While nearly everyone was focused on the results of the 2020 Presidential race, California voters passed Proposition 24, the California Privacy Rights Act (CPRA). You might be wondering whether this is a new privacy law that replaces the 2018 California Consumer Privacy Act (CCPA), which went into effect earlier this year. It is not a replacement: the CPRA amends and builds on the CCPA, closing some of the loopholes and ambiguity found in the original. It gives additional rights to consumers and places additional obligations on businesses.
Some of the CPRA's changes take effect immediately, but most become operative on January 1, 2023, are enforceable starting July 1, 2023, and apply to personal information collected on or after January 1, 2022. As with the run-up to the CCPA, companies have time to prepare for the new requirements.
A Quick Summary of the California Privacy Rights Act
The CPRA keeps the same basic structure as the CCPA. Among its changes, it establishes a dedicated enforcement agency, the California Privacy Protection Agency; triples fines for violations involving children's personal information; and makes it harder to weaken the law in the future.
Two of the more notable additions: the CPRA expands the right to opt out to cover the "sharing" of personal information, not only its "sale," and it establishes a new right to limit how businesses use "sensitive personal information," a new term defined broadly to include, among other things, information about health conditions, genetic data, race and ethnicity, sexual orientation, precise geolocation, and government identifiers such as Social Security, driver's license, and passport numbers.
ERP applications already store an abundance of exactly this kind of information, such as Social Security numbers, driver's license numbers, and passport numbers. The new classification adds to the effort of locating and classifying the data you must account for to remain in compliance.
The CPRA Signals Organizations Must Get Serious About Enhancing Data Access and Usage Visibility – Especially for Legacy ERP Applications
The CCPA and CPRA require organizations to implement reasonable security measures around personal information and to honor consumer requests to opt out of the "selling" and "sharing" of it. To do that, a business must know what personal information it collects, where it is stored, and how it is accessed and used. Companies running PeopleSoft, SAP ECC, S/4HANA, and Oracle E-Business Suite face a specific compliance challenge here: the native logs of these legacy ERP systems record that a user logged in or that a transaction ran, but not which records or fields were viewed, from where, or in what context.
How Appsian360 Enables CCPA/CPRA Compliance
Closing that gap means monitoring user behavior around data access and usage. This is where Appsian360 becomes an essential tool for compliance: it extends native ERP logging to capture the contextual details compliance reporting needs, such as which data was accessed, the user ID, the source IP address and location, the page accessed, and the action performed.
More Data Privacy Acts Likely on the Horizon
With the CPRA, Californians will have some of the strongest privacy rights in the United States, and the CPRA is unlikely to be the last such law. The passage of the CCPA prompted other states to draft their own privacy bills, and there has been activity at the federal level as well. The pandemic rightfully slowed state and federal activity in 2020, but there is a good chance we will see additional privacy bills in 2021.
There is no better time than the present to press forward with your compliance efforts, whether for CCPA, GDPR, or now CPRA. Contact us to learn how Appsian can fast-track your CCPA and CPRA compliance by improving your visibility into data access and usage.
Do You Even Know What and Where It Is?
Not too long ago, I was involved in the war room activities surrounding the breach of a major travel company: a breach that not only led to the exposure of sensitive information, but also to the use of that information to subvert the international travel infrastructure (yes, I'm being cagey with details here).
A war room, in this instance, is an immediate incident response step: typically a dedicated conference room full of smart people, set up to lead identification and remediation activities around a suspected or confirmed security breach.
Once the firefighting was done and the immediate threat remediated, the team moved into forensics mode, where the question shifted from "what happened?" to "how did this happen?".
In the course of that activity, the CISO of the company was brought in. In addition to questions around security policies and response capabilities, two key questions were asked:
“Where do we have exposure to the hacking of data we categorize as sensitive to our customers, employees or partners?”
“What controls are in place to secure that data?”
In essence, his answers were:
“If you’re asking for an inventory of where sensitive data exists, I’d have to partner with the application teams to determine that.”
“As far as controls, we have a pretty strong network perimeter. But, again, I would have to partner with the application teams to ascertain what controls are in place at that level.”
That CISO is no longer employed by that travel company.
Let’s talk about the role of the Chief Information Security Officer (CISO)
Presumably, it is the position that leads the charge to ensure the organization adequately protects all data that is proprietary and/or necessary to conduct business operations. That casts a pretty wide net.
But that net, in addition to proprietary intellectual property, clearly includes customer, partner, and employee data. The compromise of any of these can lead to major impacts on business operations.
A phishing attack yields the credentials of a highly privileged application user? That application is now essentially "owned" by the attacker. What kind of damage can they do with it?
Even the compromise of a lower-privileged user can let an attacker escalate privileges within the application and/or leapfrog to other applications across the enterprise.
Aside from the potential for business disruption, the exposure and malicious use of sensitive data can lead to major financial losses and regulatory penalties for any organization.
Data awareness is a critical component of today's CISO responsibilities. Knowing where your sensitive data lives is key. Knowing the mechanisms by which it is accessed and managed is just as key.
In the current compliance environment, data privacy is a hot button that is shaping many of the new regulations around the digital economy. Whether it be GDPR, the California Consumer Privacy Act, or the multitude of other mandates on how companies must support data privacy, the responsibilities of the CISO are evolving well beyond having a handle on network protection controls.
Application awareness is becoming a necessity. Knowing which applications house sensitive data, whether a legacy ERP system or a cutting-edge cloud application, is an inventory a CISO will be expected to maintain.
Contact us to see how Appsian can help inventory and address your sensitive data exposure in ERP applications.