September 19, 2019

Are You Ready for CCPA?

In effect as of January 1, 2020, the California Consumer Privacy Act (CCPA) is the first regulation of its kind introduced in the United States aimed at protecting consumer data. Businesses that are not fully prepared to comply with this Act face severe financial penalties.

So where do you begin? To effectively protect customer data, you must know where it is and control access to it – in other words, start with identity governance.

Watch SailPoint and Merrick Bank explain:

  • The 5 steps needed to achieve CCPA compliance
  • How CCPA is impacting organizations, such as Merrick Bank, and what they’re doing to prepare
  • How to easily maintain compliance with the vast majority of regulations that exist today

Video Transcript

Shae Mann: Welcome, everyone, and thank you for joining us for today’s webinar: Are You Ready for CCPA? Best Practices for CCPA Compliance.
I’m Shae Mann, and I will be your moderator today.

Joining us today is Lorelei, Assistant Vice President of Information Governance at Merrick Bank. Lorelei is overseeing the development of a bank wide information management plan to include a new privacy program to address state privacy law regulations and the data environments. She has over 20 years experience in information and process management in healthcare and financial sectors. Lorelei is the recipient of the AIM International Corp and Action Leadership Award and as a nominee for the 2019 as seen media reboot top Leadership Award for holistic approach information management and cybersecurity. She is also currently studying for a graduate law degree with the concentration on data privacy and cyber security.

Also joining us today is our own Jackie Brinkerhoff, Senior Director of Product Marketing here at SailPoint. And with that, Jackie. We’ve got a lot to cover today, so I will pass it over to you to get us started.

Jackie Brinkerhoff: Thank you, Shae. It’s great to be here, and thanks to Lorelei for joining us as well. As we get started, let’s take a look at the topics we’ll be addressing today. First we’ll be walking through a review of the CCPA and what it means to you and your business. Then we’ll look into what you need to know to be ready to be compliant with CCPA. And we’ll dive into the five key areas you’ll want to consider as you go on your CCPA journey. And finally, looking forward beyond CCPA, we’ll cover what you should know as this data privacy terrain actually continues to grow. So to start it off, let’s break down CCPA, and some of this might be a little review for you, but we’re going to just get everybody on the same page to start with.

So CCPA stands for California Consumer Privacy Act, and it was adopted last year as the United States’ first major consumer privacy law. And what has really driven these data privacy laws such as CCPA, as well as GDPR, which came online last year, has been the numerous data breaches that have been occurring and the impact that it’s really had on consumers.

In fact, there’s a lot of research out there and one recent research study that was done by the Pew Research Center found that nearly half of Americans believe that their personal information is actually less secure now than it was just five years ago. And those are some pretty staggering numbers there. So CCPA basically just grants California consumers, the right to see their personal information that companies are collecting about them. But also stop it from being sold. And while this law applies only to residents in California, you’re going to see very quickly how this will impact businesses not only just in California, but all across the globe, similar to how GDPR has as well. And especially if you do business online, you’ll certainly be impacted. And so since this law was written in a fairly short amount of time. There are things that are still getting worked out and things may still change after the law goes into effect. And speaking of that, the law is slated to go into effect this January 2020 and enforcement starting July 1, 2020. So as you can see all of this is moving quite rapidly.

So many have been asking the question, if they are GDPR compliant, does that also mean that they’re also covered for CCPA?
And the good news is that if you’re currently adhering to GDPR you’re a lot of the way there. And the big difference with CCPA is that there’s a much more detailed definition of what PII or personally identifiable information is when it comes to the consumer and you’ll have to know what and where that data is. And this also includes information that you may not have been even aware about such as including things like geolocation data. Any kind of biometric type of information, just to name a couple, but also this also could include things as common as Web History. If you’re tracking customer usage, for instance.

So CCPA will enable consumers to just take a more proactive role in monitoring and protecting their personal information, which is a bit different than GDPR, and these consumer rights can be bucketed into some high-level categories, as you can see here. So first of all, businesses will need to inform consumers of their intent to collect personal information. The consumers also have the right to know what personal information a company has collected and where the data came from, how it’s going to be used and who it’s even going to be shared with. And they also have the right to prevent businesses from selling their personal information to third parties, for instance. And consumers can also request businesses to remove their personal information that the business has on them, as well as if that person may or consumer may want to move their data. If so, they may desire to move to another provider, and businesses are prohibited from charging consumers different prices or refusing services, for instance, if the consumer exercises their privacy rights.

And as I mentioned earlier, and even if your organization or business isn’t located in the Golden State of California, you may still be on the hook to comply. So some questions to ask yourself, would be: “Does my business have customers or potential customers in California?” And if you answer yes to that question and you meet one of the following criteria, your company must conform to CCPA.

So that criteria includes: Do you have an annual gross revenue of more than $25 million, or does your organization receive, share or sell personal information of more than 50,000 individuals? And consider if your company earns 50% or more of the annual revenue from selling personal information of consumers.

And what’s staggering is the number of companies that are, or perhaps I should say are not, currently compliant with CCPA, and this may include yourself. So according to a recent research report, it appears that just 14% of companies say their business is CCPA compliant, 16% have not even started the process and the remaining 72%, they’re just in various stages of progress right now.

So what’s creating the holdup? Well some report that they’re waiting to see how the regulation will be enforced. Some don’t think their organization is large enough to face fines and for some, the law is so new to them that they’re not really even sure of the requirements and then you just don’t think the law will just even apply. But the most common challenge that is being faced is the costs involved in becoming compliant and according to an article in Martech Today, more than 70% of the respondents expect to spend more than $100,000 on CCPA related compliance expenses this year, and nearly 20% plan to spend more than a million dollars.

So, however, if you consider the fines and penalties if found to be in violation. You may see these investments to just be a drop in the bucket and certainly worthwhile.

You see, you don’t have to have a breach to be out of compliance. You only have to be violating the customer’s privacy and then they can file a lawsuit. And then you could be charged $750 per violation. It doesn’t sound like a lot, but this means that you’re not only dealing with potentially state prosecutors, but now, regular lawyers who appear to be seeing big dollar signs. Now, and a new if I could quote — air quote — that business opportunity for them since anyone like any consumer can sue.

And so, Lorelei. I know we were talking a little bit about this the other day and it seems that the cost of becoming compliant can actually result with some sticker shock for some people but what is your take when it comes to weighing out the cost of being compliant or getting compliant versus, perhaps just taking the risk and paying the fine if you’re found to be out of compliance.

Lorelei: I think it’s not a matter of whether you’re compliant. It’s bigger than that. If you are not compliant that also opens you up to breach laws which exist in all 50 states. Those violations, the private right of action on top of that. So you put all of that together. It’s bigger than CCPA. CCPA is one piece of that. But you would still be opening yourself up to breaches and private right to sue.

Yeah, and those costs can kind of spiral way out of control. And I think there’s a lot of other costs involved too. We’ve seen with breaches, such as customer loyalty and brand recognition. And so it just kind of starts creating a big laundry list of costs. So in addition to your reputation as a company, it would affect your reputation in that your company is then saying, perhaps it would be perceived that a consumer’s private right to their data and the direction of their data is not considered valid to that company. So it’s also an excellent opportunity, a marketing opportunity, to say that yes, in fact we are concerned about the privacy of an individual’s data. We do realize that inherent right and as a result we are protecting your data. And one way that we are protecting that and adhering and acknowledging that right is that we are compliant with the CCPA.

Jackie Brinkerhoff: Yeah, I like that because it’s opening up a new opportunity for organizations to be able to have a conversation with their consumers and demonstrate that. And I think more and more consumers as they’re taking on more of their, their rights of their personal information, they’re probably going to start looking towards companies that honor that and work with them on that. So I think it’s a great opener and a great opportunity for organizations to start moving down.

Lorelei: And I think that works well with what you had said previously, Jackie, that consumers have more distrust of companies and protecting their information. So if companies are adhering to these laws and that means, in fact, that you were acknowledging that she would right to privacy. That will instill that trust that right now is decreasing.

Jackie Brinkerhoff: Yeah, definitely. Thank you. Thank you for that. So how are organizations taking on compliance with CCPA and how they’ve been doing it with GDPR and all these others?

Well, there’s a lot of different various points of entry and ways to approach it. However, as you look at it, it really comes down to the data. Knowing where the sensitive data is and knowing who has access to it. Should they have access to it? And how would they have gained access to it? And the way to accomplish this is through implementing a comprehensive identity governance program, and we like to consider this the strategic linchpin, if you will, to ensuring compliance because it really allows organizations to manage the link between their entire user population and the applications that they use. And the systems and also the data that may be floating around in file storage for instance.

So without further ado, let’s go ahead and dive in and really get into the five steps that we see for achieving compliance here.

So starting with step one. This really is about uncovering where your sensitive data resides. So if you think about it, you can’t protect what you don’t know that you have. So in other words, data that’s floating around in your organization is currently a huge blind spot and can create a big security and compliance gap if not addressed. And what’s interesting is that much of a company’s data may be in managed and protected systems. But more importantly, what we’re seeing is workers are creating reports and presentations and they’re extracting and exporting data from these protective structures system and the sensitive information is then getting put into things like, you know, reports, presentations, Excel spreadsheets, PDFs… you name it. And they’re stored in collaboration portal, such as SharePoint and cloud storage like Box and Microsoft OneDrive. And so there’s, it’s kind of like you’ve taken information from a protected system. And I call it feathers in the wind. Because once you start distributing it through email and such. And there, everyone saving a version of this. These files that may have sensitive information in these different locations. It is kind of like feathers in the wind. It’s like, where did it go, and they keep getting distributed and such.

And so this is why it’s become such a big blind spot for people. In fact, Gartner actually had a report, and they said upwards of 80% of enterprise data is actually now comprised of this unstructured format in the form of PDFs and Word documents and such. So Lorelei, I know that you and Merrick Bank have been very focused on addressing CCPA. So a good place to start here is asking, “do you know where your sensitive data is?” and “can you share with us how you’ve been going about tackling this first step in identifying sensitive data?”

Lorelei: Well, and I will have to answer that with “absolutely not.” We do not know where all of our sensitive data is. And first of all, we have to define what sensitive data means. And how we’re doing that is looking at the privacy laws and then compiling all of those data points. So that could be name, address, telephone number, IP address, geolocation. Any of that type of data, and we don’t know where it all is. And all of it that is located in unstructured file shares is mostly duplicated as well, if not triplicated.

So that’s the first step of all of this. Where is it, what is it, and then where is it, and the only way we can... The only way we can determine where it is, is to first implement an auto classification system. And in conjunction with that we are interviewing business units to then let us know what those business processes are and where that data flows. But the auto classification system will give us a graphic visual that we can then present to the individual business units. And show them where that data is and show them where that sensitive data is moving through their process, and then we can base a business decision on that information, otherwise we would be going backwards. We need to be able to see it, show that to people, and then we can revise our systems accordingly.

The other piece of that which has been interesting for our company is the backup process. So for example, we use backup tapes. And we will keep those stored for a number of years. We are now in the process of creating a retention policy to only keep them one to three months. And the reason for this is they cannot be searched by content. So a backup process just restores that tape to a certain point in time. And that’s everything. And if it’s a legacy system, in some cases, it is impossible. So we’re looking at an archive system. So once you auto classify that data, you find it. You can label it with PCI data, PAN data, CCPA, GLBA, whatever that type of data is. Once it’s classified and we can see it, then we can make a business decision, “shall we move this to an archive system then rather than all in a backup tape?” Once it’s in an archive system, then we can apply retention. And then we can apply disposition or purging.

So, that is the beginning of the beginning stages of this. This is foundational for our company. And in that process, as we gather that information we will then populate an information map that will show all of the applications that we use and for our companies in the hundreds. It will also show all the databases and will show the servers, they reside on. It will show the applications and how they talk to the systems and how that information moves through our processes. But in order to inform that information map and provide that comprehensive graphic display. We have to gather all of this information first.

But I will say this is extremely exciting for us and we’re very enthusiastic about it, because these are foundational processes that not only help us or ensure that we roll up to CCPA and are compliant, but these are things we would want to do anyway for efficiency sake, so that we make good use of our data and we can use our data for insights later and not be storing information that is unnecessary and in doing so that unnecessary information is then exposed to a potential breach that could have been prevented. So just the CCPA initiative alone is providing a fantastic leverage to get our house in order.

Jackie Brinkerhoff: Yeah. It’s kind of like a forcing function for many of us, and so it’s nice to hear that it’s not just for the CCPA efforts, but it’s going to be feeding a lot of all of your other efforts, and I’m glad that you brought up, you know, really getting rid of a lot of the debris, because we are seeing that as well. And it actually segues very nicely into what I was just going to bring up next.

With our step two, it’s really about minimizing the data that is being stored, and especially with the organization starting to migrate file storage to cloud, you know, resources, for instance, like Box or Google Drive and SharePoint. Many organizations I’m seeing are just doing the lift and shift to the cloud without really taking time to know what’s really being included in that migration, and I like to think about it as a storage unit. For instance, I know many people that have storage units and they get them because they don’t have enough room in their own house for it. And they just keep storing away possessions in there. And eventually, it’s like, oh, we want to upgrade to something bigger and better, and they don’t necessarily take the time to understand if what they’re storing is still relevant. So in the case of data, it’s really necessary...

It’s necessary to stop and ask yourself, is it necessary to move everything, especially if there is again old information that may contain sensitive info data that could come back to bite you. So many security experts do advise organizations to lower their risk of data breaches by incorporating the data minimization practice, and this really means instead of saving all the data you gather about consumers, you should identify and remove data that you don’t need for particular business purposes.

So Lorelei this is an important step, and obviously you just brought this up. What are you finding is the best way to start minimizing your exposure here, besides finding where the sensitive data is.

Lorelei: That would be also examining the business processes on “do we need that data?” and what we mean by that, and that’s a tricky question. Because if you were to survey everyone in the company now, they would all say, I would imagine, “I do need it.”

But it’s beyond that. It is, “is there a specific reason a specific business reason for maintaining it?” And then beyond that is all of us and most businesses have some type of regulations… regulatory requirements that we have to adhere to in saving certain types of information retaining it and then disposing of it at a certain period in a certain period of time. Well, beyond that, are you actually disposing it, do you actually need it because retaining it, beyond the regulatory requirement, is a violation.

So that’s the other piece. It’s not just that we would like to have it, but then beyond that, have you disposed of it? And do you have a certificate of destruction? Do you have proof of that? And do you have procedures and documentation showing what you do with the data? And as you mentioned earlier, the problem was that as people are duplicating it, they are triplicating it and saving it in other systems, and again the auto classification will show us where that is.

Then we are developing policies for data minimization. Now data minimization is a big effort of the Federal Trade Commission and they have enforcement actions, all the time and a lot recently just in the last few years, and the millions of dollars… Holding on to data that was not necessary for business and not a regulatory requirement and therefore breaches had happened, and this data had been accessed, so if you are holding on to data that is not required, you are opening yourself up to a pretty scary situation. But the other things that we’re doing is to maintain the retention and disposition schedules. That is a different, that is a very difficult task because you think that it’s one person that has to look across all the departments and provide oversight and then determine what type of disposition methods you’re going to apply to that type of data.

And you mentioned the cloud. We are moving to O365 and in order to accommodate the data minimization principle and policy that we are incorporating. We are bringing in information governance and security as part of that O365 team. We want to be sure that we are instilling best practices for data minimization at the get go. And that means imposing limits on that collection and that retention of consumer data and will we even have consumer data in that system, we’re not sure.

The other piece of that is automation. We want to be sure that whatever processes, we’re putting in place any business decisions we make. Based on our determination of where sensitive data is that if there is not an option for automation now, that we have an eye to automation.

The other piece of this is tools like Canopy, where there are certain features that when people try to save particular types of sensitive data or duplicate data or data that is not considered the single source of truth or system of record, it will prevent people from saving it in that particular file share; a pop-up window will be there explaining why.

So along with training, I think having a tool that provides that feature will be very advantageous because we’re all human and we will automatically try to save it in different areas that make sense in our own personal workflow.

Jackie Brinkerhoff: Of course, because you never know if you’re going to need it, right, so you save it off. And I think that’s just a human nature. I’m just going to keep this just in case. And then you forget about it.

Lorelei: Exactly… We all do it.

Jackie Brinkerhoff: Yes, we do. And I know that I put things in “safe places” and never can find where that they place the app afterwards. So I completely understand.

So our next step is about identifying who has access and who should have access, which is the aspects of identity governance.

And this includes controlling access to data, regardless of where it’s stored, including applications, as I mentioned earlier, systems and even the file storage platforms, and those platforms could be running either in the cloud, but some are still running on premises as well, such as a NAS device. So Lorelei, I know you guys are also very focused and you have this strong focus on identity governance, and as you’ve been establishing these controls, can you walk us through some of the important aspects that people should consider as they’re going about the same process?

Lorelei: Yes, and reviewing roles per department. We’ve actually had a discussion. Just the other day about this where we will go to the business units and the department heads and ask which roles should have access to these certain systems or these applications. But that’s really just one layer because you as a business unit leader, you will assume that people should have access to all of these different applications and systems, but do they? It’s a great opportunity to evaluate that. Should they have read and write access? Should they have read only? What type of access? And part of that is that whole least privilege concept only have the type of access that is absolutely necessary to perform your job function. So a lot of this is a wonderful opportunity for education and training at all levels.

It has been assumed as that, you know, as a business leader you hire someone, someone comes in on your team and you give them access to these certain systems and these certain applications. But as a business leader, you may not understand least privilege and what that means and why that concept is important. How that rolls up into compliance with the CCPA and also in protection of that data. So that is one of the things we’re working on right now, is training and understanding what least privilege is.

And then in addition to that, of course, without knowing what all of our applications are and all of our systems are, which we don’t, we laugh about it. But there’s a lot of shadow IT where people have, in order to perform their job or they feel it helps them increase their efficiency, they have acquired applications that IT may not know about, or you may have parent companies or sister companies where you’re sharing certain applications and systems.

And who has access to that and why? And do we have logs showing that access? And do we know how to terminate that access when someone leaves the company or someone leaves the team? What does that mean, and then how do we determine who has current access? Do we do a quarterly access review, which is one of the steps that we are in the process of creating. We use SailPoint’s File Access Manager Tool to enable us to produce a quarterly review report that we will send out to all the business leaders to validate who has access, and then the next step is, what type of access, and then the next step is, should they have that type of access? How do we then evaluate and create types and that map to their role? So again, that is very important. And then implementing a tool so that we can take action on the spot. A lot of these processes, as they’re being faded, are quite manual. But then you want to bring that again into some type of automation and then an identity access tool where we can take action. We can show the department heads. They can log in and see who has access and then quickly approve or reject. I think that, again, is just so important because it involves that integration of that type of tool. Get all of the business involved and it also provides them the level of understanding and training and awareness that they have not had to date. So again, we’re very, very excited about this. We see this as another foundational piece.

Jackie Brinkerhoff: Yeah, I can imagine getting all of the business units and business managers involved in that process also helps you know from a security standpoint to lessen the burden on them because obviously those lines of business managers would have more context, whether it should or shouldn’t have access which strengthens you know your efforts.

Lorelei: Absolutely. And then in addition to that, it is a thing to know who has access, then again in doing forensics. If there is a breach, you can see where that may or may not have happened. It’s an excellent forensic tool.

So again, not only does this enable us to address the CCPA, because who has access to those documents, we’re going to have to aggregate those documents or that type of information at some point in order for customers to invoke their rights to their information, but at the same time, you know, it’s an excellent way for security again to apply forensics, if that occasion arises.

Jackie Brinkerhoff: Yeah, especially with all being automated because everything has been documented as part of the workflow process and so either forensics situation or even if an auditor comes around and wants to see the documentation. It’s nice to have it all, you know, being able to be pulled up as a report so it makes the world go a lot faster. And that way, the one thing that I remember we were talking about as well the other day was the co-mingling. Having a parent company and a lot of data actually being super important, not only for insights and analytics, but just kind of some of the things that you’ve been starting to notice there in that particular use case. Can you touch on that a little bit?

Lorelei: Yes. So yes, with a parent company and sister companies there is, you may not know, that there’s a commingling of data. So information is being transferred back and forth, or they may have access. And this is very important and at the forefront of our discussions in our company today because moving to O365, our parent company had suggested that they have access to the email accounts or they should be able to. Well, we’re not so sure. And if they should, then what are those parameters, and we should all have that documented all the way around so that everyone’s clear who has access to what and for what reason. And I will say that again, this has brought to the forefront that that exact topic is the co-mingling of data, where before we may have thought, okay, do we even need to know? It is important that we know who’s looking at all of that data or not even looking. But who could have access if they made that decision to get access? So again, this is a wonderful opportunity to delineate where that data access begins and ends and why and with whom.

Jackie Brinkerhoff: Excellent. Thank you. I’m going to move us on to our next step and Lorelei, you talked about least privilege and so you know, it’s really about enforcing those controls. And once we’ve reconciled, who should and should not have access, it really does come down to enforcing that least privilege model that’s been implemented. So could you just take us further now, if you don’t mind, into what this looks like at least that your organization and some insights that you can share?

Lorelei: Well, and again, with least privilege enforcing that you would. And I had mentioned that there has to be a way to auto disallow the storage of sensitive data. I think that’s very important because you can train and train and we will, we can all forget. And we may not all be aware and then sometimes we’re a little nervous once we are aware, and we are trained. Can we save it there? Should I have just saved it in this particular location? Did I delete it, and if I deleted it, where did it go? So I think it gives people a level of comfort knowing that there is a tool that will not allow them to save it in that particular file share to begin with but then give them an explanation of why that is so.

Then you have an opportunity for training at the same time and providing that level of comfort. I think that and again in every one of these steps it involves evaluating your business processes because we, you know, we’ve been in business for years, and as we all know, we do what’s familiar and what’s been done over and over again. And without looking at our business processes, we may be opening up vulnerabilities or maintaining vulnerabilities that are not necessary, and we don’t even realize that we have them.

So by looking at that, that gives us an opportunity to then say, shall we change our business model? Do we really need to collect all that information in order to get the end result we’re looking for? Is that necessary? And I think part of this too is, you know, as we mentioned earlier, all of this rolls up into an information management plan and that directly involves IT infrastructure, it involves security and involves information governance. And by looking at all of these avenues, which includes the identity access management tools and providing awareness. But then, what are your list of security tools?

When I first started working here, I thought what are all the security tools that we’re utilizing, and exactly what do they protect, and is this information coming in, is this information going out, and in what form, and do we mean an application? So I think once we know that we can at least make sure everything’s being protected, but then let’s examine the business processes and see where that information is. Can we change that business process? And then in changing that business process, if we do need to save it. If we do need to store it, if it is being transmitted, how can we change that? And how can we produce this and have this happening in a particular environment where security can apply the most protection, rather than all across the board, just in case?

I think putting all of this together provides that comprehensive plan. And I will say it has, it is fun to look at all of this and figure out, hey, we’re working with the business units and pulling in all of these pieces and we draw these huge diagrams and say, “Okay, it’s this. It’s that. You’re doing this. You’re doing that.” Again, it’s awareness and we all come up with these great ideas once we have that training and awareness. And then everyone’s bringing in their tools. “How can we integrate them or will these tools integrate them or do we even need these tools? Do we need other tools and then how can we automate this?” And then in addition to that, that then gives us efficient insight into the data that we do have. How can we use that data to better improve our business or offer a new product line?

Jackie Brinkerhoff: Yeah, that’s, that’s exciting and I don’t know if I’ve ever heard anyone refer to it as fun, but I love that concept. I think it’s great.

Okay, and let’s move into our last step, which is really about, you know, once you get everything established. It’s really about compliance and maintaining compliance and this is an ongoing task. Employees, partners, contractors and suppliers, they all need access to data. They come and go. And it’s important to ensure that the access controls track with them. So, how would you recommend that organizations think about the long term process of getting compliant, but more importantly, staying compliant?

Lorelei: I think in my opinion, the main piece is to have some type of framework for that. And here we have started an information governance framework and an information governance program where inside of that we have roughly, I would say 30 different elements to that program. So as a result, we are starting a privacy program in January. And another avenue of this is looking at tools for automation and that means working with infrastructure. That means working with security and the business unit leaders. We are also forming a digital ethics committee that I am personally very excited about. This will be a committee that will include our parent company as well because as we mentioned earlier about the co-mingling of data, and how does that work and should that be done? In that digital ethics committee, we will include stakeholders from our sister companies and our parent company. And then we can look at the ethics of moving that type of data through those mechanisms or co-mingling them and make those decisions. And as a result, then we will produce policies and procedures to enforce and guide both companies.

The digital ethics committee will bring that awareness about and also it will instill the importance of that data that is private, that is an inherent human right. That to me is very important. And that’s the main overall overarching concern of this entire CCPA initiative. And I think in addition to that, the data flow maps and the system diagram maps. If we can’t see where all of that is, and we can’t see it in near real time, then it will quickly get out of control. And so what we’re going to do here inside the privacy program, we will have someone that that will be their job.

They are going to be looking at the data flow maps, they’re going to be looking at the system diagram maps, we will have a couple tools that will inform those that will scan the systems, that will show where the applications are talking to the systems, and to the databases and servers. How is it moving around? So we will work very closely all together with IT and security in enforcing the policies and procedures. What has worked very well here too is when we develop the policies and the procedures, we will involve infrastructure leadership as well as the security team leadership, and all of us will come together and inform those policies and procedures. Getting that perspective brings a very comprehensive understanding and a policy that works for everyone.

And again, that brings that training and that awareness across all teams and then everyone feels they have an interest in protecting that information, and I think, looking at all of this, when I look at this across the board, I think of, you know, it used to be where companies, when they acquired people’s data, they owned it, and we did whatever we wanted with it. We stored it where we wanted. We stored it in duplicate. We stored it in whatever methods we used. But the shift now is away from company ownership, but it is the human ownership of that data and that individual’s right. So now we look at ourselves, we have a cultural shift in our company where we consider ourselves the custodian of that person’s data and being the custodian of it and not the owner of it gives us an additional responsibility to take care of their data.

Jackie Brinkerhoff: Yeah, and I anticipate, we kind of said this earlier, but I anticipate consumers are going to start clueing into that more and more and expecting that businesses do hold some type of responsibility and how do they, you know, how do they demonstrate that to their consumers? So more and more, I see that there is a big shift also happening, so I agree with you on that, and it’ll be interesting to see how, you know, over time, this perception, or just at least the way that consumers value their own data, becomes more important to them. Because I think at this point, it has felt like it’s out of my control. You know, I don’t know where my information is, and it’s just kind of out there in the ether. So you just kind of roll over. But I think more and more we are all going to participate in having some type of responsibility.

So, thank you.

So Lorelei, this was a lot of valuable information. And I think we’ve provided a great deal of information that helps provide a good foundation for not only addressing the CCPA, but also, this could very well be applied to GDPR and the other regulations that have been in place for some time. And as we look forward, CCPA is just beginning. CCPA is the first law of its kind to, you know, come to the US and it really has been starting to be the butter, if you will.

I think we were just speaking earlier today, Lorelei, and you were mentioning that data is coming online and there’s all these other states that are starting to model after CCPA. I don’t know if you want to do a quick plug for what you learned about in Nevada today.

Lorelei: Yes, Nevada’s bill SB220 was active on May 29 and goes into effect October 1 of this year. It’s more narrowly focused than CCPA, but it’s there. And although they don’t have a private right of action, they do have a $5,000 penalty per violation, so it is important to review these privacy laws.

Jackie Brinkerhoff: Yeah, I know, Vermont, Colorado, Texas, New York, Washington… I mean, there’s a lot of pending states out there that are just coming on the heels and I was talking to Lorelei and I didn’t even know that it was so close. And here you know, I think CCPA has been getting all of the spotlight, but you know, again, there’s a lot of other states coming online. And interestingly enough, Congress is also weighing a number of privacy proposals on the national level. So it’ll be interesting to see what happens on that particular level as well.

So becoming compliant with CCPA is going to give you a head start when it comes to addressing these regulations. And by leveraging an identity governance program, we’re really seeing organizations are able to really take on these data privacy efforts, and you can kind of think of it as the foundational piece and that common denominator that really just helps you cover a lot of the things that we talked about today, which is, you know, identifying where the data is stored across the organization and assessing the risk of improper access, and strengthening your access control, and being able to automatically perform audits and access monitoring and creating those detailed reports that are going to prove your compliance, whether it’s CCPA or GDPR.

And there’s a big alphabet soup out there of all the different compliance regulations, but fundamentally, it just comes down to, you know, covering those main points that we talked about today. And by following, you know, best practices and standards, you’ll be moving towards compliance and also showing that you’ve chosen particular controls to protect this consumer data. That’s definitely going to put you on the right track. And as you do this, you’ll be able to move from a world of what felt like chaos, honestly, to a state of compliance. In fact, we’d like to think of making compliance a state of being, as opposed to an activity that you have to do every six months or so. And the bottom line, as you know, more and more consumers are going to want to do business with companies that protect their data privacy. You can also use that to start helping market your dedication to customers and their privacy. And that, in turn, will come back and help boost sales and potentially not only sales, but definitely customer loyalty.
