12 August, 2020
CCPA Penetration Testing and Vulnerability Scanning
The much-discussed California Consumer Privacy Act (or CCPA) finally came into force at the start of this year, on January 01, 2020. As the name itself suggests, CCPA is a California State Law passed by the State Legislature of California. This law aims to expand the ambit of the privacy rights of the customers for the residents of California. It recognizes rights, such as:
- Right to know details about the personal information a business collects and the manner in which it is processed or shared
- Right to access personal data
- Right to delete personal information stored with businesses
- Right to opt-out of the sale of personal data
- Right to non-discrimination for exercising their rights available under CCPA
While we have continued to answer our clients’ queries about the overall security requirements of this regulation, in this article, we will be discussing penetration testing and vulnerability scanning requirements covered under this law.
Before talking about specific security requirements, it is crucial to decide whether this law applies to your business or not. CCPA applies to any for-profit business that:
- Derives half or more than half of its annual revenue from selling Californian residents’ personal information;
- Has a gross annual revenue of more than $25 million; or
- Buys, sells, or receives personal information of 50,000 or more Californian residents, devices, or households.
Besides, CCPA applies neither to government agencies nor nonprofit organizations. An individual can only sue a business under this law if one or more types of the following information is stolen in combination with your first name and last name:
- Your social security number (SSN)
- Driving license/password/tax identification/military identification number
- Your account number, credit/debit card number, and any other password that gives access to an individual’s account
- Medical/health insurance information
- Fingerprint, retina, iris, or any other biometric data
These types of personal information must be stolen in nonredacted and nonencrypted form.
Penetration testing and vulnerability scanning controls in CCPA
We have discussed at multiple instances that there are very few laws and regulations that specifically mention either penetration testing or vulnerability scanning or both. Well, CCPA is not one of them.
In Section 1798.150(a)(1), it specifies that
“Any consumer whose nonencrypted and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:”
This section mentions damages between $100 to $750 per individual per incident or actual damages, whichever is greater, injunctive/declaratory relief, or any other relief that the court finds proper. The court has to consider the following factors to quantify the damages:
- Nature and seriousness of the misconduct
- Number of violations
- Persistence of misconduct
- Length of time over which the misconduct occurred
- The willfulness of the defendant’s misconduct
- Defendant’s assets, liabilities, and net worth
While CCPA does not mention penetration testing or vulnerability scanning explicitly, it mentions reasonable security practices and practices appropriate to the nature of the information to protect personal information. The phrase “reasonable security practice” has a vague meaning and may have different meanings as per different contexts. On the other hand, you can select the appropriate practices depending on the results of the risk assessment. To avoid any penalties and implement reasonable security practices, our experts recommend that you should perform a gap analysis exercise against well-known standards such as ISO 27001:2013. This will help you in improving your information security practices to a great extent. Certain laws across the globe recognize compliance with ISO 27001:2013 equivalent to following reasonable security practices.
Compliance with ISO 27001:2013 will also upgrade your internal policies and procedures. But the question remains: do you require penetration testing and vulnerability scanning?
While there is a lack of clarity on the exact requirements, it is not possible to give a definite and exact answer. However, we recommend our clients perform penetration testing exercises twice a year and implement continuous monitoring of their assets through our SaaS platform. Our clients can order penetration tests and retests in a few clicks through our interactive platform. Besides, on a cost-benefit analysis, paying damages at $750 per individual for even one-fourth of your customers who belong to California is going to be costlier than adopting penetration testing and vulnerability scanning as a safeguard. In other words, conducting regular penetration tests and vulnerability scans, even if not explicitly called out, are universally adopted strong security measures and form an essential part of reasonable security practices.
Not sure how to fulfill your obligations under CCPA? Get in touch with our experts today!