As California cracks down on compliance, companies need to get their security in line to protect their content.
As of July 1, 2020, the state of California can begin fining companies that do business in California and are not CCPA compliant. U.S. companies can no longer treat privacy and security requirements as optional: the goal is no longer just to avoid headlines, but to avoid fines.
While the importance of protecting consumer data is clear, how that obligation trickles down to content is less obvious. Content containing personally identifiable information (PII) often resides further behind the company firewall than the databases that hold the raw data. However, because content wraps that PII in a business context, an attacker who steals it can do more damage to customers and to the organization -- and potentially trigger larger fines.
GDPR vs. CCPA
When the General Data Protection Regulation (GDPR) took effect in 2018, it forced organizations to pay attention to the data of European residents, regardless of where the company is located. The GDPR requires organizations to disclose what personal data they store and how they intend to use it. Google and Marriott are among the companies that European regulators have penalized under the GDPR.
While many U.S. businesses could ignore the GDPR because they do not do business with European residents -- or at least not enough of them to warrant the effort -- the CCPA is different.
The CCPA went into effect Jan. 1, 2020, and shares many of the GDPR's requirements, but there are two significant differences between the two regulations. First, the CCPA requires businesses to notify consumers of their intent to sell their personal information and to give them the opportunity to opt out of that sale. For example, if Facebook may sell a person's data, it must explicitly tell that person so and offer a way to keep the information private. Organizations may not discriminate against consumers who exercise that choice, for instance by charging a different price or restricting the level of service.
Second, CCPA has a broader definition of personal data than GDPR. As the CCPA states, it covers anything that "identifies, relates to, describes, or is capable of being associated with a particular consumer or household." This includes information that a business infers about a customer, such as shopping preferences.
This means the CCPA covers a much broader set of data than the GDPR. However, the effect most companies will feel is the shift in jurisdiction: it is hard to run an online company and not do business in both Europe and California.
One of the key requirements of the CCPA is that businesses must implement and maintain reasonable security to protect personal information, which may live in a CRM system, an ERP system, an e-commerce site or a website's cookies and analytics data. Reasonable security is also the requirement that matters when thinking about how the CCPA affects content and the systems in which the business stores it -- email, shared drives and content management systems. Organizations are unlikely to sell content such as invoices, proposals, presentations and meeting minutes to other businesses; content is bulkier than structured data and is not organized in a way that lets a buyer extract value from it quickly. Note that the statute also gives consumers a private right of action for statutory damages when their nonencrypted and nonredacted personal information is breached as a result of a failure to maintain reasonable security, separate from any fine the state imposes.
Content is data placed into context, and that contextual view is valuable; in many ways, content reflects a business's competitive advantage. That makes content even more important to protect with reasonable security, not less.
Many will argue that reasonable security is in the eye of the beholder. A business can measure the specific controls it has implemented, but deciding how much security is enough for a given type of information depends on the value of that information. The company may have one opinion of what is reasonable, while the state of California may have a different one.
The state of California, as the enforcing entity, could judge reasonable security by comparing an organization with its industry peers, using either the share of budget spent on security or the controls it has implemented. It may also judge it by comparing an organization's security practices against available technology and how long the industry has known about a given class of threat.
For example, if someone steals a company's content by exploiting a weakness announced two days earlier, the company could reasonably argue that patching every system within two days is not a reasonable expectation. If the breach was due to a weakness the business had known about for a year, California could consider the failure to update its infrastructure during that period unreasonable.
Thinking about content
When it comes to content, businesses face two big risks. The first, and more obvious, danger is a system compromise: someone breaks into a system containing customer data, or into the company's entire IT infrastructure, and downloads a massive amount of data and content. The other big risk is an employee leaving customer content -- invoices, proposals, bank statements or any other human-produced document -- on an unencrypted laptop or thumb drive that is then lost or stolen.
To protect content effectively, there are some common security capabilities that businesses need to deploy first:
- Encrypt content in transit and at rest, and keep the keys separate from the stored content. Organizations must not make it easy for attackers to read content they manage to acquire; under the CCPA, the breach provisions that carry statutory damages apply specifically to nonencrypted and nonredacted personal information.
- Do not keep content with PII longer than necessary. Whether it is account statements or resumes, businesses don't want to spend resources protecting content they no longer need, and content that has been deleted cannot be breached.
- Store inactive but important content offline, or at least off the network that production systems and everyday users can reach. If content cannot be accessed on demand, it is that much harder for an attacker who has compromised a live system to reach it.
As businesses review these basic measures, they should notice a trend: all three are standard capabilities of enterprise content management (ECM) systems.
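The retention item above is the one of the three that is easiest to automate and most often neglected. The following is an added example, not code from the article: a small Python retention sweep that assigns each file a category from its top-level folder, compares its age against a per-category retention window, and, in dry-run mode by default, reports which files would be moved to a quarantine folder outside the live content tree. The folder names and retention periods are illustrative assumptions; real windows come from the organization's records-retention schedule and any legal holds.

```python
"""Retention sweep for a content store that holds PII.

Added example, not code from the article. Walks a content root, assigns each
file a category from its top-level folder, and selects files older than that
category's retention window. Dry run by default; apply=True moves expired
files into a quarantine folder outside the live tree for review, offline
archiving or deletion.

The category names and retention periods are illustrative assumptions.
"""
from __future__ import annotations

import shutil
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Illustrative retention windows in days (assumption, not from the article).
RETENTION_DAYS = {
    "invoices": 7 * 365,     # financial records usually carry a long legal hold
    "statements": 365,
    "proposals": 3 * 365,
    "resumes": 180,          # unsuccessful applicants: keep only briefly
}
DEFAULT_DAYS = 365           # anything that lives outside a known category folder


@dataclass(frozen=True)
class Record:
    path: Path
    category: str
    last_modified: datetime


def categorize(relpath: str) -> str:
    """Category is the top-level folder: 'Invoices/2019/acme.pdf' -> 'invoices'."""
    parts = Path(relpath).parts
    return parts[0].lower() if len(parts) > 1 else "uncategorised"


def is_expired(rec: Record, now: datetime, policy: dict[str, int] = RETENTION_DAYS) -> bool:
    """True when the file's last modification is older than its category's window."""
    days = policy.get(rec.category, DEFAULT_DAYS)
    return rec.last_modified < now - timedelta(days=days)


def select_expired(records, now: datetime, policy: dict[str, int] = RETENTION_DAYS) -> list[Record]:
    """Filter a list of Records down to those past their retention window."""
    return [r for r in records if is_expired(r, now, policy)]


def scan(root: Path) -> list[Record]:
    """Build a Record for every regular file below root, using the filesystem mtime."""
    records = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
        records.append(Record(p, categorize(rel), mtime))
    return records


def sweep(root: Path, quarantine: Path, now: datetime | None = None, apply: bool = False) -> list[Path]:
    """Report (and with apply=True, quarantine) expired files; returns their original paths."""
    now = now or datetime.now(timezone.utc)
    expired = select_expired(scan(root), now)
    for rec in expired:
        age_days = (now - rec.last_modified).days
        print(f"{'MOVE' if apply else 'DRY-RUN'} {rec.path} ({rec.category}, {age_days} days old)")
        if apply:
            dest = quarantine / rec.path.relative_to(root)
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(rec.path), str(dest))  # keep the relative layout for review
    return [r.path for r in expired]


if __name__ == "__main__":
    import sys
    content_root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("content")
    sweep(content_root, content_root.parent / "quarantine", apply="--apply" in sys.argv)
```

Run it as a dry run first and review the report; only then rerun with --apply. Quarantining rather than deleting outright gives the retention owner a chance to catch a file that is still under legal hold, and the quarantine folder itself should be the offline or restricted store the third item above describes, not another share on the production network.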
Software is not the answer
Simply installing an ECM system will not yield a secure content ecosystem. If there is one thing all ECM experts agree on, it is that installing an ECM system by itself accomplishes nothing except consuming resources. People need to use the system to manage content -- and want to use it -- even after the security controls needed to meet the CCPA are in place. An ECM system so locked down that people route around it is a waste of resources, and the content they route around it with ends up back in email and on unmanaged drives.
The ECM system does not need to be complicated. Setting up a secure desktop sync of content is an important first step for ease of use and adoption. Rather than simply rolling it out, companies need to work with each group that will use the software first, helping users organize their content and set up a basic storage structure so the system does not become disorganized. Depending on the system, that structure may include a basic taxonomy, content types, standard metadata or a combination of these.
If a business implements its ECM system correctly, its largest remaining challenge will be securing mobile devices and laptops. This is especially difficult when employees own the devices rather than the company managing and owning them. Encrypting and securing those devices is important to prevent content loss, and the organization may want to limit the types of content people can sync to their devices to reduce that risk.
And above all else, businesses must train employees in secure content handling. The rules of secure content handling are universal; the depth of training depends on the industry. Basic practices include not leaving information unattended, recognizing phishing emails, deleting information the business no longer needs and securing devices. Organizations must train employees on the risks and what to watch for, without relying on technology to save them.