CCPA and email security: Three things you need to know

by Rebecca Bailey
Published on 14th Nov 2019

The California Consumer Privacy Act (CCPA) is an expansive data privacy regulation that significantly enhances consumers’ rights. Based on the principles of control, transparency, and accountability, under CCPA consumers have increased rights to know what information is being collected about them, and how this information will be used and shared. They will also be granted the “right to be forgotten” (i.e. organisations must delete all information about them), as well as greater control over who has access to their data.

CCPA also makes it easier for consumers to take legal action and sue a company if their personal data is exposed in a breach.

CCPA and email security

The deadline for CCPA compliance is fast approaching. The California Attorney General (CaAG) must publish the finalised regulation by January 1st, 2020, and will need to begin enforcement within six months of this date (by July 1st at the latest). Although some organisations believe this may offer “breathing space” for their compliance preparations against a hard deadline of January 1st, the reality that we saw from GDPR is that companies cannot be too prepared for these types of laws. Compliance can become a costly and time-consuming activity, so it's beneficial to prepare early and rigorously.

CCPA will impact organisations’ email security, as it opens them up to fines and legal action should consumers’ data be exposed in a breach. Email remains the most ubiquitous communication tool across all organisations. It’s unusual for an employee not to have access to email – and, as it’s a quick and easy way to share information, it often becomes the default mechanism for many people. As a result, email is frequently used to transfer sensitive personal information (PI), opening organisations up to non-compliance with CCPA and the consequences of this.

Written into the law, the maximum penalty the CaAG can issue under CCPA is $7,500 per intentional violation. This sum can be levied per individual whose data is affected by a breach – so the costs can quickly add up for breaches that include multiple people’s data. The penalty for non-intentional violations is a maximum of $2,500 – but, again, it doesn’t take many data records to be breached in one incident before the effect of this is felt.

CPPA also makes provisions for consumers to bring lawsuits against companies that expose their unencrypted or unredacted PI, regardless of the harm done. Under CCPA, consumers can be awarded between $100-$750 per incident (although if damages are higher, they may be awarded more).

We also know that on top of these potential costs, data breaches can continue to bite for years after the incident has occurred. According to Ponemon and IBM’s 2019 Cost of a Data Breach report, the US is the most expensive country to have a data breach in – with each incident costing an average of $8.19m. As well as in the financial outlay mentioned above, these costs come from a combination of immediate remediation efforts, plus more lasting effects such as damaged reputation and customer churn. And if the law is enforced as set out today, it’s likely that CCPA will only increase the average cost of a breach even further.

Three things you should know

When it comes to CCPA-compliant email security, there are three key areas to be aware of.

1. Are you able to prevent data breaches? Email data breaches occur for a variety of reasons but broadly divide into two categories: accidental and intentional.

Accidental email data breaches include incidents such as sending an email to the wrong person, attaching the wrong document to an email, or using the To/Cc field rather than the Bcc field. Intentional breaches are made up of reckless behaviour (i.e. not encrypting sensitive information because an email security tool is difficult to use) and malicious behaviour (anything from taking customer data to a new job, to leaking data for financial gain or to harm the organisation).

Traditionally, it’s been difficult to detect and prevent such breaches. However, these days, contextual machine learning can provide content inspection, and sender and recipient analysis to determine whether emails are being sent to the correct people in a compliant way. This technology can consequently be used to spot when someone is behaving in an unusual / non-compliant manner (whether that’s accidentally or intentionally), and provide a safety net to prevent breaches by alerting users and admins to this.

2. Are you able to protect data? As we’ve seen, under CCPA consumers can take legal action if their sensitive data is exposed in a breach, and the organisation hasn’t taken steps to protect it. Email encryption tools are of paramount importance for this. However, you also have to ensure these tools are being effectively used. This includes making sure everyone who really needs it has access to an email encryption solution, and that they’re actually using it appropriately.

When a solution is difficult or time-consuming for either senders or recipients to use, they typically cut corners and find alternative mechanisms (such as sending in plain text or using file transfer sites).

To mitigate this and ensure CCPA compliance, it’s important that sensitive PI shared via email is protected to the right level, taking into account the sensitivity of the content and the organisation’s individual appetite to risk. It’s possible to use machine learning to help make this as easy as possible – including automating security. This can cover checking whether TLS is set up correctly and sending via that mechanism when appropriate; making recommendations to senders to use third-party encryption; and enforcing encryption through third-party mechanisms.

Additionally, the third-party solution used must also offer enough functionality to keep both your employees working effectively and PI secure. This includes ensuring large files can be shared in a streamlined fashion, with security measures including message-level encryption, multi-factor authentication, access restrictions for recipients, and watermarking.

3. Can you audit information shared via email, including for DSAR fulfilment? Ongoing compliance is the final consideration for all CCPA security strategies. For email, this includes being able to audit and report on your entire email network to detect areas of non-compliance. This will help you identify individuals whose behaviour is putting PI at risk of breach under CCPA, so that remediation measures can be actioned, such as training or awareness-building programs. It also enables you to evolve your security policy as your organisation changes: one department may not fall under your CCPA scope today, but could do in 12 months’ time.

Additionally, as part of CCPA’s core principles of control, transparency and accountability, consumers are able to submit “data subject access requests (DSARs)”. This means that when requested, an organisation must be able notify a consumer about exactly what data they hold, and what this data is being used for – including whether it’s being shared with third parties (and why). As we’ve established, email remains a primary mechanism for sharing data – so it makes sense that your email system will play its part in DSAR fulfilment under CCPA. As a result, you will need to be able to rapidly search your email network to discover any relevant data, redact any non-pertinent information (such as another data subject’s PI), and provide the results of this to the original data subject. Without technology and automation to support this process, it can become rapidly unmanageable.

How Egress can help

Egress provides human layer email security. That means we’ve made it our mission to help people work securely and effectively on email, ensuring organisations can comply with regulations such as CCPA. Our eDiscovery software enables you to understand data flows and areas of risk, conduct SARs, and delete personal data across your organization's email network.

To find out more, you can visit our CCPA hub or get in touch to speak to a member of the team, who’d be happy to explain our offering in more detail.