Does the CCPA require penetration testing?

Businesses in California have started their preparations for January 01, 2020 – the day from which the CCPA comes into force. In the last month and a half, we have been receiving a large number of queries regarding the meaning of the phrase “reasonable security practices” and “penetration testing requirements for CCPA.”

In this article, we discuss the extent of reasonable security practices and elaborate on whether pentesting services is actually required for CCPA.

What is the CCPA?

The California Consumer Privacy Act (CCPA) of 2018 is a bill passed by the State Legislature of California to enhance privacy rights and consumer protection for California residents. The bill was introduced on January 03, 2018, it was signed into law by the Governor on June 28, 2018, and it is due to come into effect from January 01, 2020. This act intends to give the following rights to the California residents –

1. Know what personal data is being collected about them
2. Know whether their personal data is sold or disclosed and to whom
3. Say no to the sale of personal data
4. Access their personal data
5. Request a business to delete any personal information about a consumer collected from that consumer
6. No discrimination against a resident for exercising his privacy rights

Applicability

CCPA applies to any business, including any for-profit entity that collects personal data of consumers, does business in California, and satisfies at least one of the following requirements –

1. Annual gross revenue more than $25m
2. Possesses the personal information of 50,000 or more consumers, households, or devices
3. Earns more than half of its annual revenue by selling consumers’ personal information

All the organizations falling under any of these categories are required to implement and maintain reasonable security procedures and practices for protecting the personal information of consumers.

What does it require specifically?

CCPA specifies the following paragraph in Chapter 55, Section 1798.150 –

Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

In the first look, the phrase “reasonable security practices” has a vague meaning and broader connotation. To start the compliance process, an organization needs to have a definite goal. Our experts have recommended starting with a gap analysis exercise to identify the missing parts. For example, an organization can conduct its gap analysis exercise against ISO 27001:2013 standard. Further, it is suggested that they have relevant internal policies about the incident response process, data breach notification, etc.
Our experts have also advised that a business must undertake an end-to-end review of how the data of California residents are being collected, transported, stored, and destroyed to ensure the security of data.

Does the CCPA require penetration testing?

There is no specific definition or requirement given under the CCPA, which addresses penetration testing explicitly. So, in a strict interpretation of the legislation’s language, a definite answer cannot be given unless it is updated and an organization is fined.

From our experience in assisting our clients with their compliance requirements, we strongly suggest that an organization must conduct a penetration testing exercise as a proactive step to maintain a  reasonable level of security for its technical infrastructure.

The legislation contains remedies allowing the consumers to claim up to $750 per consumer for violation of the Act’s provisions. As compared to these costs, penetration testing costs are significantly lower. Therefore, instead of waiting for an organization to be fined or the legislation to be updated, penetration testing exercises must be conducted as a proactive step towards achieving a reasonable level of security.

Penetration testing is one way that businesses can assess the effectiveness of their security procedures and practices, and it may be a useful tool in meeting the CCPA’s requirement of implementing reasonable security measures. In general, it is a good practice for businesses to regularly assess their security posture and consider implementing penetration testing as part of their overall security strategy. Additionally, businesses may also want to consult with legal counsel to determine what security measures are appropriate for compliance with the CCPA and other applicable laws and regulations.

Schedule a call to learn more about CCPA requirements.