Industry news

Report reveals less than half of businesses are prepared to comply with CCPA

by Egress
Published on 19th Nov 2019

Boston, Mass., November 20, 2019 – Egress, the leading provider of people-centric data security solutions, today announced the results of a comprehensive survey on the “Key Steps in Satisfying Your CCPA and Other Privacy Obligations”. The survey, conducted by Osterman Research, Inc., revealed the current state of security team preparedness and critical gaps in compliance with the California Consumer Protection Act (CCPA) before it comes into effect on January 1st, 2020. Key findings include only 15% of organizations report having a mature approach to data privacy, more than half (59%) have yet to allocate budget to CCPA compliance, and 58% are currently using or will look to implement machine-driven systems to improve manual processes for data security.

In succession to the EU’s landmark GDPR legislation, the CCPA is set to revolutionize data privacy and security within the United States, with major penalties and litigation slated for those unable to protect residences’ new privacy rights. To gain better insight into the state of preparedness for compliance with CCPA, Osterman Research surveyed 149 security professionals about the state of organizational compliance, the successes and challenges associated with satisfying compliance, lessons learned from GDPR, and the level of buy-in security professionals believe they’ve received from the wider organization.

“CCPA is a monumental piece of legislation in the United States that will drive forward data protection for consumers not just in California, but more broadly as it inspires other states into similar action,” said Tony Pepper, Chief Executive Officer at Egress. “The results from Osterman Research show clear gaps in compliance and preparation, including a robust email security strategy, efficient processes that can quickly respond to data subject access requests (DSARs), and measures to reduce the risk of email compromise or the accidental exposure of sensitive data.”

“Our research found that most organizations just aren’t yet ready for compliance with the CCPA, despite the fact that we conducted the survey less than three months before it becomes enforced,” said Michael Osterman, Principal Analyst at Osterman Research. “This is likely to present some serious consequences for non-compliant organizations given our view that the State of California will be reasonably aggressive in pursuing non-compliant organizations during 2020.”

Survey findings include:

  • Data protection is still not prioritized today, with only 15% of organizations reporting a mature approach to data privacy
  • More than half of organizations (58%) believe there is some overlap in compliance between GDPR and CCPA, but CCPA will require a fresh look at systems
  • Consent is a critical element of GDPR, CCPA, and other privacy regulation compliance, yet only about 50% of organizations have reviewed how they obtain consent from external parties, leaving them open to non-compliance problems
  • Most organizations are currently using technology to help with data classification, with 62% using rules-based systems for automatic classification 
  • Within two years, organizations predict that manual processes will move to more technology-based classifications. AI-driven systems will increase from 23% today to 58% in two years, and manual systems will drop from 55% to 36%
  • Fewer than two-thirds (36%) of organizations have conducted an audit to determine where corporate data is located
  • Only about two-thirds (69%) of organizations currently have a data breach notification procedure, despite the fact that data breach notification requirements have been established in most states for many years
  • Confidence levels in the ability to comply with privacy regulations are low; only about one-third (35%) of organizations are confident they can delete all information on a data subject, which would leave them vulnerable to non-compliance

With findings also showing that many organizations are holding off on actions, improvements, or compliance until 2020 or later, and less than half (41%) have allocated budget for compliance, it’s more important than ever for organizations and security professionals to understand the risks and implications of non-compliance. Email security, in particular, is a major component of data privacy that organizations need to consider when preparing for CCPA.

Findings of the survey were also presented on November 7th through a webinar hosted by Egress’s Senior Product Manager, Fahim Afghan, and President of Osterman Research, Inc., Michael Osterman. In the webinar, Afghan and Osterman outlined the state of compliance, the main challenges of satisfying compliance, primary ways CCPA affects email security, and considerations for building a robust email security strategy.

The full survey results are available in a white paper on CCPA authored by Michael Osterman, President of Osterman Research.

About Egress

As advanced persistent threats continue to evolve, we recognize that people are the biggest risk to organizations’ security and are most vulnerable when using email.

Egress is the only cloud email security platform to continuously assess human risk and dynamically adapt policy controls, preparing customers to defend against advanced phishing attacks and outbound data breaches before they happen. Leveraging contextual machine learning and neural networks, with seamless integration using cloud-native API architecture, Egress provides enhanced email protection, deep visibility into human risk, and instant time to value.

Trusted by the world’s biggest brands, Egress has offices in London, Sheffield, Cheltenham, New York, Boston, and Toronto. In April 2024 KnowBe4, the provider of the largest security awareness training and simulated phishing platform, entered into a definitive agreement to acquire Egress.