Achieving CCPA with Third-Party Application Security

The California Consumers Protection Act 2018, also known as CCPA, is a consumer privacy law passed by the State of California to give eCommerce, Online Finance/Banking, and eService users more information and control over how their personal information is being used, processed, and stored. But how is this law connected to third-party application security? Let’s take a closer look to clear the question marks.

With online activity rising exponentially, more and more personal and financial information is being exchanged via online websites and also stored on local servers. Simultaneously, cybercrime and the regulatory landscape is evolving as more and more personal information is put at risk. In many aspects CCPA is becoming the USA’s privacy regulatory benchmark, just like the GDPR in Europe.

No sector is out of CCPA’s reach, which is just one of many new US regulations. Warner Music Group’s eSales website was hacked via third-parties in mid 2020, which led to the theft of thousands of personal records. It was served a legal notice and the issues were patched up. In another case, a leading American retailer also had to pay a large settlement fee of $400,000 for its CCPA-related breach.

What is the CCPA?

In a nutshell, CCPA is an evolution of the California Online Privacy Protection Act (CalOPPA), which has been around since 2004. This law went through a major revision in 2013, where websites were required to be more transparent with their privacy policies and offer users a “Do Not Track” option. It’s also important to note that this old regulation is still very much valid despite the rise of CCPA.

So what is CCPA all about and what’s new? It’s more about elevating user privacy standards – collection, communication, storage, and more. The new regulations require the data handler to provide users’ with a clear opt-out option from the data collection process. Furthermore, when it comes to minors below the age of 13, special CCPA cookie consent needs to be fetched from the parents.

Also known as AB-375, the CCPA also puts extra focus on secure data storage and processing, not to mention the encryption requirements that have become mandatory. Due to the growing use of third-party applications and poor coding standards in general, hackers are creating more and more attack vectors to harvest personal and sensitive information. More on this later.

If you have an online business that is catering to California-based residents and you are collecting their personal information, you will have to comply with the latest CCPA guidelines at all times. Crossing any one of the three predefined thresholds will make you fully accountable for the private information you are collecting, storing, and selling on or sharing with other businesses.

1. Your business generates an annual gross revenue of $25 million or above
2. You deal with over 50,000 California-based residents or devices annually
3. 50% of your annual revenue is generated by selling Californian data

The CCPA. Website screenshot. Source: https://oag.ca.gov/privacy/ccpa 

Besides the obvious operational losses and brand damage you will suffer, CCPA penalties can seriously damage your bottom line. The California Attorney-General usually provides a 30-day notice to rectify the security issue. If nothing is done to fix the problem, business can pay up to $7,500 per intentional violation (which basically means one consumer). This can add up quickly. As we will see later in the article, more and more CCPA clones are coming up all across America, making data privacy and risk assessment extremely important.

Learn more: Compliance for Third-Party Apps on Websites – the European Perspective.
A recommended white-paper by Reflectiz’ partner Cert2Connect – the Dutch cyber security solution provider

5 CCPA Practices You Should Look At 

CCPA is changing the way data privacy is implemented in the USA. This requires organizations to rethink their security strategy and implement a multi-layered approach. Here are five effective steps that will help you get closer to CCPA compliance:

✅ Learn Your Ecosystem – Survey all involved stakeholders about where sensitive and private information resides. This includes names, addresses, email IDs, geolocation, and biometric data. Security teams need to know where this data is saved and stored at all times.

✅ Map Your DevOps Pipeline – Once you have a basic idea of your infrastructure, you will need to map your applications and come up with some kind of inventory of the type of information they are using. This mapping should involve all types of consumer profiles and third-parties.

✅ Implement a Privacy Rights Infrastructure – You will need to implement a mandatory list of notices – opt-out notice, financial incentive notice, and also a proper privacy policy. It’s also recommended to have it translated to multiple languages and accessible to people with disabilities.

✅ Engage Third-Party Vendors – Connect with the creators of the third-parties you are using and get the required regulatory information before implementing and using their solution. Learn about what data they are capturing and insist on CCPA reporting from their side as well.

✅ Third Party Application Management – Third parties are a crucial part of CCPA compliance. Security teams and their organizations are now fully responsible for any data breach or risk mismanagement caused by these external applications, as they cause huge security blind spots. 

From a third-party application security point of view,  let’s not forget that security blind spots, which are gaps between your application security standards and the data security and CCPA risks created by your third-parties, are becoming a huge pain point. While these five practices are extremely important, others are still being neglected by security teams and business owners.

CCPA and Third-Party Application Security

Over 95% of organizations now use third-party apps to supplement their analytics, marketing, sales, and development operations. This helps reduce costs due to the elimination of in-house development, while significantly shortening time-to-market times. But this is a double-edged sword.

As mentioned earlier, third-party blindness is rendering traditional security techniques ineffective, something that is not helping with CCPA compliance. The relations between business, third-parties, fourth-parties, and even fifth-parties is becoming increasingly complex. There is a growing need for a seamless security solution that can help govern and monitor this complicated ecosystem.

The typical eCommerce website has over 50 third-party apps (on average) running on it at any given time. This is also the case with financial, banking, and other eService websites. With so much external code in action and being changed constantly, vulnerabilities multiply. But having a comprehensive monitoring solution can be a game changer for your compliance stance. 

Monitoring all third and fourth parties on your website will help you gain full inventory visibility. By implementing a website sandbox solution that works in an non-intrusive manner, you gain the ability to perform dynamic behavioral analysis and risks assessment on-the-go. This third-party intelligence essentially eliminates most CCPA risks and security blind spots.

What can you learn from GDPR rulings and penalties?
Find out why Ticketmaster was fined £ 1.25 million due to a Magecart attack

CCPA is Not Alone

The regulatory landscape is evolving. Not only do you have to take CCPA seriously, you will also need to be prepared for the California Privacy Rights Act (CPRA), which is expected to put extra focus on how you control your data collections and enforce data privacy security on your website. Not monitoring, tracking, and governing your third-parties properly is no longer an option.

Furthermore, this shift in third-party application security requirements is not limited to the state of California. 15 US states proposed laws that are virtually identical to the CCPA with minor differences. Also, with the eCommerce space going global across multiple continents, American based businesses are not exactly immune to General Data Protection Regulation (GDPR) action.

The State of California is not alone.
15 states have already proposed laws that are virtually identical to the CCPA with minor differences.   

23 NYCRR 500, enforced by the New York State Department of Financial Services (NYDFS), is another set of cybersecurity laws that will need to be taken into consideration in 2021 and beyond. These guidelines apply mainly to finance, banking, and insurance companies, which are now expected to have sound identity management and third-party risk assessment solutions in place.

It’s official. Third-party application security needs to be improved across all sectors in the US. Data privacy is being taken very seriously by the authorities in all states, not just the State of California. Whether it’s CCPA or 23 NYCRR 500, you need to make sure you are in full control of your third-parties and have the ability to respond to issues in real-time. The time to get proactive is now!