Data Compliance

The Cost of CCPA Noncompliance Is Steeper Than You Think

Implement solutions like data masking to secure your data today and protect your company well into the future.

Matthew Yeh

Jan 28, 2020

The new year is upon us, and with it, the strongest consumer data protection law in the U.S.: the California Consumer Privacy Act (CCPA).

For months, survey data has shown that few U.S. businesses are ready to comply with CCPA. Now, a month into 2020, not much has changed—meaning, if the January 1 deadline snuck up on you, you’re far from alone. For many, the costs and resources associated with becoming CCPA compliant is a major hurdle. Others, thanks in part to a legacy of spotty GDPR enforcement, don’t see the value. After all, if Facebook isn’t making changes, what’s the rush?

Procrastination may be the popular approach to this new piece of legislation, but the fact is that the consequences will only snowball the longer companies wait. As of January 1, individuals can bring suit for an alleged violation of the law, meaning the companies impacted by CCPA—any firm with gross annual revenues over $25 million and handles personal information for 50,000+ consumers in California—are already exposed to litigation. Enforcement begins on July 1.

The cost of noncompliance extends far beyond hefty legal fines, and could result in damage to a company’s reputation. Moreover, since CCPA signals the beginning of more data security regulation across the U.S., failing to invest in a data strategy now—even for those organizations not immediately affected—means jeopardizing the long-term health of your business.

Non-Production Environments: Taming the Beast

Most companies that collect sensitive data, like birth dates, credit card information or even social security numbers, already have proper security measures in place when it comes to highly-visible production environments.

It’s the data living in non-production environments that is so vulnerable. Non-production environments are for development and testing, using copies of real customer and company data. These environments are numerous—for every production instance of an application, there are at least 10 copies of a non-production environment—and they have many users. What’s more, non-production data is sometimes moved across different systems, whether on-premises or to the cloud, introducing further security risks.

In 2016, for example, hackers infiltrated Uber’s third-party cloud servers, where the company stored sensitive consumer data for use in non-production environments. The hackers’ entry point was an access key posted by an Uber engineer to a code-sharing website. With it, they downloaded unencrypted files containing personal data of millions of Uber customers.

CCPA, GDPR, and the like are designed to protect consumers from instances like the Uber hack. But playing catchup with new legislation is ultimately more costly and leads to more instances of non-compliance.

Instead, since data collection is a constant reality for most businesses, data protection should be a standard practice. Whether it’s customized or based on existing regulations, companies can take a policy-driven approach to dictate which data is sensitive and how to protect it. This is critical, since CCPA is almost certainly the tip of the regulatory iceberg in the U.S. More states are sure to follow with their own legislation, and regulation at the federal level may not be far behind.

“This [CCPA] isn’t a one and done,” Jennifer Rathburn, a compliance expert and partner at the law firm Foley & Lardner, told WIRED. “This is an evolving area that’s pretty new to the US. In sum, privacy is here to stay.”

The Real Costs of Noncompliance: Lawsuits, Fines, Consumer Distrust

At the time of this writing, CCPA suits are still in their infancy. But according to Dominique Shelton Leipzig, partner, and co-chair of ad tech privacy & data management at Perkins Coie, they’re coming—particularly once the Attorney General’s office is able to begin litigating in July. The office has indicated that it will “aggressively” pursue enforcement.

“In California, we have a culture of privacy class actions,” she says. “It’s a highly litigious state, so it’s not going to be like GDPR where people are waiting for regulators to enforce in different jurisdiction.”

Beyond lawsuits, companies that fail to comply with CCPA regulations could also jeopardize customer relationships. Already, in the wake of GDPR and the growing number of reported data breaches, consumers are more aware of their rights. They also have higher expectations for  companies when it comes to data privacy. One survey found 65 percent of consumers consider a company’s data-sharing policies when deciding whether to do business with that company. Businesses that fail to protect personal data may begin losing consumers—along with the revenue and data insights they bring.

Think of the fall-out from the 2017 Equifax breach: The company still hasn’t fully recovered. In addition to the millions it owes after a massive settlement last year, Equifax is struggling to get back in the good graces of its customers. Its ratings outlook has suffered and sales have stagnated.

Take a Policy-Driven Approach to Compliance

Achieving compliance is no small undertaking, involving the entire business to collaborate, implementing policies, technologies, and human practices for the secure management of personal data. While no single technology will entirely satisfy the requirements of CCPA and other regulations, integrating a data masking solution is one way to implement a policy-driven approach—and here is where Delphix can play a pivotal role.

Data masking, simply, ensures the privacy and security of sensitive data—without impacting the information’s integrity or usefulness. This is a valuable tool when it comes to securing data across disparate non-production environments. If businesses were to manually remove this sensitive data from non-production environments, they might spend an average $1 million just to secure just 15-20 applications. With data masking, the data is protected without impacting the application behavior. Delphix is simple enough to allow business users to create enterprise-level masking policies for CCPA that define what data should be masked, where, and how. Users can then consistently deploy those policies across different data sources and locations (e.g. on premises and in the cloud).

Finally, masking data not only neutralizes the risk of a breach in these environments, but it also eases the burden of complying with several key CCPA provisions, including the “right to deletion.” The key, therefore, to maintaining compliance with CCPA and other emerging regulatory legislation is to think beyond it. Rather than tackle the problem and piecemeal with compliance or security strategies, address all possible issues with a holistic data strategy. By leveraging tools like data masking and enlisting partners like Delphix, companies can take full control of their data to seamlessly respond to new regulation and more—leaving room to focus on innovation and growth.