Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
- 1. Complying with the California Consumer Privacy Act (CCPA)
Ken Durbin, CISSP, Sr. Strategist, Global Government Affairs and Cyber Security, Symantec
Kim Allman, Director, Government Affairs - Consumer
- 2. Legal Disclaimer
The materials contained in this presentation are not intended to provide, and
do not constitute or comprise, legal advice on any particular matter and are
provided for general information purposes only.
You should not act or refrain from acting on the basis of any material
contained in this presentation, without seeking appropriate legal or other
professional advice.
- 4. Copyright © 2019 Symantec Corporation SYMANTEC CONFIDENTIAL – INTERNAL USE ONLY
No One is Immune
2019 – Busy Year for Breaches
• Financial Services – 885,000,000 Records
• Large Financial – 106,000,000 Records
• Social Media Site – 540,000,000 Records
• Academic Institution – 19 Years of data
- 5. Privacy & Security
Security is the “How” of personal data protection: tactics.
Privacy is the “What” of personal data protection: strategy.
“You can have security without privacy, but you can’t have privacy without security.”
- 7. Who’s Who in the Protection of Personal Data
• Data Subject: the identified or identifiable natural person the personal data relates to
• Data Controller: the organization that determines the purposes and means of the processing
• Data Processor: a party that processes personal data on behalf of the controller
• Data Protection Officer: a designated person responsible for making sure the organization follows the new regulations
• Data Protection Authority: the national supervisory authority that enforces the regulation
- 8. Rights of the Data Subject
Are you prepared for them?
• Consent must be obtained in clear, understandable language
• Right to access their personal data, learn the purpose of the processing, and know who has it
• Right to have inaccurate personal data corrected
• Right to be forgotten: the data subject can require the controller to erase personal data in certain circumstances
• Right to data portability: receive their personal data in a commonly used, machine-readable format that is easily transferable
• Right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning the data subject or similarly significantly affects them
- 9. What is Personal Data Under the GDPR?
It’s all about Personal Data
Under the GDPR, rights over an EU user’s data stay with the user, not with the party that collected it.
You MUST think beyond the US definition of PII.
Personal data = “any information relating to an identified or identifiable natural person (‘data subject’).”
GDPR examples:
• Every manner of HR data and consumer data
• Business contact information (including email addresses)
• Behavioral information, including website visitors’ data (logged in house or stored remotely, e.g. cookies)
• IT network traffic and communication logs
• Any potentially identifiable information, even when collected from publicly available sources, IS personal data
- 10. GDPR Special Category Data
It’s all about Personal Data
The following data elements are particularly sensitive. Processing them is prohibited unless one of the specific conditions in GDPR Article 9 applies (for example, the data subject’s explicit consent), so there must be a documented, lawful reason for collecting, storing, transmitting or processing this data.
• Race and ethnic origin
• Religious or philosophical beliefs
• Political opinions
• Trade union memberships
• Biometric data used to identify an individual
• Genetic data
• Health data
• Data related to sexual preferences, sex life and/or sexual orientation
- 11. GDPR Risks to US Companies
Risk surface:
• Enforcement by national Data Protection Authorities
• 72 hours to notify the supervisory authority of a breach once aware of it
• Fines of up to 2% of worldwide annual turnover or €10 million (whichever is higher) for lower-tier violations, and up to 4% or €20 million for upper-tier violations
What triggers an investigation?
• A complaint by a consumer, employee or competitor
• The authority’s own initiative
• A security incident
- 12. Is GDPR Being Enforced?
Since May 25th, 2018 (the date GDPR became enforceable):
• United Kingdom: 1,106 data protection complaints in the first three weeks; breach notifications also up
• Ireland: 386 data protection complaints and 547 breach notifications in the first month
• Czech Republic and France: over 400 complaints each
• Austria: the number of complaints in the first month equaled the total of the previous 8 months
- 13. GDPR Showing Its Teeth
• Facebook dodged the GDPR bullet: fined $645k (£500,000, the maximum under the UK’s pre-GDPR Data Protection Act 1998) over Cambridge Analytica. Under GDPR it could have been $1 billion.
• Google fined $57 million (€50 million) by France’s CNIL for insufficient transparency and vague consent agreements
• An unnamed German social media company was breached and fined only $22k because of its proactive response
• Data Protection Authorities are taking GDPR seriously. Violations of note:
• An Austrian entrepreneur was fined for placing a CCTV camera outside his establishment because it was not sufficiently marked and recorded a substantial portion of the sidewalk, a “public space.”
• A Portuguese hospital was fined for inadequate account management practices, such as having five times the number of active accounts it required and giving doctors blanket access to all patient files, irrespective of the doctor’s specialty.
- 15. California Consumer Privacy Act (CCPA)
• Started as a measure on the November 2018 ballot
• Withdrawn after a last-minute deal that produced Assembly Bill 375, the CCPA, in June 2018
• Effective January 1, 2020
• More than 55 bills introduced to amend the CCPA
• Privacy provisions enforceable by the Attorney General from July 1, 2020
• AG undergoing an extensive and difficult rulemaking process
• Based on GDPR, but much broader
• Applies to businesses that collect personal information of California residents
• Brand-wide compliance
• For-profit entities that meet any of the following:
• Gross revenue greater than $25 million
• Buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices annually
• 50% or more of annual revenue from selling consumers’ personal information
- 16. Key Consumer Rights in CCPA
▪ Transparency
▪ Right to know about disclosures and sales of PI
▪ Right to opt out of the “sale” of PI
▪ Right to delete personal information
▪ Right to access personal information
▪ Right to portability of personal information, if held in electronic form
▪ Right against “discrimination” for exercising these rights
▪ Right to sue for statutory damages after many data breaches
▪ Personal information of minors under 16 may be “sold” only on an opt-in basis
- 17. CCPA – Broad Definition of Consumer Personal Information
Personal Information: “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
- 18. What Happens if You Violate CCPA?
• Private right of action for statutory damages
• $100-$750 per consumer, per incident (or actual damages, whichever is greater) for a breach caused by failure to implement and maintain “reasonable” security procedures
• “Reasonable” is not defined
• Enforceable by the state Attorney General
• $2,500 for each violation or $7,500 for each intentional violation
• AG rules will have to determine whether a “violation” is counted per consumer, per day or something else
- 19. California Kicked Off a National Privacy Debate
• Massive effort to amend the CCPA
• California Chamber of Commerce leading a multi-industry effort
• More than 55 separate bills competing for attention
• Unfavorable political climate for changes
• Amendments being debated relate to the definition of consumer, personal information, fraud detection, data brokers and on…
• Conflicts with the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLBA)
• No federal action in sight
• A whole bunch of copycats across the country
- 20. In Other States…
• 14 states introduced CCPA copycat or similar bills, all of which failed
• Nevada passed a similar but narrower bill (SB 220) allowing consumers to opt out of the sale of PI, with no private right of action
• Washington: a bill more like GDPR, but it failed in the end; proponents are using a model bill for possible passage in 2020
• Expect 2020 to be a huge year for privacy bills in the states
• Until Congress acts, we have a patchwork quilt of state privacy laws
- 21. Federal Action on Privacy?
• General agreement that there needs to be a federal law. The agreement ends there.
• Private right of action and state preemption are the major issues
• Senate working group fell apart
• House bills are circulating, and not from the committees with jurisdiction over the issue
• Trade groups, associations and a whole host of other interested parties are writing their own privacy proposals
• Watch 2020
- 22. CCPA vs GDPR
• Compliance with GDPR is not enough
• CCPA:
• Broader definitions
• Less detailed notices
• Right to opt out of sale, with few exceptions
• Right against discrimination for exercising rights
• AG enforcement: $7,500 per violation for intentional violations
• Data breach class actions for statutory damages
• CCPA is a mess, but protecting data and consumers is key for both
- 24. Mitigating the “Impact” of a Breach
What we can learn from GDPR
Article 4, paragraph 12 – THE BREACH (what can happen to data?): “… a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”
Recital 75 – THE IMPACT (what can happen to the data subject?): “The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage”
GDPR / DPA REQUIREMENT: Prevent, Detect, Log, Report, Remedy
GDPR / DPA EXPECTATION: Anticipate, Avoid, Mitigate, Compensate
- 25. What is the Difference Between On-premise & Cloud?
None in terms of privacy and security obligations.
So… do you have the same visibility and control over data in the cloud?
- 26. Information Centric Security
• See data wherever it lives
• Protect data from being leaked
• Control user access
- 27. The Symantec Data Loss Prevention Platform Architecture
(architecture diagram)
- 28. Visibility, Protection, & Control in Cloud Apps
(diagram: on-premises DLP Detection and DLP Enforce Management Server)
The Challenges
• 26% of cloud docs are broadly shared
• Proliferation of cloud apps
• Shadow data problem
• Compromised accounts
- 29. Visibility, Protection, & Control in Cloud Apps – Extending DLP into Cloud Applications
(diagram: on-premises DLP Detection and DLP Enforce Management Server extended to cloud apps)
• Apply existing DLP policies to cloud
• Leverage existing DLP workflow
• Gain full CASB functionality: inline blocking and offline remediation, Shadow IT analysis, entity behavior analytics
- 30. Symantec Information Centric Security – Summary
• Data Loss Prevention (DLP): discovers sensitive data across all channels with central policy controls
• CloudSOC (CASB): extends existing DLP policies, workflows and detection to cloud apps
• Information Centric Encryption (ICE): integrated policy-driven encryption and identity-based access
• Information Centric Tagging (ICT): increases DLP efficiency by having users drive DLP data classification
• Information Centric Analytics (ICA): entity behavior analytics to find the most risky or malicious users
• Validation and ID Protection Service (VIP): secures access to critical data with multi-factor authentication
- 32. NIST Privacy Framework
- 34. Additional Resources
• Symantec Data Privacy
• California Consumer Privacy Act (CCPA)
• NIST Privacy Framework
- 35. Questions?
Ken Durbin, CISSP, Sr. Strategist, Global Government Affairs and Cyber Security, Symantec
Kim Allman, Director, Government Affairs - Consumer