Time is almost up for companies scrambling to get their data privacy strategies in compliance with the California Consumer Protection Act (CCPA). Beginning as early as July 1, 2020, the California Attorney General’s office can start enforcing the CCPA and handing out penalties of up to $2,500 per violation or up to $7,500 per intentional violation.
So, when exactly, will the CCPA become law? On June 1, 2020, the California AG took the final step before the regulations become enforceable by submitting the final text of the CCPA Regulations to the California Office of Administrative Law (the “OAL”). The OAL has 30 working days–plus an additional 60 calendar days related to the COVID-19 pandemic–to review the submission and approve it to become an enforceable law. Doing the math, the California AG can begin enforcing violations as early as July 1 or as late as September 1, 2020.
Companies using PeopleSoft, SAP ECC, S/4HANA and Oracle EBS are likely facing additional compliance challenges due to inherent limitations built into these legacy ERP systems. Let’s look at a couple of tactics for enhancing your ERP systems to improve compliance with CCPA and establishing the capabilities to prepare for the uncertainty around data privacy.
1: Enhance Visibility into User Activity
The CCPA requires organizations to implement appropriate security measures around personal data and satisfy data subject access requests (DSARs). That means businesses must know what personal data they store and the user activity going on around it. However, traditional ERP systems do not provide the required level of granularity.
To achieve detailed visibility around data usage, organizations need to expand their native logging capabilities by adopting a strategy that focuses on data access and usage. Meaning, organizations must capture contextual details like date of access, UserID, IP address, device, location of access, actions performed, etc.
This is information that is critical for compliance reporting and understanding how data is being used within your organization.
2: High Privilege Access Should be the Highest Priority for Strengthening DLP
When it comes to ERP systems, the static rules that govern access can be limiting because roles and privileges are user-centric, not data-centric. User-centric roles say a person (or group in most cases) can view something under any circumstances, while data-centric means the nature of the data defines the access. This gets organizations in trouble time and time again from a DLP perspective because high privilege users always have the ability to see more data than they actually need (to do their job.) This makes non-compliance with CCPA almost inevitable. Overexposure of data is your biggest enemy and governing access by static rules (aka ‘all or nothing access rules’) creates an enormous liability.
Implementing data-centric policies (typically through attribute-based access controls) ensures that a user can only access data deemed necessary and job-related. This is because the data itself is governing access – not a user role. For example, access to certain high-risk transactions can be restricted based on a user’s location – or access can be granted, but with masked data fields. With every variation of context, attribute-based access controls can pivot and adjust accordingly. By reducing the threat surface, companies can reduce the risk of data leakage and mitigate compromised access damages.
3: Use Real-Time Analytics and Data Visualization (SEIM) to Expedite Incident Response Time
Integrated and real-time analytics displayed on dashboards were always a “nice-to-have” feature for security teams; however, keeping CCPA deadlines of breach identification and reporting in mind, data visualization has become a must-have feature. These advanced dashboards equip security professionals with real-time snapshots of data usage. The drill-down capabilities allow for enhanced data discovery and exploration to expedite breach detection and response, helping organizations stay compliant with CCPA and other existing and upcoming regulations.
If you’ve not wrapping up your CCPA compliance efforts by now, there’s no better time than the present to start (or continue down that road). Appsian can help you fast track your compliance efforts by enhancing your visibly and applying a data-centric ERP compliance framework.
The last thing any company wants is to discover that they’re out of CCPA compliance only when there’s a breach of the regulation.
Contact us to learn how Appsian can help you address your end-to-end security and compliance needs.