The regulatory and compliance environment is becoming increasingly complex at a time when the IT industry is undergoing massive disruption. Oomnitza’s Arthur Lozinski offers several regulatory considerations that need to be taken in managing the IT estate.
The enforcement period for the new California Consumer Protection Act (CCPA) started only on July 1 of this year, and there are already a half-dozen class-action lawsuits in motion against California companies. The law may also apply to companies that are not doing business explicitly in California but are serving customers located in California (and given California’s population, this is a huge expansion in applicability).
Then there is the new Lei Geral de Proteção de Dados (LGPD), Brazil’s version of the CCPA. Europe’s General Data Protection Regulation (GDPR) continues to evolve, even as each state in the European Union continues to enjoy considerable leeway for deciding what is a violation and what fines should be for GDPR violations.
As if all of this weren’t confusing enough, a patchwork of law in the U.S. is now starting to generate class-action lawsuits or regulatory enforcement, often against out-of-state companies. On July 21, the New York State Department of Financial Services announced its first-ever cybersecurity enforcement action against First American Title Insurance, a publicly traded financial services company based in Southern California, for allegedly failing to patch known vulnerabilities. This exposure allegedly resulted in over 800 million sensitive financial records being exposed on the public internet over the course of five years.
Without Accurate Cross-Silo ITAM, Compliance is Slow and Painful
This puts companies without an effective IT Asset Management (ITAM) system that automatically updates all IT asset inventories (hardware, software, cloud, etc.) at a distinct – and potentially expensive – disadvantage.
All of these laws have their own nuances around coverage, liability and expected corporate behaviors. IT departments and the audit and compliance teams now face a confusing landscape; a lawsuit or enforcement action can come from almost any direction. Across the CCPA, the different country-specific approaches to GDPR, the impending LGPD in Brazil, other state laws in the U.S. and now New York’s own enforcement, complying with an ever-growing web of IT compliance regulations is rapidly becoming expensive, complicated and mandatory.
Knowing – or being able to quickly find – where an asset is located, who owns the asset and the state of security controls on the asset is becoming a critical piece of complying with legal requirements to demonstrate best efforts for security. This requirement is common among the various privacy laws, but it is particularly broad with the CCPA. While there are various endpoint management tools that validate controls, these tools cannot replace ITAM as a backbone for understanding the ownership, status and location of an asset. Ownership is also key to the attestations at the core of SOC 2 and other compliance standards, which are legally required with increasing frequency when one business provides technology services to another.
Few Companies Are Prepared for CCPA. COVID Has Set Them Back
If your company is prepared even just for CCPA, it is in the minority. In a survey of general counsels released in June 2020 by the data privacy firm Ethyca, only 31 percent said they are prepared for the California law. For the other 69 percent, it’s reasonable to assume they are also not prepared for the Brazil law or the newly aggressive enforcement posture of New York.
The Ethyca survey further found that while the majority of companies are planning to dedicate more resources to compliance with CCPA, the COVID crisis has pushed out these efforts. Meanwhile, it’s clear that the pace of class-action suits is accelerating in this vacuum, as class-action attorneys seek to test the boundaries of this expansive law with a raft of litigation.
At the base of all compliance efforts with CCPA and other privacy laws is a rock-solid, real-time accounting of all the IT assets that an organization has in place and confidence that all IT assets are properly accounted for. For a quick, back-of-the-envelope test of your IT department’s, CIO’s or CISO’s compliance capability, ask the following questions:
- How confident are you in the accuracy of your IT asset inventory?
- How confident are you that there is no overlap between different static ITAMs?
- How quickly can you associate a breach with an asset and an individual?
- How fresh is your IT asset inventory?
- Do you know the geographic location of every asset?
- What percentage of assets have security controls installed?
If you can’t answer these questions quickly, or if your answers are not ones you would be comfortable sharing with an external audit team or an opposing attorney, then think about whether CCPA and the thicket of other laws can be a positive catalyst to finally get your arms around more effective and efficient ITAM. There is a vast host of regulators and attorneys looking for the slightest excuse to extract millions in fines from your company. A fully integrated ITAM can help mitigate or eliminate this risk – and at a price point that is substantially below the potential fines. The growing legal and financial risk makes this the right thing to do.
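The checklist above can be answered mechanically once inventories from different silos are reconciled on a common key. The following is an added example (not Oomnitza’s code or any product’s API) that merges two constructed exports, one from an endpoint-management console and one from a procurement/CMDB spreadsheet, keyed on serial number, and then reports cross-silo overlap, stale records, assets with no known location, security-control coverage, and the owner behind a hostname named in a breach report. The serials, hostnames, owners and field names are all invented for illustration.

```python
"""Reconcile two IT-asset exports and answer the ITAM checklist questions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed sample exports (invented serials, hosts and owners, not real data).
# The field names are assumptions about what such exports typically contain.
ENDPOINT_EXPORT = [  # e.g. from an endpoint-management / EDR console
    {"serial": "SN-1001", "hostname": "lt-alice", "owner": "alice",
     "last_seen": "2020-08-01", "location": "US-CA", "edr": True},
    {"serial": "SN-1002", "hostname": "lt-bob", "owner": "bob",
     "last_seen": "2020-05-10", "location": None, "edr": False},
    {"serial": "SN-1003", "hostname": "srv-db01", "owner": "dba-team",
     "last_seen": "2020-08-02", "location": None, "edr": True},
]
CMDB_EXPORT = [  # e.g. from a procurement spreadsheet / CMDB; carries no control data
    {"serial": "SN-1001", "hostname": "lt-alice", "owner": "alice",
     "last_seen": "2020-03-15", "location": "US-CA"},
    {"serial": "SN-1002", "hostname": "lt-bob", "owner": "bob",
     "last_seen": "2020-03-15", "location": "US-NY"},
    {"serial": "SN-1004", "hostname": "lt-carol", "owner": "carol",
     "last_seen": "2020-07-20", "location": "EU-DE"},
]


@dataclass
class Asset:
    serial: str
    hostname: Optional[str] = None
    owner: Optional[str] = None
    last_seen: Optional[date] = None
    location: Optional[str] = None
    edr: Optional[bool] = None          # None = no source reported control state
    sources: set = field(default_factory=set)


def merge_inventories(named_sources):
    """Key every record on its serial number and merge fields across sources.

    The freshest last_seen wins; other fields keep the first non-empty value seen.
    """
    assets = {}
    for name, records in named_sources.items():
        for rec in records:
            a = assets.setdefault(rec["serial"], Asset(serial=rec["serial"]))
            a.sources.add(name)
            seen = date.fromisoformat(rec["last_seen"])
            if a.last_seen is None or seen > a.last_seen:
                a.last_seen = seen
            for fld in ("hostname", "owner", "location", "edr"):
                if getattr(a, fld) is None and rec.get(fld) is not None:
                    setattr(a, fld, rec[fld])
    return assets


def overlap(assets):
    """Serials present in more than one silo (double-counted across static ITAMs)."""
    return sorted(s for s, a in assets.items() if len(a.sources) > 1)


def stale(assets, as_of, max_age_days=30):
    """Serials not seen by any source within max_age_days of as_of."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(s for s, a in assets.items() if a.last_seen < cutoff)


def missing_location(assets):
    """Serials for which no source reports a geographic location."""
    return sorted(s for s, a in assets.items() if a.location is None)


def control_coverage(assets):
    """(percent of all assets with the control confirmed installed, count with unknown state)."""
    installed = sum(1 for a in assets.values() if a.edr is True)
    unknown = sum(1 for a in assets.values() if a.edr is None)
    return round(100.0 * installed / len(assets), 1), unknown


def find_by_host(assets, hostname):
    """Map a hostname from a breach report to (serial, owner), or None if unknown."""
    for a in assets.values():
        if a.hostname == hostname:
            return a.serial, a.owner
    return None


if __name__ == "__main__":
    inv = merge_inventories({"endpoint": ENDPOINT_EXPORT, "cmdb": CMDB_EXPORT})
    as_of = date(2020, 8, 3)
    print("overlap across silos:", overlap(inv))
    print("stale (>30 days):", stale(inv, as_of))
    print("no known location:", missing_location(inv))
    print("control coverage (% installed, unknown):", control_coverage(inv))
    print("lt-bob ->", find_by_host(inv, "lt-bob"))
```

Note how the merged view separates a control that is known to be absent (SN-1002, where the endpoint tool reports it missing) from one whose state is simply unknown (SN-1004, which only the CMDB knows about); the second case is the gap a static spreadsheet-style ITAM hides, and it is the one an auditor or opposing attorney will ask about.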