Blue Hexagon Blog

Privacy, Security, and the Implications of the California Consumer Privacy Act

Just in time for National Cybersecurity Awareness Month, California has issued final draft regulations dictating how its new privacy law, the California Consumer Privacy Act (CCPA), is to be implemented and enforced. CCPA, which was signed into law in 2018 and goes into effect on January 1, 2020, follows the global trend of establishing strict rules requiring that companies make the protection of consumer data a priority. 

The Golden State has been a U.S. privacy leader on this front. California’s landmark data breach notification law, SB 1386, brought consumer privacy to the fore following a breach by data broker ChoicePoint in 2004. The legal battle that ensued affirmed one state’s right to enforce its consumer protection laws against companies in other states if their residents were among those affected by the actions of that company. 

The personally identifiable information (PII) of fewer than 200,000 people was exposed by the ChoicePoint breach (which seems quaint by today’s standards, where compromised customer files are often measured in the hundreds of millions), but ChoicePoint is considered a watershed moment in privacy and data protection. Today, because of that event, every organization that collects and holds PII must consider cybersecurity a business imperative. 

Now, instead of merely requiring that companies notify people affected by the so-called inevitable—the “assume breach” posture has persisted for too long—organizations are expected to adopt “state of the art security” (in the case of GDPR), or “reasonable security” (in the case of CCPA) to minimize the risk of an unauthorized disclosure, whether the result of an accident or the work of a hacker. If they don’t and a breach happens, regulators will come calling and fines will be assessed. Recent penalties in the U.S. and Europe, where the General Data Protection Regulation (GDPR) is in effect, have been in the hundreds of millions of dollars, including $650 million against credit agency Equifax and $230 million against British Airways

The CCPA is the first privacy act in the U.S., and will likely be what other states look to as a model for their equivalent privacy regulations. When CCPA takes effect next year, all-for-profit businesses that fit the following criteria will have to comply:

  • Have over $25 million in annual revenue, or;
  • Purchase, sell, or share over 50,000 records as part of their business (defined as information linked to “consumers, households, or devices”),  or;
  • Have as their primary business the sale of PII; and,
  • Do business in California, even if they are not based in California and have no physical presence there.

As you can see, this impacts any organization that does business in California even if they are not based in California. 

In its current form, CCPA does not tell us what level of data security is required. However, the California attorney general’s office released a report in 2016 entitled California Data Breach Report and recommended that organizations consider NIST (800-53 or CSF) or ISO 27001 standards, and use CIS Controls for  guidance. 

CIS Controls include the following: 

  1. Inventory of authorized and unauthorized devices
  2. Inventory of authorized and unauthorized software
  3. Security configurations for hardware and software on mobile devices, laptops, workstations, and servers
  4. Continuous vulnerability assessment and remediation
  5. Controlled use of administrative privileges
  6. Maintenance, monitoring, and analysis of audit logs
  7. Email and web browsing protection
  8. Malware defenses
  9. Limitation and control of network ports, protocols, and services
  10. Data recovery capability
  11. Secure configurations for network devices such as firewalls, routers, and switches
  12. Boundary defense
  13. Data protection
  14. Controlled access based on the need to know
  15. Wireless access control
  16. Account monitoring and control
  17. Security skills assessment and appropriate training to fill gaps
  18. Application software security
  19. Incident response and management
  20. Penetration tests and red team exercises

Note that CIS Control #8 is implementing malware defenses. A major problem for companies working diligently to prevent data breaches has been the lack of speed and accuracy available for identifying and stopping malware from getting inside their networks. Traditionally, malware detection has been like playing Whack-a-Mole on the carnival midway. Malware samples show up, you address the known threats with an IDS signature and  send the unknowns to a sandbox for analysis. Then more malware is unleashed the next day. 

Now, with the speed and volume of malware variants being created — at a rate of 300,000 per day— your IDS signatures don’t work, and your sandbox malware analysis either takes too long or is ineffective. 

Reasonable security for malware defense means addressing these three key considerations in to identify and stop malware and its manifestations in the network:

  • Speed: Attacks come at you quickly. It is estimated that, globally, there are four new attacks unleashed every second, and that the best hackers can get inside a network, steal the data they are targeting, and get out–all in under twenty minutes. Those are worst-case scenarios, but they are the benchmarks against which malware detection must now be measured.
  • Efficacy: Malware come in a wide variety of flavors, including ransomware, cryptominers, trojans, botnets, and more. And each category has many variations. The ability to accurately recognize the full spectrum of threats is vital to protecting data.
  • False Positives: A big challenge for security teams today is recognizing benign events from malicious ones. Chasing “false positive” threats wastes time and degrades an organization’s security posture.

As we celebrate National Cybersecurity Awareness Month and prepare for privacy acts like CCPA, we need to set higher standards for ourselves both personally and as an industry. We believe artificial intelligence holds the key to achieving the speed and accuracy needed to combat today’s threat landscape. Blue Hexagon is here to help with a new platform that uses the most advanced type of machine learning—deep learning—to take a quantum leap forward in the detection of malware and its manifestations.