Does the CCPA Require Penetration Testing?

As companies prepare for the January 1st, 2020 implementation of the California Consumer Privacy Act or CCPA, we have been fielding quite a few questions surrounding the new regulation and its requirement for “reasonable security”. One of the most often asked questions is “Does the CCPA require penetration testing?” Today we dive deeper into the CCPA and discuss what is required.

What does the CCPA Require?

Technically speaking, the regulation does not define what must be done, but rather stipulates the following in section 1798.150:

(1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

Assembly Bill No. 375, Chapter 55, Section 1798.150

Vague, we know. So what does this mean? At a minimum, we are recommending our clients complete a gap analysis utilizing an industry-recognized standard (such as the Center for Internet Security’s (CIS) Top 20 Critical Security Controls (CSC) if you don’t need to adhere to something more specific) to determine the organization’s ability to provide a reasonable level of security for the privacy information it collects and stores. As part of this gap analysis, we are also recommending a review of a number of internal policies, including the incident response process and the data breach notification policy, to ensure they reference the CCPA and the relevant requirements. Lastly, we are also recommending an end-to-end review of how data from California citizens is collected, transported, and destroyed to ensure all parts of the process are secure.

Is a Penetration Test Required to Achieve “Reasonable Security”?

Unfortunately, there is nothing definitive in the requirement that addresses penetration testing, so we cannot tell you yes or no until the legislation is updated or fines are handed out in the future that clarify the requirements. We can tell you that we would highly recommend a penetration test as part of your due diligence efforts in order to ensure that you are adequately securing your organization, your security controls are working as intended, and you are actively and periodically quantifying your risk. With fines of up to $750 per consumer, per event, the cost of a breach could add up extremely quickly. A penetration test should cost a fraction of even the low end of potential fines and will definitely help ensure you have taken proper measures to provide reasonable security, with a signed validation from a third party that this testing was conducted.

Have any questions on the CCPA from a security standpoint? Interested in learning more about our services and how we can help ensure you are meeting a reasonable level of security? Contact us today and we are happy to help!