How Data Loss Prevention can help with CCPA Compliance
The California Consumer Privacy Act (CCPA) has emerged as a blueprint for data protection regulations in the US. Itself inspired by the EU’s General Data Protection Regulation (GDPR), the CCPA adapted the new international standard set by the European legislation to a distinctly American context. Its impact has been considerable: similar laws are now sprouting across the United States and discussions have intensified over the possibility of adopting a federal data protection law.
While multinational companies that have gone through the rush for GDPR compliance are confident in their ability to become CCPA compliant before the 2020 deadline, many organizations that breathed a sigh of relief when they realized the dreaded EU legislation did not apply to them are now scrambling to come to terms with the CCPA. According to a study conducted by PwC, only 52% of companies falling under the scope of the CCPA expect to be compliant with it by January next year.
As personal data and its use become more and more legislated across the world, Data Loss Prevention (DLP) solutions have emerged as indispensable tools in data protection strategies. Covering a blind spot in traditional security frameworks, DLP protects data against employee negligence or malice, whether a computer is located inside or outside the company network. Here is how DLP solutions help with CCPA compliance:
1. Data visibility and the right to deletion
One of the basic requirements for any compliance strategy is knowing where your data is. You cannot protect data if you don’t know where it is. This means that it’s not enough to block certain types of data from being transferred or copied, but you must also be aware of what data is stored where.
Moreover, under the CCPA, consumers will have the right to request that their personal information be deleted. This implies that companies must make sure that the requester's data is no longer anywhere on their network. Oftentimes data tends to make its way onto unauthorized endpoints: employees share information with each other in the execution of their duties, disregarding internal policies concerning sensitive data.
How can organizations, therefore, ensure that when a request for deletion is made, all of the requester’s data will be erased from their network? DLP can help through its data at rest scanning capabilities. Companies can search their entire networks for specific sets of data and when they are found, they can take remediation actions such as deletion or encryption.
2. Protect sensitive data
Once you know where your data is, you have to protect it to be CCPA compliant. This means a number of things. A comprehensive framework must include firewalls and antivirus software, but also additional layers of protection against accidental data loss or malicious insiders.
DLP solutions like Endpoint Protector offer admins the possibility of setting company-wide policies that prevent sensitive data from being transferred over the web via different channels such as email, social media or popular messaging applications. These policies are often predefined, especially when it comes to personally identifiable information (PII) that has to be protected under most data protection regulations. Organizations also have the possibility of defining their own policies based on data that they specifically collect, or that is considered sensitive in the context of their particular industry.
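The two capabilities described above, scanning data at rest for a specific person's records (section 1) and predefined PII detectors that drive channel policies (section 2), both rest on the same building block: content inspection that recognises identifiers such as SSNs, email addresses and payment card numbers. The following is an added illustration written for this article, not code from Endpoint Protector or any other product. The file set is constructed in memory to stand in for a scan of endpoints and shares, the SSN/card/email patterns are simplified versions of the kind a DLP engine ships with, and `apply_deletion` only simulates the remediation step by returning the file set without the flagged paths.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample "files" standing in for content found on endpoints and shares.
# Values are deliberately well-known test identifiers, not real personal data.
SAMPLE_FILES: Dict[str, str] = {
    "/shares/hr/payroll_2019.csv": "name,ssn\nJane Roe,078-05-1120\n",
    "/home/bob/Desktop/notes.txt": "call alice@example.com about invoice\ncard 4111 1111 1111 1111\n",
    "/home/bob/Desktop/readme.txt": "nothing sensitive here, order id 1234-5678\n",
}

# Simplified PII detectors (assumption: a real DLP engine uses far richer rule sets).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str      # "ssn", "email" or "credit_card"
    preview: str   # redacted form, so reports do not themselves leak the data


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reject number runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the last four characters so a finding can be triaged without exposing it."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan_text(path: str, text: str) -> List[Finding]:
    """Run every detector over one file's content and return the redacted findings."""
    findings: List[Finding] = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding(path, "ssn", redact(m.group())))
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding(path, "email", redact(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):  # a regex hit alone is not enough; validate the checksum
            findings.append(Finding(path, "credit_card", redact(digits)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Data-at-rest scan over the whole file set."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Map each affected path to the sorted list of PII kinds found in it."""
    out: Dict[str, set] = {}
    for f in findings:
        out.setdefault(f.path, set()).add(f.kind)
    return {path: sorted(kinds) for path, kinds in out.items()}


def find_subject(files: Dict[str, str], identifiers: List[str]) -> List[str]:
    """Right-to-deletion support: locate every file mentioning any of a requester's identifiers."""
    wanted = [i.lower() for i in identifiers]
    return sorted(p for p, text in files.items() if any(w in text.lower() for w in wanted))


def apply_deletion(files: Dict[str, str], findings: List[Finding]) -> Dict[str, str]:
    """Simulated remediation: return the file set with every flagged path removed."""
    flagged = {f.path for f in findings}
    return {p: t for p, t in files.items() if p not in flagged}


if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}: {f.kind} {f.preview}")
    print("requester files:", find_subject(SAMPLE_FILES, ["alice@example.com"]))
    print("remaining after deletion:", list(apply_deletion(SAMPLE_FILES, found)))
```

The redaction step matters in practice: a scan report that reproduces the matched SSNs and card numbers verbatim is itself a new copy of the data the organization is trying to locate and remove.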
3. Device control
Another exit point for data is removable devices. Many data protection tools do not prevent data from being copied to such devices at the endpoint. This gives both malicious actors and careless insiders the possibility of easily taking sensitive data outside the company network.
DLP tools allow admins to either block copying onto removable devices altogether or limit their use to trusted devices such as those issued by the company. All this is done through the monitoring and control of peripheral and USB ports directly on the computer.
4. Protecting data on the move
Data is most vulnerable when it is leaving the security of a company network. Nowadays the workforce is becoming increasingly mobile: many companies offer their employees options such as remote working as part of their contracts, allowing them to work from anywhere, part or all of the time. With many organizations now operating across borders, travel between company offices is inevitable, as are industry events and on-site client meetings.
All this movement means one thing: devices leaving the company network are made vulnerable by the absence of network-level protection. Encryption is key in mitigating this particular hazard. USB drives in particular are a prime source of data loss on the move. Small, easy to forget or steal, USB drives carrying sensitive information are one careless step away from data loss.
Luckily there are tools that can enforce automatic USB encryption, ensuring that any files copied onto these portable devices are encrypted and therefore secure should the devices be lost or stolen. Data is then accessible only through a password which can be reset by admins if necessary.
5. Reporting tools
An important point of all data protection regulations, including the CCPA, is the need for companies to prove compliance. DLP tools support this through monitoring features that log every policy violation. Detailed reports can then be easily exported to serve auditing purposes.
These reports also help organizations pinpoint weak links in their data protection efforts such as particular types of data that are most vulnerable or employees that regularly attempt to transfer sensitive data. They can then take appropriate measures such as additional employee training or safeguards to ensure compliance with the CCPA.
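To show what turning a violation log into the kind of report described here looks like in practice, the following is an added example written for this article, not Endpoint Protector's reporting code or its log format. The log lines are constructed, the `key=value` layout is an assumption, and the thresholds are illustrative. The report groups violations by user, policy and channel, so that the "weak links" the text mentions (the most frequently caught data types, and users who repeatedly trigger policies) fall out directly, and it emits a CSV string of the kind that would be exported for an audit.

```python
import csv
import io
import re
from collections import Counter
from typing import Dict, List

# Constructed DLP violation log (format is an assumption for this example).
SAMPLE_LOG = """\
2019-11-04T09:12:33Z user=bob channel=email policy=PII-SSN action=blocked
2019-11-04T09:40:10Z user=bob channel=usb policy=PII-CREDIT-CARD action=blocked
2019-11-04T10:02:51Z user=carol channel=webmail policy=PII-SSN action=reported
2019-11-05T08:15:00Z user=bob channel=messaging policy=PII-SSN action=blocked
2019-11-05T11:47:22Z user=dave channel=usb policy=PII-CREDIT-CARD action=blocked
this line is malformed and must be skipped, not crash the report
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) channel=(?P<channel>\S+) "
    r"policy=(?P<policy>\S+) action=(?P<action>\S+)$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse one violation per line; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def count_by(records: List[Dict[str, str]], field: str) -> Counter:
    """Violation counts per distinct value of one field (user, policy, channel, ...)."""
    return Counter(r[field] for r in records)


def repeat_offenders(records: List[Dict[str, str]], threshold: int = 2) -> List[str]:
    """Users who triggered at least `threshold` violations, most frequent first."""
    counts = count_by(records, "user")
    return [u for u, n in counts.most_common() if n >= threshold]


def audit_report(records: List[Dict[str, str]]) -> Dict[str, object]:
    """The summary an auditor or security lead would look at first."""
    return {
        "total": len(records),
        "by_policy": dict(count_by(records, "policy")),
        "by_channel": dict(count_by(records, "channel")),
        "by_user": dict(count_by(records, "user")),
        "repeat_offenders": repeat_offenders(records),
    }


def export_csv(records: List[Dict[str, str]]) -> str:
    """Flat CSV export of the parsed violations for hand-over to auditors."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["ts", "user", "channel", "policy", "action"])
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for k, v in audit_report(recs).items():
        print(f"{k}: {v}")
    print(export_csv(recs))
```

The "repeat offenders" view is where the training or extra safeguards mentioned above would be targeted; the per-policy view shows which categories of data are leaving most often, which usually says more about where that data is stored than about the people handling it.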