2020 is shaping up to be a decisive and historic year in many ways. While most people are focused on the presidential race, Election Day 2020 could have even larger implications for the business world. For every company with a website, 2020 will be the year that improving cybersecurity posture shifts from a good business idea to a legal necessity.
As most businesses are aware, the California Consumer Privacy Act (CCPA) is set to take effect on January 1. Requiring businesses to work toward achieving “reasonable security” of consumer data, the CCPA applies to most companies with an online presence accessible to people living in California — so, in other words, most businesses in the United States.
But what’s less well known is that the Golden State is preparing to follow up the CCPA with even more stringent data privacy laws. Consumer privacy advocates are fighting to get the California Privacy Rights and Enforcement Act (CPREA) on the November ballot; if implemented, it would take effect on January 1, 2021, with some provisions retroactive to January 1 of 2020. Also, every business owner needs to understand that privacy and security are not equal.
What Is the CPREA, and What Does It Mean for Cybersecurity?
So, what is this new California data privacy law? The CPREA basically doubles down on the online security mandates of the CCPA, giving consumers more comprehensive protection over what private info is being collected and sold. It also expands their ability to opt out of such practices without facing retaliatory or discriminatory action from businesses.
Notably, the CPREA also expands consumers’ rights to take legal action against businesses that fail to protect their data from outside attack. So, on top of the state-level penalties that the CCPA applies to businesses that fail in the realm of cybersecurity, the CPREA could usher in a whole new level of civil penalties.
Also, for larger businesses (those that collect the private info of five million or more California residents), the CPREA calls for the creation of special regulations that will require annual cybersecurity audits. They’ll also have to publish their data privacy risk assessments on a yearly basis.
Though the CPREA would, like the CCPA, be restricted to companies interacting with Californians, compliance is being seen as mandatory for organizations with a national footprint. For instance, Microsoft recently announced that it would bring all of its media and communications services — a list that includes Windows operating systems, Skype, Bing, Xbox, and more — into compliance.
To this end, the CCPA is already playing the role of North America’s version of the European Union’s sweeping data privacy law, the General Data Protection Regulation (GDPR). Implemented in 2018, the GDPR also affects non-European businesses that do business in the EU, and has resulted in high-profile prosecutions of American companies such as Google and Facebook.
The CPREA may not yet be the law of the land — as of December 1, it isn’t even certain to be on the November ballot. But the CCPA is, and so is the GDPR. And the trend is clear: The online marketplace is moving toward much stricter data protection requirements. Those who work to comply as soon as possible will be better positioned to compete in the years to come.
Businesses hoping to wait things out, or hold off on improving cybersecurity until the creation of a federal law, may face repercussions that could hurt their bottom line or even put them out of commission. In addition to being at a competitive disadvantage, those companies will also be at risk of being made an example of by prosecutors seeking to demonstrate the CCPA’s validity on a nationwide scale.
Why Improving Cybersecurity Is Now an Organization-Wide Priority
Companies that truly understand what’s at stake are planning accordingly. They know that meeting the new standards of data protection isn’t just a task for their IT team, but for the entire organization. According to a study from consulting firm Protiviti, for instance, CFOs are becoming increasingly involved in the process of improving cybersecurity, understanding the seriousness of the repercussions.
“A data breach—[of] financial or nonfinancial data—can have severe financial ramifications,” said Protiviti managing director Chris Wright via CFO Dive. “As cyber risks increase, finance leaders must adequately budget, allocate resources, and prioritize company-wide security and data protection measures.” Understanding how new privacy regulations intersect cybersecurity requires a new lens and expertise that depend on business workflows generally outside the scope of technologist tooling.
The bottom line? Improving cybersecurity posture shouldn’t just be a pipe dream or an item on your long-term wish list. It’s now an operational imperative. And the clock is ticking! By January 1, 2020, the CCPA will be in effect. And the following year is likely to make its cybersecurity requirements even more stringent.
That’s why improving cybersecurity should be on top of your list of New Year’s resolutions. And, unlike many resolutions, this is one that can’t wait until next year. If you’re looking for help getting your cybersecurity up to speed, we can help! Contact us here to set up a complementary consultation with an Omnistruct data security specialist.