Page 135 - Cyber Defense eMagazine January 2023
What does CCPA mean for the wider nation?
After various delays, on January 1st, 2023, the California Consumer Privacy Act (CCPA) will come into effect, and some common questions I’ve been hearing are:
▪ What does this mean for various organizations across the country?
▪ What impact will it have?
▪ How should organizations prepare for the rollout?
In today’s interconnected world, most organizations and states deal with California in some capacity, so my advice is to look at CCPA as a precursor to what is going to happen at a national level in the very near term. If you take a step back and compare January’s rollout with what is being rolled out nationally, you’ll notice they are very similar. Organizations and business leaders across the country should assume they must comply with and follow all of the regulations regardless of their state. Further, whether you deal with Europe or not, you should be GDPR compliant, as GDPR will be similar if not identical to what is being proposed at the state and national level in the US. It is a significant hurdle to consider; however, because the US is so far behind in implementing these regulations, it will be a rushed ordeal.
What about encryption?
Everyone is overlooking the encryption of consumer data and ensuring that keys are stored on separate servers. Most organizations have encrypted their data in the past, but the problem is that they are leaving their data exposed, similar to locking your door but leaving the key under the floor mat. Are we locking our door? Yes. Is it really effective and safe? Not in the slightest. A lot of the old regulations we have grown accustomed to were all about encrypt, encrypt, encrypt, but it remained unclear what was considered good or bad encryption. The majority of data theft we’ve seen in the US was of data that was “technically” encrypted but wasn’t encrypted correctly because the keys were all the same. Today, regulators are doubling down and enforcing the use of different keys, which must be kept on separate servers. This is where we will see many organizations get themselves into hot water in California and across the country if strict enforcement is implemented. Historically, the US has not been a strict enforcer of these types of regulations, and as a result, executive teams are not taking them seriously. The difference between laws in the US and GDPR is that GDPR was strictly enforced from the start and made an example of companies that were not taking it seriously by making them pay millions for their mistakes. As a result, the law was taken very seriously.
The most important factor in getting it right and establishing efficiency is ensuring that individuals and organizations are compliant. The reason organizations are compliant with GDPR has nothing to do with the European standard itself; GDPR is effective because of its enforcement and significant fines. If we look at PCI and HIPAA compliance, the US has struggled with enforcement, and for CCPA and ADPPA to be effective, better enforcement will be critical to their success. It will be a make-or-break moment, and questions such as who will enforce the law, what the penalties will be, and what the costs of implementation are will have to be clearly defined in order to raise the likelihood of compliance and to show whether the law proves effective or ineffective.
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.