Whenever new data privacy and cybersecurity laws go into effect, they create more work and responsibilities for cyber professionals. This reality hasn’t gone unnoticed by attorney Scott Giordano, who reminded cybersecurity professionals during a session about the California Consumer Privacy Act (CCPA) that the law will create new duties for them.
Giordano, Vice President of Data Protection at Spirion, went over details of the law, which takes effect on Jan. 1, 2020, and how organizations should prepare for it. His was one of a series of presentations at the 2019 (ISC)² Security Congress, taking place in Orlando this week, about privacy and security regulations, and their impact on how organizations go about collecting and keeping personal customer data.
The California law comes in the heels of Europe’s General Data Protection Regulation (GDPR), and employs a broad definition of personal information. It includes identifiers such as name, address, email account and passport number, as well as other data such as personal property, web purchases, and internet browser and search history. “You can see that just about anything is personal information,” Giordano said.
The law will require businesses to respond within 45 days to requests from individuals for the information companies keep about them. It also will give users the right to have their data deleted. But there are exceptions, such using the data for debugging and security incident detection.
Giordano fielded a lot of questions in a roomful of (ISC)² Security Congress attendees, who clearly are keenly interested in how the law will work and what it means to them. Giordano also shared a list of recommendations to prepare for the law, including the following:
Create a data inventory.
Create a data subject access request (DSAR) process.
Determine what to include in a report to ..
Support the originator by clicking the read the rest link below.
