

Achieving backup compliance among CCPA and other regulations

The recently enacted CCPA is just one of many current and potential regulations that backup administrators need to understand. Here are a few guidelines for staying compliant.

Organizations should be concerned with ensuring regulatory backup compliance. The first step is to determine which regulations -- such as the landmark California Consumer Privacy Act -- actually apply.

The California Consumer Privacy Act (CCPA) went into effect on Jan. 1, 2020. The CCPA is a state-level regulation, so it does not supersede other regulations but instead augments them. This means that in addition to CCPA, an organization might also be subject to federal data privacy regulations such as HIPAA and international regulations such as GDPR.

CCPA applies to any for-profit entity doing business in California that collects, sells or shares consumers' personal data and meets any of the following three criteria:

  • has annual gross revenues in excess of $25 million;
  • possesses the personal information of 50,000 or more consumers, households or devices; or
  • earns more than half of its annual revenue from selling consumers' personal information.

CCPA is aimed at protecting consumer privacy. It has many similarities to GDPR in that it establishes guidelines for the collection and selling of customer data. Organizations that are required to comply with CCPA should begin the process by focusing on their core business processes and on making any necessary changes to line-of-business applications in order to ensure regulatory compliance. Organizations must also consider how CCPA and other regulations affect backup processes.

Rethinking the way to handle backups

CCPA has vague guidelines regarding archive and backup compliance. It simply states that "if a business stores any personal information on archived or backup systems, it may delay compliance with the consumer's request to delete, with respect to data stored on the archived or backup system, until the archived or backup system relating to that data is restored to an active system or next accessed or used for a sale, disclosure, or commercial purpose."

CCPA compliance chart

The phrase "accessed or used" is open to interpretation. Regardless of how organizations ultimately interpret it, they must develop a method for purging specific records from their backup and archive systems. Otherwise, restoring a backup could end up undoing a record deletion request.

Suppose, for example, that a CCPA-covered company receives a request to delete data related to a particular consumer. The company complies with the request and removes the consumer's data from its databases. Soon after, the company suffers a data loss event and must restore a backup. If the backup was created prior to the deletion of that consumer's record, then that record is restored, thereby resulting in a CCPA violation. Organizations that are subject to CCPA must, therefore, come up with a way of handling these sorts of situations to achieve backup compliance.
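One way to keep a restore from silently undoing fulfilled deletion requests is to record each fulfilled request as a tombstone in a ledger stored outside the backup set, and to replay that ledger against the restored data before the system goes back into service. The following is an added illustration of that approach, not code from the article; the record layout, field names and sample consumer IDs are constructed for the example.

```python
"""Replay fulfilled deletion requests after a backup restore.

Added illustration for the scenario described above: a consumer's record is
purged from the live system, an older backup is later restored, and the record
would reappear. A deletion ledger (one tombstone per fulfilled request), kept
outside the backup set so it is never rolled back with the data, is replayed
against the restored dataset. Dataset shape, field names and sample values are
constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Tombstone:
    """One fulfilled deletion request."""
    consumer_id: str
    fulfilled_at: datetime  # when the live system actually purged the record


def tombstones_at_risk(ledger: List[Tombstone], backup_taken_at: datetime) -> List[Tombstone]:
    """Deletions fulfilled after the backup was taken. The backup still holds
    those records, so they must be purged again after any restore from it."""
    return [t for t in ledger if t.fulfilled_at > backup_taken_at]


def replay_tombstones(
    restored: Dict[str, dict], ledger: List[Tombstone], backup_taken_at: datetime
) -> Tuple[Dict[str, dict], List[str], List[str]]:
    """Remove every ledgered consumer from the restored dataset.

    Returns (cleaned, purged, anomalies):
      purged    - ids removed because the deletion postdated the backup (expected)
      anomalies - ids that were present although the deletion predated the
                  backup, which means the original purge never reached the
                  source this backup was taken from and deserves investigation
    """
    cleaned = dict(restored)
    purged: List[str] = []
    anomalies: List[str] = []
    for t in ledger:
        if t.consumer_id not in cleaned:
            continue
        del cleaned[t.consumer_id]
        if t.fulfilled_at > backup_taken_at:
            purged.append(t.consumer_id)
        else:
            anomalies.append(t.consumer_id)
    return cleaned, purged, anomalies


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data: the backup predates one deletion and postdates another.
BACKUP_TAKEN_AT = _utc(2020, 3, 1)

RESTORED = {  # consumer_id -> record, as it comes back from the backup
    "c-1001": {"email": "a@example.com"},
    "c-1002": {"email": "b@example.com"},
    "c-1003": {"email": "c@example.com"},
    "c-1004": {"email": "d@example.com"},
}

LEDGER = [
    Tombstone("c-1002", _utc(2020, 3, 5)),   # deleted after the backup: expected to reappear
    Tombstone("c-1003", _utc(2020, 2, 10)),  # deleted before the backup: should not be present
    Tombstone("c-9999", _utc(2020, 3, 6)),   # never part of this dataset
]


def run_example() -> Tuple[Dict[str, dict], List[str], List[str]]:
    return replay_tombstones(RESTORED, LEDGER, BACKUP_TAKEN_AT)


if __name__ == "__main__":
    at_risk = tombstones_at_risk(LEDGER, BACKUP_TAKEN_AT)
    print("records the backup may still contain:", [t.consumer_id for t in at_risk])
    cleaned, purged, anomalies = run_example()
    print("purged after restore:", purged)
    print("anomalies to investigate:", anomalies)
    print("records remaining:", sorted(cleaned))
```

The ledger and the dataset must not share a backup set, otherwise a restore rolls back the tombstones along with the records they are meant to purge. The list of purged IDs is the evidence that the deletion requests were honored across the restore, and the anomaly list catches deletions that were fulfilled on paper but never reached the system the backup was taken from.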

CCPA's requirement that covered entities remove consumer data from backup and archive systems will force companies to rethink the way they handle backups. In the days of tape backup, compliance with this requirement would have been relatively easy because tapes are periodically overwritten. However, the use of disk and cloud backup complicates CCPA backup compliance. Application and backup vendors will most likely need to develop better compliance products than those that currently exist.

Although CCPA is a state regulation, it will likely only be a matter of time before other states begin adopting similar regulations. Even companies not subject to CCPA should start thinking about how they would comply with a similar regulation.
