California’s CCPA an opportunity for security industry to do better

The California Consumer Privacy Act (CCPA) and a related internet of things (IoT) privacy law, SB-327, formally came into effect on 1 January 2020 in a landmark move that will strengthen cyber security protections for Californians and paves the way for more US states to adopt similar laws of their own.

Although similar in intent to the European Union’s (EU’s) General Data Protection Regulations (GDPR), CCPA contains a number of differences – set out in more detail here – and is somewhat less stringent in its scope, with some describing it as a “light” version of the European laws.

Paul Palmer, director of business development at F-Secure, said that while both CCPA and SB-327 were a positive step forward, people were still playing catch-up when it came to securing both user data and the many millions of connected home devices already sold – many of which were likely received as Christmas presents.

The advent of CCPA and SB-327 are therefore an opportunity for the cyber security industry to go one better, he suggested, with implications for users around the world.

“Clearly, internet service providers [ISPs] are in a better position to help secure consumers’ home networks and identities than regulators, especially considering that SB-327 sets minimal standards and deals exclusively with new devices for sale in California,” said Palmer.

“Many of our more than 200 operator partners worldwide are recognising that they’re going to be tasked with securing all of the so-called ‘smart’ devices that threaten the speed and security of their customers’ internet connections, whether they like it or not,” he said. “This burden is really an opportunity in disguise.”

F-Secure said its honeypot network of decoy traps now saw cyber attacks targeting unsecured IoT devices – most of them descendants of the infamous Mirai malware – than it did attacks targeting PCs or smartphones.

For enterprise users, the key to CCPA compliance will be for security teams to enhance their understanding of the data the organisation holds – particularly where it resides, how it is accessed, and who by, said Arxan’s vice-president of customer experience, Chad McDonald.

“Once your data audit is complete, look to see how sensitive data is being accessed. Organisations typically start at the database and add layers of protection from the datacentre out,” said McDonald.

“Don’t forget to look from the outside in. In today’s world, applications are often the first interaction between a consumer and a business – whether it is an app on a mobile device or a web app inside a browser – apps are everywhere and they are a primary collection point for a consumer’s personal information.

“Take a look at your apps. Understand what information is used or collected inside the app. See how the app interacts with your back-end infrastructure. Does it use APIs [application programming interfaces], user credentials or tokens to access back office systems? How is the app secured? How is the data secured at rest and in transit?”

F-Secure’s Palmer will be discussing data security and consumer privacy in a seminar at the annual CES tech jamboree in Las Vegas on 7 January at 10am local time (6pm GMT).