud. More and more, consumers are discovering the information that is collected about them, how that data is used, and how daily breaches put their data at risk. Consequently, to remain compliant and maintain consumer trust, it is imperative that companies make security a priority.
The path to compliance requires change
Large enterprises tend to possess the fiscal, legal and technological resources necessary for adhering to regulations like CCPA, including Microsoft, which enforces CCPA protections across its entire U.S. presence and not just in California. However, this is not true for the majority of organizations, especially small- and medium-sized businesses (SMBs) that are more cautious in their investments. In fact, most businesses will need a significant redesign of their entire security program in order to be CCPA compliant. For example, some legacy, on-premises (on-prem) security vendors may not be able to equip their customers with proactive tools that can adapt to new regulations in today’s cloud-first, mobile world. As more companies continue to migrate to the cloud for enhanced flexibility and cost savings, they must make sure that they are doing so securely and that they are able to adapt to the constantly evolving enterprise cloud footprint.
Consequences of non-compliance
Fines for non-compliance can be catastrophic for many organizations. Since GDPR’s enactment in May 2018, there have been over $126 million in fines imposed for approximately 160,000 reported data breaches. The largest was a $57 million fine placed on Google for a lack of transparency. Unfortunately, barriers to maintaining cloud security still plague many businesses; for example, it can be quite difficult to justify additional security spending in light of large sunk costs associated with prior investments in on-prem security tools. However, the fact is that these legacy, on-prem tools do not translate well to data stored, shared, and accessed in the cloud.
In addition to fines, lawsuits, and other associated monetary costs, non-compliant companies will suffer severe damage to their brand reputation. A loss of consumer trust can be devastating in the long run, as potential and current customers begin to turn to competitors, decreasing the business’ market share.
Luckily for organizations that may not yet be compliant with CCPA, there is still an aura of ambiguity around the new legislation that has led to a slow start for enforcement. This particularly benefits SMBs, which lack the legal and fiscal resources of larger corporations and therefore find it much more challenging to ensure compliance while continuing business operations. However, once this initial lull period concludes, we should expect to see a plethora of fines and lawsuits dealt to companies that fail to adhere to CCPA.
What we can learn from one company’s failure to comply and secure data
In late 2018, it was reported that British Airways suffered a data breach that allowed cybercriminals to exfiltrate the names, home addresses, email addresses, and payment card details of 380,000 customers who booked flights between Aug. 21 and Sept. 5, 2018. The breach stemmed from hackers installing Magecart, a credit card skimming malware, on British Airways’ website. As a result, the company is facing up to $230 million in fines under GDPR (1.5% of its annual revenue). This does not include other expenses such as the $72.6 million in compensation charges that it must pay.
If other companies can learn anything from British Airways’ mishap, they should learn that security must be a priority (which will also help them comply with regulations like GDPR and CCPA). The incident also proves that even large companies fall victim to malware, and unless specific security measures are in place, malware can spread and compromise highly sensitive consumer information – like payment card data, in British Airways’ case.
All organizations, even those with limited IT resources, must take a proactive approach to security and turn to flexible, easily deployable, and cost-effective solutions that can prevent data leakage. For example, data loss prevention (DLP), user and entity behavior analytics (UEBA), and encrypting data at rest are all critical for companies that want to be certain that their data is truly secure. This will enable them to address evolving threats and use cases as well as scale with growing enterprise operations. In this way, organizations can ensure that their data is protected 24/7 and, consequently, that they are compliant.
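To make concrete what a data loss prevention (DLP) control actually does with the kind of data exposed in the British Airways incident, here is an added example written for this page; it is not code from the original post or from any vendor's product. It assumes outbound content (a log line, an e-mail body, a support ticket) is available as plain text, and treats any 13- to 19-digit sequence that passes the Luhn checksum as a probable payment card number (PAN), which it reports and masks down to the last four digits. The sample records are constructed for the example and use well-known industry test card numbers.

```python
"""Minimal DLP-style scanner for payment card numbers.

Added illustration (hypothetical, not the original post's code). Assumptions:
- input is plain text;
- a 13-19 digit run (spaces or dashes allowed between digits) that passes the
  Luhn checksum is treated as a probable primary account number (PAN).
"""
import re
from typing import List, Tuple

# Digit run of 13-19 digits with optional single space/dash separators between
# digits; lookarounds stop it from starting or ending inside a longer number.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    """Strip separators so '4111 1111 ...' and '4111-1111-...' compare equal."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return the normalised PAN-like values found in text (Luhn-valid only)."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pans(text: str) -> str:
    """Replace each detected PAN with asterisks, keeping only the last four digits."""
    def _mask(m: "re.Match[str]") -> str:
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)       # not a card number: leave untouched
    return CANDIDATE.sub(_mask, text)


# Constructed sample records; card values are public test numbers, not real accounts.
SAMPLE_RECORDS = [
    "2020-01-28 10:01 booking ref ABC123 card 4111 1111 1111 1111 charged",
    "2020-01-28 10:02 order 1234567890123456 shipped to customer",
    "2020-01-28 10:03 support note: customer read out 3782-822463-10005 by phone",
]


def scan_records(records: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (record index, PANs found) for every record that leaks a card number."""
    hits = []
    for i, rec in enumerate(records):
        pans = find_pans(rec)
        if pans:
            hits.append((i, pans))
    return hits


if __name__ == "__main__":
    for idx, pans in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: {len(pans)} PAN(s) -> {mask_pans(SAMPLE_RECORDS[idx])}")
```

The Luhn check is what keeps the false-positive rate tolerable: the 16-digit order number in the second record is the right length but fails the checksum, so it is neither flagged nor masked. A production DLP product layers issuer prefix ranges, context keywords and file-type parsing on top of this, but the core decision of "does this digit run look like a card number, and if so, block or redact it" is the one shown here.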