CCPA: What You Need to Know for Public Cloud

We live in a data-driven world. From the information we collect to authenticate consumers to the data we use to target advertisements, organizations store personal information to make important business decisions, gauge appropriate pricing, and improve customer experience. But many companies also sell this data without consumer knowledge or consent.

The California Consumer Privacy Act (CCPA) aims to address this issue. According to the website of Californians for Consumer Privacy, an organization that advocated for the legislation, the act is meant to accomplish three major goals:

  1. Give consumers ownership of data collection: Consumers have the right to know what information companies are collecting and why they are collecting it.
  2. Give consumers control of data retrieval and deletion: Consumers have the right to say “no” to a business sharing or selling their personal information as well as the right to request a deletion.
  3. Give consumers data security: Consumers have the right to protection from businesses that do not uphold the value of privacy.

If your organization meets any of the following criteria, you will be expected to comply with CCPA come January 2020:

  • Company obtains personal information of 50,000 or more California residents annually.
  • Company obtains 50% or more of their annual revenue from selling California residents’ personal information.
  • Company exceeds an annual gross revenue of $25 million.

When it comes to the impact of CCPA on your cloud business, two key questions need to be evaluated: 

  1. How will this impact your public cloud security and compliance program? 
  2. What does this mean for that mile-deep pile of customer data you currently store in Amazon Simple Storage Service (S3)? 

A few key insights and recommendations can help you prepare to address these questions.


Data Collection Ownership

The CCPA requires that businesses inform consumers as to the categories of personal information they are collecting and the business purposes for which they will be used. The legislation also requires that, once a year, businesses must inform consumers which categories of information they currently have stored. If they sell consumer information, they must disclose what information they have sold and to whom.

You can leverage cloud provider services and tools, such as S3 object metadata, to help you categorize, sort, and track consumer data that is relevant to CCPA as it enters the public cloud. You can also create policies using services like AWS Config and Azure Policy that enforce tagging rules and conventions. For data you already have stored, it is recommended that you use data loss prevention (DLP) products to scan public cloud storage. 

Once your tagging strategy is configured to identify data categories bound by CCPA, you need to establish methods of informing your consumers of these data collection categories. One approach would be to leverage serverless functions, such as AWS Lambda, to enable automatic email notifications to customers on a yearly basis that inform them of the info you are currently storing, the purpose for storing it, and so on.

You can also use Amazon QuickSight or Azure Power BI to sort and filter data by category and then inform customers which types of information you have. 

Stepping back from the technologies for a moment, the strategy that needs to be implemented is one that ties the specific discovery and tagging of consumer data to individual consumer identities for the purpose of annual notification.


Data Retrieval and Deletion

The CCPA also grants consumers the right to request deletion of personal information at any time and requires companies to provide a “do not sell my data” button at the bottom of any page where they collect information that is bound by CCPA.

There are many cloud services available that can help you comply with this requirement by assisting in the retrieval and deletion of specific data. You can use AWS Glue or Azure Data Factory, serverless functions that can automatically crawl and retrieve data for a specific consumer, and prepare that data for deletion when requested. 

Another approach is using AWS CloudWatchEvent to run an AWS Lambda function containing code to gather and delete all metadata associated with a given identifier that is, in turn, associated with a consumer. You can also create a verification process to confirm that the requested data was successfully deleted, and the request recorded. For example, suppose you want to delete all the data for a specified user; your Lambda function can identify the associated metadata for the specific user ID within an Amazon Relational Database Service (RDS) table, delete the data, and record the successful deletion in a DynamoDB table.

The key theme here is that you don’t necessarily have to build complicated application flows into your existing user interfaces. Simple check boxes in your applications can trigger cloud applications to support the requirements within CCPA. 


Data Security

Under the CCPA, businesses are required to implement “reasonable security measures” to safeguard personal information. In the event of a data breach involving consumer information, businesses found to be in violation of this act may be held liable for such violations by penalty and fees (under sections 1798.108, 1798.109, and 1798.111).

Like many compliance regulations, there are gray areas, and ultimately it is up to each organization to decide what the best security measures are based on their unique business, data, and risks. When it comes to “reasonable security measures” in public cloud, it is always a good idea to start with the CIS Foundations Benchmark for AWS, Azure, and GCP, and then comply with relevant information compliance regulations, such as PCI-DSS for companies storing credit card data or HIPAA for healthcare companies.

Also, it’s absolutely critical that you understand the shared security responsibility matrices that public cloud providers publish. Ultimately, the data inside these clouds are your responsibility, so measures to protect this data should be taken within your organization.

Because cloud environments are constantly changing, it can be tricky to stay continuously aligned with security and compliance policies. For AWS environments, there is a comprehensive white paper from AWS on CCPA. For more complex, multi-cloud environments, third-party tools such as Prisma Cloud can help you automate your cloud compliance workflow and streamline policy enforcement across different clouds. 

If you are interested to know your specific level of compliance risk, try our free, two-minute compliance risk assessment.

The post CCPA: What You Need to Know for Public Cloud appeared first on Palo Alto Networks Blog.

Article Link: