With the looming compliance date of January 1, 2020, there is still confusion about what CCPA compliance means. The bill meant to enhance privacy rights and consumer protection for residents of California, U.S. Given the size and importance of the state, the bill is of significance to the U.S. as a whole and to most of the world.
To explore the impact on businesses, Anne Kimbol, Chief Privacy Officer for HITRUST (a data protection standards development and certification organization) looks at how firms can identify and mitigate gaps and risks in their existing programs in order to comply with CCPA.
DJ: What are the key points from the CCPA?
Anne Kimbol: The CCPA focuses on the sale of personal information by for profit companies that meet certain revenue or records thresholds. The definition of sale is fairly broad, although there are still questions about its exact applicability. The philosophy behind the law is that individuals should have control over how their data is used when companies are using or sharing it for commercial reasons. Before the Cambridge Analytica and related scandals, most people thought their data was used by companies to provide the particular service they sought and were unaware of the amount or value of disclosures of their personal information. Whether the law works as intended, only time will tell.
DJ: Why is HITRUST providing a strong basis for a CCPA assessment to its new release of its information risk and compliance framework?
Kimbol: There are two reasons. The first is that almost every for profit business in the United States will have to comply with the CCPA given the number of consumers and size of the economy of California. HITRUST® recognizes that in order to assess their compliance, these companies need a comprehensive information risk management framework through which to perform a risk-based analysis of their current privacy and security programs.
Additionally, while the CCPA’s focus on for profit businesses limits its applicability somewhat, the law is serving as a model for bills filed in other state legislatures and has created an expectation among individuals that they can have access to their data, ask for it to be deleted or corrected, and limit its uses. As is evident in the controls included in the HITRUST CSF®, HITRUST believes compliance with laws should be a baseline not the goal of any information risk management program. Even if the CCPA does not apply to a particular business or use of data, that does not mean its requirements should be ignored. Consumer expectations around information risk management are increasing, and businesses must be prepared to answer questions about what measures they are taking to protect the data they hold.
DJ: How is HITRUST is helping organizations quickly identify and mitigate gaps and risks in their existing programs?
Kimbol: By performing a HITRUST CSF assessment, organizations can identify, using a risk-based approach, the strengths and weaknesses in their information risk management program. This not only identifies for them potential corrective action plans but allows them to prioritize resources to address the most crucial gaps first. While no system is unbreachable, by knowing and addressing its weaknesses, an organization can reduce the risk to its systems and data.
DJ: How different is the CCPA – from the EU’s GDPR?
Kimbol: The CCPA is just different enough from the GDPR to create confusion in terms of compliance. California has a narrower definition of companies to which it applies and has a larger focus on revenue received from the sharing of data than GDPR. California also protects information that is identifiable to a household or device, which is unique and raises complex questions when it comes to the exercise of data subject rights. The exact rights a data subject has under the two fit the same basic description – notice, consent, access, portability, etc. – but the details of the rights themselves and how to exercise them vary substantially.
DJ: What work has HITRUST with the EU GDPR?
Kimbol: HITRUST began including the GDPR in version 9.1 of the HITRUST CSF. Given its broad application, a substantial number of companies have had to look at complying with EU data protection law for the first time under GDPR. Ensuring that the HITRUST CSF contains GDPR information and helps companies comply with the regulation is key to the HITRUST Approach of Assess Once, Report Many. We are also following the GDPR certification process authorized under the regulation. We have taken part in open comment periods, drafted an application to become an accredited certification body, and submitted an application for the HITRUST CSF to be recognized as proper certification standards for the European Data Protection Seal, a designation made by the European Data Protection Board. While the details of the certification process have not been finalized in the EU, HITRUST is following it closely and is ready to respond when the time is right.
DJ: How is HITRUST supporting the development and implementation of the NIST Cybersecurity Framework?
Kimbol: HITRUST is a strong supporter of NIST and the work they do to help enhance information protection in the United States and worldwide. The NIST Cybersecurity Framework provides a mechanism for assessing and maturing a cybersecurity program. The HITRUST CSF provides the details needed to implement those objectives and an assurance program to provide a means of objectively demonstrating the implementation of the NIST Cybersecurity Framework. With a HITRUST CSF Validated Assessment Report, clients receive a scorecard comparing their programs with the NIST cybersecurity objectives. If the program is of a certain standard, a HITRUST NIST Cybersecurity Framework certification will be provided. By including the NIST Cybersecurity Framework in the HITRUST CSF, HITRUST acknowledges its importance and value in the field while translating its requirements into implementable and assessable controls.
DJ: Where do you see the future of privacy regulations heading?
Kimbol: I think we will continue to see individual states in the US and individual countries worldwide developing their own privacy laws, each of which is likely to be just different enough to cause compliance and translation difficulties. Ideally, there would be a strong and enforceable international framework on privacy rights. Each country or division thereof would certainly have its own specific details, based on its own culture and norms, and no country would want to give up its sovereignty on such a key issue.
That said, a patchwork of laws does a disservice to individuals and society. Data has immense promise in helping solve some of our greatest problems, including public health issues, which can only be met if individuals feel comfortable sharing their data with entities who know how they can or cannot use it. We have bases for such a framework through the Organization for Economic Cooperation and Development (OECD) Privacy Principles, Asia-Pacific Economic Cooperation (APEC) Privacy Framework, and the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108).
While Convention 108 was recently updated, we need to ensure that any such framework recognizes the weaknesses in the current notice and consent model, which is technically followed by big tech today. While it will never be a simple issue, we can protect people’s privacy and use data for good; we just need to work together to make it happen.
