CTO’s Practical Guide to Comply With CPRA Cybersecurity Requirements

Read this guide by a tech DPO to see how you can get your cybersecurity practices up to speed to comply with the incoming CPRA data privacy legislation.

If you’re not a privacy geek you may not have noticed that California recently voted to change its two letters in the name of its privacy law: from CCPA to CPRA. But that’s not all. The change in the name comes with an amendment that places more pressure on businesses operating in California to take consumer data protection more seriously.

Under the CCPA - Cybersecurity measures in California had to be applied to a specific set of sensitive data: social security numbers, drivers’ license numbers, other government identifiers, and medical, biometric, and other information.

Under the incoming CPRA - Businesses will be obliged to implement reasonable cybersecurity measures with respect to any information that is linkable to an individual or a household.

The amendment comes into effect on January 1, 2023.

While that may seem like plenty of time, understanding the legal stuff and getting to grips with what you need to do is no simple feat.

The law is not exactly clear on what the regulator wants you to implement. This means you’ll have to assess your risks and plan accordingly.

Warning: Legalese ahead; user discretion advised.

The CPRA includes an amendment to Section 1798.100 of the California Civil Code. According to the new subsection e:

A business that collects a consumer's personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.

In turn, Section 1798.81.5 of the California Civil Code, subsection (b) reiterates:

A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Irritatingly, there are no definite requirements for security measures, such as encryption strength or a number of fallback systems. The security measures mandated depend wholly on the nature of the personal information processed.

The US is not alone in this. The same approach is taken by Art. 32 of the European GDPR.

The approach is called “risk-based”. To leave a perfect paper trail and prove their good-faith compliance, organizations typically conduct the risk assessment in several stages:

1. Listing possible threats which may lead to:

• Illegitimate access to data

• Unwanted modifications of data

• Data disappearance

2. For each threat, assessment of:

• Seriousness

• Likelihood

(on a scale: negligible, limited, important, and maximum)

3. Deciding to implement controls to address the risks taking into account:

• Current “state of the art”

• Cost of implementation

Such a risk-based approach is a trade-off: it creates uncertainty as to what shall be implemented. At the same time, it allows for flexibility, letting you decide for yourself what the most efficient way to address your particular situation is.

You should also take notice of the industry requirements applicable to you. For example, you may be required to encrypt your data under PCI-DSS. Ignoring these requirements can get you in trouble with your banks. The courts are also likely to be skeptical of your attempts to ensure compliance if you fail to implement security measures that are common for your field of work.

“All of this is pretty confusing,” Yeah — tell me about it. So let’s take a look at how you can make your first steps to being compliant.

So there are generally two approaches to getting compliant. The first one applies across the board for any type of compliance: trust your gut feeling and implement the security measures you feel are appropriate.

Pros: Quick.

Cons: Easy to overlook or forget things; hard to defend in court.

Alternatively, you can take a more balanced approach and rely on frameworks and standardized practices. A great example is the NIST privacy framework developed under the guidance of the US Department of Commerce.

Pros: Holistic approach to managing your risk profile; evidence of good-faith attempt to consider risks.

Cons: More time-consuming.

Make your own mind up, but for me: the speed of the former approach does not outweigh the risk of making mistakes and simply forgetting stuff. Creating a sustainable business means following a certain set of procedures. This makes following established frameworks for assessing the cybersecurity measures you need the viable option.

To do so, follow the three i’s:

• Identify your data

• Identify your risks and responses to them

• Implement security controls to address them

In order to adequately assess your risks, you obviously need to start by identifying the data you process. Since the CPRA extends the obligation to safeguard data to any personal information linkable to an individual, the scope of what is personal data is much larger than you would normally think.

The short cheat sheet below can be helpful in creating your data inventory:

ID.IM-P1: Systems/products/services that process data are inventoried.

ID.IM-P3: Categories of individuals (e.g. customers, employees, or prospective employees, consumers) whose data are being processed are inventoried.

ID.IM-P5: The purposes for the data actions are inventoried.

ID.IM-P6: Data elements within the data actions are inventoried.

ID.IM-P7: The data processing environment is identified (e.g. geographic location, internal, cloud, third parties).

While this cheat sheet is the requirements under the NIST Framework trimmed down to the very bone, it is a great guide to help you choose which section to apply and which to ignore. The above is a bare minimum that produces useful output.

Identifying your data is easy for startups before they launch as there is practically no data stored and it mostly stays in place.

However, once your operations commence, catching and identifying data can be a challenge. In accordance with a survey that we conducted, data discovery and classification is a challenge for 91% of CTOs.

Once you have completed your data map, it is time to assess your risks. There are no formal requirements on how the risks should be identified, so you are free to choose the format that is most appropriate for you and your business.

To do so, respond to each to the following questions:

• What could be the main impacts on the consumers if the risk were to occur?

• What are the main threats that could lead to the risk?

• What are the risk sources?

• How do you estimate the risk severity (negligible/limited/significant/maximum)?

• How do you estimate the likelihood of the risk (negligible/limited/significant/maximum)?

The risks identified elicit responses in the form of controls aimed at reducing the risk in question. While we will talk about specific technical controls in the next section, for the moment try to think of effective measures which could reduce the risk severity and/or likelihood.

The results of your efforts can be categorized and documented as per the classification below:

ID.RA-3: Threats, both internal and external, are identified and documented.

ID.RA-P4: Problematic data actions, likelihoods, and impacts are used to determine and prioritize risk.

ID.RA-P5: Risk responses are identified, prioritized, and implemented

Finally, cybersecurity measures have to be put in place in accordance with the risk responses identified in the previous step. Here’s another cheat sheet of what should be done as a minimum:

Identity Management, Authentication, and Access Control

PR.AC-P1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized individuals, processes, and devices.

PR.AC-P4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.

PR.AC-P5: Network integrity is protected (e.g. network segregation, network segmentation).

Data Security

PR.DS-P1: Data-at-rest is protected

PR.DS-P2: Data-in-transit is protected.

PR.DS-P4: Adequate capacity to ensure availability is maintained.

PR.DS-P5: Protections against data leaks are implemented.

PR.DS-P7: The development and testing environment(s) are separate from the production environment.

These measures should provide you with a holistic system to address your cybersecurity risk. Doing so in accordance with the NIST classification adds additional peace of mind and a solid paper trail of your compliance.

Please be aware that the above does not represent legal advice on compliance with the law. If you have any questions or doubts, be sure to contact a qualified attorney.

CIS Benchmark

System Hardening: An Easy-to-Understand Overview

Types of system hardening

What is some system hardening standards?