June 20, 2019

Last Updated on January 12, 2024

As Pivot Point Security’s CISO (and with the management team’s full support) I recently decided that we will be CCPA compliant by Q1 2020, even though we are technically exempt.

Why?

  1. We work for some very large companies with strong Vendor Risk Management programs, and we assume they are going to ask us to sign a Data Protection Addendum because they need to conform.
  2. Eating your own dog food makes you better at your craft. Being CCPA compliant will make our Privacy Service Offering stronger.
  3. It’s the right thing to do. Amendments to the US Constitution create the right to Privacy, which makes it our obligation.

We are currently working our way through our PII Data Mapping exercise, which is really just a more formal, structured approach to the “scoping” that is integral to all good information security frameworks like ISO 27001 and NIST/FISMA, as well as good audit/attestation frameworks like SOC 2. The difference is that some of the downstream requirements, most notably the right to present PII and the right to forget PII on a consumer’s request, change the required specificity of the scoping for CCPA. To meet these demands, it becomes more important to understand not only the individual PII data elements but also the processing activities that act on the data, and the specific assets that support those processing activities. The greater specificity is necessary to understand exactly where all PII for a particular individual is, to support retrieval, presentment, and deletion requirements.
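To make the three-level map concrete (data elements, the processing activities that act on them, and the assets those activities land in), here is an added example that is not part of the original post and not Pivot Point Security’s own tooling. It uses a constructed, hypothetical inventory and shows how that structure answers an access request (what is held, why, where, and which third parties see it) and produces a deletion checklist for one individual:

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    operator: str  # "internal" or the third party that runs the system


@dataclass(frozen=True)
class Activity:
    name: str
    purpose: str
    elements: frozenset  # PII data elements this activity acts on
    assets: frozenset    # assets (by name) those elements end up in


# Constructed sample inventory (hypothetical; not any company's real data map)
ASSETS = {a.name: a for a in [
    Asset("erp", "internal"),
    Asset("crm", "internal"),
    Asset("mail_vendor", "ExampleMail Inc."),
    Asset("helpdesk", "internal"),
]}
ACTIVITIES = [
    Activity("billing", "invoice clients", frozenset({"name", "email", "postal_address"}), frozenset({"erp"})),
    Activity("newsletter", "send marketing email", frozenset({"name", "email"}), frozenset({"crm", "mail_vendor"})),
    Activity("support", "resolve tickets", frozenset({"name", "email", "phone"}), frozenset({"helpdesk"})),
]


def access_report(activities, assets, held):
    """For one individual (``held`` = elements actually collected from them),
    answer: which elements, for what purposes, in which assets, shared with whom."""
    report = defaultdict(lambda: {"purposes": set(), "assets": set(), "third_parties": set()})
    for act in activities:
        for element in act.elements & held:
            entry = report[element]
            entry["purposes"].add(act.purpose)
            entry["assets"] |= act.assets
            entry["third_parties"] |= {assets[a].operator for a in act.assets
                                       if assets[a].operator != "internal"}
    return dict(report)


def deletion_plan(activities, assets, held):
    """Every (asset, element) pair to erase for this individual, plus the third
    parties that need a downstream deletion instruction."""
    pairs = {(a, el) for act in activities for el in act.elements & held for a in act.assets}
    third_parties = {assets[a].operator for a, _ in pairs if assets[a].operator != "internal"}
    return sorted(pairs), sorted(third_parties)
```

Because the same element (here, “email”) flows through several activities and assets, a map that stopped at the element level would miss systems that a deletion request has to reach.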
While this concept can be daunting, the principle of knowing exactly what data you have, and where it is, is central to the concept of Information Governance. I know that Information Governance is very much an aspiration for most of us, but I sense that it is becoming more of a reality with each new PII standard. As we are working our way through CCPA Data Mapping, increasingly I find myself wanting to revisit the mapping process with other forms of sensitive data in our environment, most notably our clients’ information security related data.

In principle, shouldn’t a client have the same rights a consumer does under GDPR or CCPA? A customer should be able to say, “Tell me what data you are gathering, what are you doing with the data, and who else has access to it; present it to me when I ask for it; and delete it all if I ask you to.” As an ISO 27001 certified company, we are almost in a position to do exactly that. As an ISO 27001 and CCPA certified company—and with a little additional effort—we will be able to.

When we started our CCPA compliance effort, I knew we would end up doing a better job of protecting PII; however, I didn’t expect we would do a better job of protecting all of our sensitive data.

I can hear Greg Brown crooning now: “Hey, Hey, Hey, Hey, Who would have thunk it?”