The Cost of Noncompliance Is Steeper Than You Think
This November, California voters approved Proposition 24, also known as the California Privacy Rights Act (CPRA). While some of the CPRA changes will take effect immediately, most will not become enforceable until July 1, 2023.
Notably, the CPRA expands the breadth of data covered through a wider definition of sensitive personal information. It also introduces new General Data Protection Regulation (GDPR)-style governance measures and establishes a new enforcement agency. Importantly, the CPRA does not replace or repeal the California Consumer Privacy Act (CCPA) but rather adds to California’s existing law and closes some of the loopholes businesses were using to circumvent the law.
While CCPA penalties range from $2,500 to $7,500 per violation, the CPRA will triple fines for violations involving children’s data, bringing the maximum to $7,500 per violation as opposed to $2,500 for other, non-intentional violations.
More states are sure to follow with their own legislation, and regulation at the federal level may not be far behind. Bills like the New York Privacy Act, which is likely to be reintroduced in 2021, have provisions that are considered to be even more rigorous and groundbreaking than the CCPA.
Now’s the time to invest in a solution that automates data compliance to save time and resources, and avoid hefty fines—not to mention, a loss of consumer trust.
Non-Production Environments: Taming the Beast
Most companies that collect sensitive data—like birth dates, credit card information, or even social security numbers—already have proper security measures in place when it comes to highly visible production environments.
It’s the data living in non-production environments that is often left out of compliance conversations, and as a result it is incredibly vulnerable. Non-production environments used for development and testing contain multiple copies of real customer and company data. These environments are numerous—for every production instance of an application, there are at least 10 copies of a non-production environment. Each dataset often reflects a large swath of users. What’s more, non-production data is sometimes moved across different systems, whether on-premises or to the cloud, introducing further security risks. And today, these risks are compounded by the challenges of remote work and the securing of employees’ home networks.
In 2016, for example, hackers infiltrated Uber’s third-party cloud servers, where the company stored sensitive consumer data for use in non-production environments. The hackers’ entry point was an access key posted by an Uber engineer to a code-sharing website. With it, they downloaded unencrypted files containing personal data of millions of Uber customers.
The CCPA, GDPR, and the like are designed to protect consumers from instances like the Uber hack. Now more than ever during this global pandemic, data collection is a constant reality for businesses, which means data protection should be standard practice.
“This [CCPA] isn’t a one and done,” Jennifer Urban (formerly Rathburn), a compliance expert and partner at the law firm Foley & Lardner, tells WIRED magazine. “This is an evolving area that’s pretty new to the U.S. In sum, privacy is here to stay.”
Achieving Compliance Is No Small Undertaking
The key, therefore, to maintaining compliance with emerging regulatory legislation is automation. Rather than tackle the problem manually, enterprises can adopt a programmable data infrastructure platform that automatically profiles sensitive data and irreversibly masks it by replacing the original value with a fictitious but realistic equivalent. The masked data can still be used for development, testing, or reporting purposes, but the risk of personal data exposure is eliminated.
This is a valuable tool when it comes to securing data across disparate non-production environments. If businesses were to manually remove sensitive data from non-production environments, they might spend an average of $1 million to secure 15-20 applications. With masking, the data is protected without changing application behavior. And if the data is de-identified, it’s no longer considered personal data under regulations, including the GDPR and CCPA.
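To make the profile-then-mask idea above concrete, here is a small added example (it is not code from the article or from any vendor's product). It profiles a record by matching field values against patterns for social security numbers, card numbers, e-mail addresses and birth dates, then replaces each sensitive value with a fictitious but format-preserving equivalent derived from an HMAC-SHA256 of the original. The HMAC is one-way, so the original cannot be recovered even by someone holding the key, yet the same input always maps to the same output, so joins between masked tables still line up. The record, the masking key and the `example.com` domain are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed key for the example. In practice the masking key lives in a
# secrets manager; the HMAC is one-way, so holding it does not let anyone
# reverse a masked value back to the original.
MASKING_KEY = b"constructed-example-masking-key"

# Value-based detection patterns. Real profilers also use column names and
# sampling; pattern matching on each value is a deliberate simplification.
PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "card": re.compile(r"^\d{13,19}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "dob": re.compile(r"^\d{4}-\d{2}-\d{2}$"),
}


def profile_record(record: dict) -> dict:
    """Return {field_name: category} for every field that looks sensitive."""
    found = {}
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for category, pattern in PATTERNS.items():
            if pattern.match(value):
                found[field] = category
                break
    return found


def _hmac_digits(secret: bytes, label: str, value: str, n: int) -> str:
    """n pseudorandom decimal digits derived one-way from (label, value)."""
    mac = hmac.new(secret, f"{label}:{value}".encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac, "big")).zfill(78)[-n:]


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_ssn(secret: bytes, value: str) -> str:
    d = _hmac_digits(secret, "ssn", value, 9)
    area = 100 + int(d[:3]) % 566           # 100..665, avoids 000 and 666
    group = 1 + int(d[3:5]) % 99            # 01..99
    serial = 1 + int(d[5:9]) % 9999         # 0001..9999
    return f"{area:03d}-{group:02d}-{serial:04d}"


def mask_card(secret: bytes, value: str) -> str:
    """Keep the 6-digit BIN and length; regenerate the rest with a valid Luhn digit."""
    body = _hmac_digits(secret, "card", value, len(value) - 7)
    partial = value[:6] + body
    return partial + luhn_check_digit(partial)


def mask_email(secret: bytes, value: str) -> str:
    token = hmac.new(secret, f"email:{value}".encode(), hashlib.sha256).hexdigest()[:10]
    return f"user{token}@example.com"       # reserved domain, never deliverable


def mask_dob(secret: bytes, value: str) -> str:
    d = _hmac_digits(secret, "dob", value, 7)
    year = 1950 + int(d[:3]) % 51
    month = 1 + int(d[3:5]) % 12
    day = 1 + int(d[5:7]) % 28              # valid in every month
    return f"{year}-{month:02d}-{day:02d}"


MASKERS = {"ssn": mask_ssn, "card": mask_card, "email": mask_email, "dob": mask_dob}


def mask_record(record: dict, secret: bytes = MASKING_KEY) -> dict:
    """Profile the record and replace each sensitive value; other fields pass through."""
    masked = dict(record)
    for field, category in profile_record(record).items():
        masked[field] = MASKERS[category](secret, record[field])
    return masked


if __name__ == "__main__":
    # Constructed sample record; all values are fictitious.
    sample = {"id": 7, "name": "Ada Example", "ssn": "123-45-6789",
              "card": "4111111111111111", "email": "ada@example.org",
              "dob": "1985-03-14", "city": "Oakland"}
    print(profile_record(sample))
    print(mask_record(sample))
```

Running the script prints the four fields the profiler flagged and the masked record; `id`, `name` and `city` pass through unchanged, the card keeps its BIN and still passes a Luhn check, and running it twice yields identical output, which is what lets a masked customer table still join to a masked orders table.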
The Real Costs of Noncompliance: Fines, Lawsuits, Consumer Distrust
While CCPA suits against companies such as TikTok, Salesforce, and Zoom are still in their infancy, businesses cannot afford to wait for those results to determine their compliance initiatives. According to Dominique Shelton Leipzig, partner and co-chair of ad tech privacy and data management at Perkins Coie, more are coming—and the California attorney general’s office has indicated that it will “aggressively” pursue enforcement.
“In California, we have a culture of privacy class actions,” Shelton Leipzig says. “It’s a highly litigious state, so it’s not going to be like GDPR where people are waiting for regulators to enforce in different jurisdictions.”
Beyond lawsuits, companies that fail to comply with privacy regulations, including the CPRA and CCPA, could also jeopardize customer relationships. While the pandemic has forced more people online than ever before, customers are increasingly sensitive to how their data is being used. One survey found 65% of consumers consider a company’s data-sharing policies when deciding whether to do business with that company.
Businesses that fail to protect personal data may begin losing customers—along with the revenue and data insights they bring. With programmable data infrastructure, companies can automate a range of complex data operations, including compliance with privacy regulations, ultimately embracing and securing data in a way that supports innovation and growth in a world where every company is becoming a data company.
Read more stories about data-driven innovation in the 2020 issue of Data Company Magazine.