
The Lockdown

Thycotic’s Cyber Security Blog

The Impact of the California Consumer Privacy Act on Privileged Access Management

Written by Joseph Carson

October 6th, 2020

Consumers are demanding greater control and security over the collection and processing of their personal data. A bevy of privacy laws are rolling out across the world and multiple U.S. states, driving changes in data governance and security practices.

The California Consumer Privacy Act (CCPA) has the broadest impact of any U.S. state or federal privacy law, as it directly impacts 40 million consumers and hundreds of thousands of businesses. It provides stricter compliance requirements than any privacy law which U.S. businesses have addressed before.

Fewer than half of companies are confident they can meet the CCPA requirements today

The law was passed on June 28th, 2018, after protracted debate and many rounds of review, and went into effect on January 1, 2020. Yet numerous studies have reported that companies aren’t yet ready to comply. Fewer than half of companies are confident they can meet the CCPA requirements today, and only a quarter expect to be ready during 2020. Companies that had already dealt with the EU GDPR, which went into effect on 25th May 2018 and regulates EU citizens’ personal data, will have been much better prepared for CCPA regulations.

Privileged Access Management helps protect personal privacy and increase security

Privacy compliance intersects with Privileged Access Management (PAM) because both functions are responsible for protecting personal, sensitive information. CCPA raises the importance of maintaining a least privilege policy for personal information: only those people and systems that need access to personal data should be entitled to it, and they should be required to satisfy security controls while accessing it.

With the passage of CCPA, it’s more important than ever that information managers and application owners have full visibility into the systems and accounts which provide access to personal data, including on-premise and cloud-based databases, as well as third-party SaaS business applications.

Quick CCPA primer for PAM teams

CCPA introduces the following rights for consumers regarding their personal data:

  1. Right to know all personal data collected by a business
  2. Right to say no to the sale of personal data
  3. Right to delete personal data
  4. Right to be informed of what categories of personal data will be collected prior to its collection, and to be informed of any changes to this collection
  5. Mandated opt-in before sale of children’s information (under the age of 16)
  6. Right to know categories of third parties with whom personal data is shared
  7. Right to know categories of sources of information from whom personal data is acquired
  8. Right to know the business or commercial purpose of collecting personal information
  9. Private right of action when companies breach personal data

In accordance with CCPA, businesses must provide consumers the ability to make requests for data access, deletion, etc. in the form of a Data Subject Access Request (DSAR). Typically, consumers make these requests via your website, as well as emails and phone calls.

Consumers don’t necessarily need to be your direct customers; they can be any consumer who wants to know if you have collected, stored, or managed their data. After receiving a request, you have 45 days to provide complete and accurate information back to the consumer.

Your company must comply with CCPA regulations if any of the following holds true:

  • Your company has $25 million+ annual gross revenues
  • You buy, receive for commercial purposes, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices each year
  • 50% or more of your annual revenue is derived from selling consumers’ personal information

You need to know how personal data is stored, processed, shared, or sold

CCPA has a broad definition of personal data. It defines personal information as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

That includes data with standard identifiers such as name, address, passport number, social security number, driver’s license number, etc. as well as information such as biometric and geolocation data, and behavioral tracking data. For most companies, personal data is a mix of first-party data from different business units and acquired companies, as well as behavioral insights, purchased data, and other third-party data from vendors.

Personal data can be found in data stores throughout your IT ecosystem. MarTech applications, managed by privileged business users, are some of the biggest collectors, users, and buyers of customer data in a company. As part of the SaaS explosion, the number of MarTech applications grew from 150 in 2011 to over 7,000 in 2019.

Check to see which applications include personal data. Make sure you know who has the ability to access that data and to what degree.

What does the future hold for privacy legislation?

Privacy law is undergoing a period of change like never before. Currently, 12 other states plus countries like South Africa and Brazil are adopting new privacy laws. CCPA is expected to go through additional adjustments as businesses adapt to the operational requirements.

The most important thing right now is to make sure you have complete visibility and control over the handling of personal data via privileged accounts. As privacy laws change, you’ll have the information you need to adapt your data management practices and demonstrate compliance.

By taking steps to ensure you are a responsible data steward, you’ll show consumers that your company values them as current or future customers, and you’ll show compliance regulators that your company is upholding the highest privacy standards.

Where to get started with PAM and CCPA compliance?

Start with a Data Impact and Risk Assessment to classify and identify the personal data you collect or process, so you know which information is most important to your business and which data requires you to comply with CCPA or similar regulations. Conduct an audit and confirm who should have access rights to view and manage this personal data.

Privileged accounts are everywhere in the environment. They are the glue that connects vast information networks, including cloud applications. Privileged access usage can be human or non-human. Some privileged accounts are associated with individuals such as business users or network administrators; however, many are service accounts used to run services and are not tied to a person’s unique identity.
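As an added illustration (not code from the post or from Thycotic), the following Python access review joins a data-store inventory tagged with CCPA personal-information categories against account entitlements, reports which accounts can reach personal data and to what degree, and flags the non-human service accounts the text describes. The store names, accounts, entitlements and category labels are constructed samples.

```python
# Constructed sample inventory (hypothetical, not from the original post):
# each data store is tagged with the CCPA personal-information categories it holds.
DATA_STORES = {
    "crm-db": {"identifiers", "behavioral"},
    "hr-db": {"identifiers", "ssn"},
    "analytics-warehouse": {"behavioral", "geolocation"},
    "build-server": set(),  # holds no personal data
}

# Constructed entitlements: (account, store, privilege level, is_service_account).
ENTITLEMENTS = [
    ("alice", "crm-db", "read", False),
    ("bob", "crm-db", "admin", False),
    ("svc-etl", "analytics-warehouse", "admin", True),
    ("svc-backup", "hr-db", "admin", True),
    ("carol", "build-server", "admin", False),
]

PRIVILEGE_RANK = {"read": 1, "write": 2, "admin": 3}


def personal_data_exposure(stores, entitlements):
    """Map each account to the personal-data categories it can reach and its
    highest privilege level across stores that hold personal data."""
    exposure = {}
    for account, store, level, is_service in entitlements:
        categories = stores.get(store, set())
        if not categories:
            continue  # access to a store with no personal data is out of scope
        entry = exposure.setdefault(
            account, {"categories": set(), "max_level": "read", "service": is_service})
        entry["categories"] |= categories
        if PRIVILEGE_RANK[level] > PRIVILEGE_RANK[entry["max_level"]]:
            entry["max_level"] = level
    return exposure


def review_findings(exposure, sensitive=("ssn", "biometric", "geolocation")):
    """Flag entitlements a least-privilege review should confirm or revoke:
    service accounts holding admin over personal data, and any account that
    can reach a highly sensitive category."""
    findings = []
    for account, entry in sorted(exposure.items()):
        if entry["service"] and entry["max_level"] == "admin":
            findings.append((account, "service account holds admin over personal data"))
        hits = sorted(entry["categories"] & set(sensitive))
        if hits:
            findings.append((account, "reaches sensitive categories: " + ", ".join(hits)))
    return findings
```

Running `review_findings(personal_data_exposure(DATA_STORES, ENTITLEMENTS))` on the sample data leaves the human read-only and build-server accounts out of the report and surfaces the two service accounts for review.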

Once you have performed a Data Impact Assessment, the next step to maturity is to follow the Thycotic Privileged Access Lifecycle to get you moving quickly on the path to protecting and securing privileged access.
