Complying with the California
Consumer Privacy Act (CCPA)
Sr. Strategist, Global Government Affairs
and Cyber Security, Symantec
Ken Durbin, CISSP
Kim Allman
Director, Government
Affairs - Consumer
Legal Disclaimer
The materials contained in this presentation are not intended to provide, and
do not constitute or comprise, legal advice on any particular matter and are
provided for general information purposes only.
You should not act or refrain from acting on the basis of any material
contained in this presentation, without seeking appropriate legal or other
professional advice.
Agenda
Introduction
GDPR: The First Domino
CCPA Review
Privacy: Technology Considerations
NIST Privacy Framework
Additional Resources
Copyright © 2019 Symantec Corporation SYMANTEC CONFIDENTIAL – INTERNAL USE ONLY
No One is Immune
2019 – Busy Year for Breaches
• Financial Services – 885,000,000 Records
• Large Financial – 106,000,000 Records
• Social Media Site – 540,000,000 Records
• Academic Institution – 19 Years of data
Privacy & Security
Security
The “How” of personal
data protection
Tactics
Privacy
The “What” of personal
data protection
Strategy
“You can have security without privacy but you can’t have
privacy without security”
GDPR: The First Domino
Who’s Who in the Protection of Personal Data
DATA CONTROLLER
DATA SUBJECT
DATA PROCESSOR
DATA PROTECTION OFFICER
Data Protection Officers are designated persons responsible for making sure the
organization follows the new regulations.
DATA PROTECTION AUTHORITY
Are you prepared for them?
Rights of the Data Subject
• Must gain Consent, in clear understandable language
• Right to access their personal data, purpose of the processing, who has it?
• Right to have inaccurate personal data corrected
• Right to be forgotten. Force the controller to erase personal data in certain
circumstances
• Right to data portability. Receive their personal data, easily transferable, machine-
readable format
• A right ‘not to be subject to’ a decision based solely on automated processing, including
profiling, which produces legal effects concerning him or her or similarly significantly
affects the data subjects
What is Personal Data Under the GDPR?
It’s all about Personal Data
EU User data belongs to the EU User, not the person who collected it.
You MUST think beyond the US definition of PII
Personal data = “any information relating to an identified or identifiable natural person (‘data subject’).”
GDPR Examples:
• Every manner of HR data / consumer data
• Business contact information (including email addresses)
• Behavioral information including website visitors’ data (logged in house or stored remotely, e.g. cookies)
• IT network traffic and communication logs
• Any potentially identifiable information even collected from publicly available sources IS personal data.
GDPR Special Category Data
It’s all about Personal Data
The following data elements are particularly sensitive. There should be a legitimate
and lawful reason for collecting, storing, transmitting, or processing this data.
• Race and ethnic origin
• Religious or philosophical beliefs
• Political opinions
• Trade union memberships
• Biometric data used to identify an individual
• Genetic data
• Health data
• Data related to sexual preferences, sex life, and/or sexual orientation
RISK SURFACE
Enforcement by national
Data Protection Authorities
72 hours to notify of a breach once aware
2% or
$10mil
4% or
$20mil
GDPR Risks to US Companies
What triggers
investigation?
• Complaint by consumer, employee, competitor
• Own initiative
• Security incident
IS GDPR BEING ENFORCED?
• Since May 25th:
• United Kingdom:
• 1,106 Data Protection Complaints in 1st Three Weeks
• Breach Notifications also up
• Ireland:
• 386 Data Protection Complaints, and..
• 547 Breach Notifications in the 1st Month
• Czech Republic & France:
• Over 400 Complaints, each
• Austria:
• Number of Complaints in 1st Month equal to total of previous 8 Months
GDPR showing its teeth
• Facebook dodged the GDPR Bullet
• Fined $645k for Cambridge Analytica. Could’ve been $1 billion under GDPR
• Google Fined $57 million by France:
• Insufficient Transparency
• Vague Consent Agreements
• Unnamed German Social Media was breached. Only fined $22k due to proactive
response on their part
• Data Authorities are taking GDPR Seriously. Violations of note:
• An Austrian entrepreneur was fined for placing a CCTV outside his establishment as it was not
sufficiently marked. The camera recorded a substantial portion of the sidewalk, a “public space.”
• A Portuguese hospital was fined because of inadequate account management practices, such as
having five times the number of active accounts than required and giving doctors blanket access to
all patient files, irrespective of the doctor's specialty.
California Consumer
Privacy Act - CCPA
California Consumer Privacy Act - CCPA
• Started as measure on the November, 2018 Ballot
• Midnight agreement for Assembly Bill 375/CCPA
• Effective January 1, 2020
• More than 55 bills to amend CCPA
• Privacy provisions enforceable by July 1, 2020
• AG undergoing extensive and difficult rulemaking process
• Based on GDPR, but much broader
• Applies to California Residents and Businesses
• Brand wide compliance
• For profit entities that meet any of the following:
• Gross revenue greater than $25 million
• Collects info from more than 50k consumers, households OR devices
• 50% annual revenue from consumer data sales
Key Consumer Rights in CCPA
▪ Transparency
▪ Right to know disclosures and sales of PI
▪ Opt-out of “sale” of PI
▪ Right to delete personal information
▪ Right to access personal information
▪ Right to portability of personal information, if in electronic form
▪ Right against “discrimination” for exercising rights
▪ Right to sue for statutory damages for many data breaches
▪ Minors under 16 have a right to opt-in to “sale” of personal information
CCPA – Broad Definition of Consumer
Personal Information: “information that identifies, relates to, describes, is capable of
being associated with, or could reasonably be linked, directly or indirectly with a
particular consumer or household.”
What happens if you violate CCPA?
• Private Right of Action for statutory damages
• $100-$750 per consumer, per incident for failure to implement and maintain “reasonable” security
procedures.
• “Reasonable” is not defined
• Enforceable by the state Attorney General
• $2500 each violation or $7500 for each intentional violation
• AG rules will have to determine if “violation” is applied to consumer, per day or something else.
California kicked off a National Privacy Debate
• Massive effort to amend the CCPA
• California Chamber of Commerce leading a multi-industry effort
• More than 55 separate bills competing for attention
• Unfavorable political climate for changes
• Amendments being debated related to the definition of consumer, personal
information, fraud detection, data brokers and on….
• Conflicts with the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act
(GLBA)
• No federal action in sight
• A whole bunch of copycats across the country
In other states….
• 14 states introduced CCPA copycat bills or similar which failed
• NV passed similar, but less extreme bill allowing for opt-out of PI
• No private right of action
• Washington
• More like GDPR, but failed in the end
• Proponents are using a model bill for possible passage in 2020
• Expect 2020 to be huge year for privacy bills in the states
• Until the Congress acts, we have a patchwork quilt of privacy laws in the states
Federal Action on Privacy?
• General agreement that there needs to be a federal law. It ends there.
• Private Right of Action, state preemption major issues
• Senate working group fell apart
• House bills are circulating and not from committees with jurisdiction over the issue
• Trade groups, associations and a whole host of other interested parties are writing their
own privacy proposals
• 2020
CCPA vs GDPR
• Compliance with GDPR is not enough
• CCPA
• Broader definitions
• Less detailed notices
• Right to opt-out of sale with few exceptions
• Right against discrimination for exercising rights
• AG enforcement $7500 per violation for intentional violations
• Data breach class action for statutory damages
• CCPA is a mess, but protecting data and consumers is key for both
Technology Considerations
for Addressing Privacy
Mitigating the “Impact” of a Breach
What we can learn from GDPR
Article 4 paragraph 12: THE BREACH
What can happen to data?
“… a breach of security leading to the
accidental or unlawful destruction,
loss, alteration, unauthorized
disclosure of, or access to, personal
data transmitted, stored or otherwise
processed”
Recital 75: THE IMPACT
What can happen to the data subject?
“The risk to the rights and freedoms of
natural persons, of varying likelihood
and severity, may result from personal
data processing which could lead to
physical, material or non-material
damage”
GDPR / DPA REQUIREMENT:
Prevent, Detect, Log, Report, Remedy
GDPR / DPA EXPECTATION:
Anticipate, Avoid, Mitigate, Compensate
What is the Difference Between On-premise & Cloud?
None in terms of Privacy and Security
So… do you have the same visibility and control
over data in the cloud?
See Data
Wherever It Lives
Protect Data
from Being Leaked
Control
User Access
Information Centric Security
The Symantec Data Loss Prevention Platform
Architecture
On-premises
DLP Detection
DLP Enforce
Management Server
The Challenges
26% of Cloud Docs
are Broadly Shared
• Proliferation of Cloud Apps
• Shadow Data Problem
• Compromised Accounts
Visibility, Protection, & Control in Cloud Apps
Extending DLP into cloud
applications
Apply Existing DLP Policies to Cloud
Leverage existing DLP Workflow
Gain Full CASB Functionality
• Inline Blocking and Offline Remediation
• Shadow IT Analysis
• Entity Behavior Analytics
Extend DLP to Cloud Apps
On-premises
DLP Detection
DLP Enforce
Management Server
Visibility, Protection, & Control in Cloud Apps
Data Loss Prevention (DLP)
Discovers sensitive data across all channels with central policy controls
Symantec Information Centric Security
Information Centric Encryption (ICE)
Integrated policy driven encryption and identity access
Information Centric Tagging (ICT)
Increases DLP efficiency with Users driving DLP data classification
Information Centric Analytics (ICA)
Entity Behavior Analytics to find most risky or malicious users
DLP
VIP
ICA
ICT
CloudSOC (CASB)
Extends existing DLP policies, workflows and detection to Cloud Apps
Validation and ID Protection Service (VIP)
Secures access to critical data with Multi-Factor Authentication
CloudSOC
ICE
Summary
NIST Privacy Framework
NIST Privacy Framework
Additional Resources
Additional Resources
• Symantec Data Privacy
• California Consumer Privacy Act (CCPA)
• NIST Privacy Framework
Questions ?
Sr. Strategist, Global Government Affairs
and Cyber Security, Symantec
Ken Durbin, CISSP
Kim Allman
Director, Government
Affairs - Consumer
Thank you

Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
