Rhand Leal
October 16, 2018
In the wake of growing concern over privacy protection, the U.S. state of California passed a new privacy law at the end of June 2018 to protect Californian consumers. Taking effect on January 1, 2020, this law requires a new level of commitment from organizations in how they handle personal information, and it carries severe penalties both for noncompliance and for security breaches.
This article will show how ISO 27001, the leading standard for Information Security Management Systems (ISMS), can be used to ensure compliance with the clauses of this new regulation.
The California Consumer Privacy Act (CCPA) is a California state law governing the processing of the personal information of California residents. It resembles the European Union General Data Protection Regulation (EU GDPR): it lacks some of the GDPR's most onerous requirements, but in other respects it goes even farther.
Broadly speaking, the CCPA introduces:
If your organization meets any one of the CCPA's three applicability thresholds, it must comply with the CCPA:
Civil penalties for failure to comply with the CCPA range from $2,500 per unintentional violation up to $7,500 per intentional violation of any provision of the law. For data breaches, consumers can recover statutory damages of between $100 and $750 per California resident per incident, or actual damages, whichever is greater; this private right of action applies where the breach results from the business's failure to implement and maintain reasonable security procedures and practices. That is precisely where a systematically managed, demonstrable set of security controls matters most.
ISO 27001 is the ISO standard that specifies how to manage information security in an organization. Its main part consists of 10 clauses (the mandatory requirements sit in clauses 4 to 10), and its Annex A lists 114 security controls grouped into 14 sections. The clauses of the main part of ISO 27001:2013 are:
Annex A of ISO 27001:2013 covers controls on organizational matters (policies and the organization of security, both physical and logical), human resources, information technology (access control, cryptography, operations, communications, and system development), supplier management, incident management, business continuity, and compliance.
For detailed information, read: What is ISO 27001? and An overview of ISO 27001:2013 Annex A.
The requirements of the CCPA can be related to the following ISO 27001 clauses and controls:
CCPA requirement | ISO 27001 clause / control | Rationale for applying ISO 27001 to comply with the CCPA | For more information |
--- | --- | --- | --- |
1798.140(o)(1) – Definition of "personal information" | Controls A.8.1.1 – Inventory of assets, and A.8.2.1 – Classification of information | Identifying all data that falls under the definition of personal information, together with its sources, storage locations, uses, and recipients, is the prerequisite for proper access control and controlled data exchange. | Information classification according to ISO 27001; How to handle the Asset register (Asset inventory) according to ISO 27001 |
1798.135(a)(1) – Requirements for Internet Web pages | Control A.14.1.1 – Information security requirements analysis and specification | The organization's web pages must implement requirements such as allowing consumers to opt out of the sale of their personal information. | How to set security requirements and test systems according to ISO 27001 |
1798.130(a) – Methods for submitting requests for information | Clause 7.4 – Communication | Organizations must provide, at a minimum, a toll-free telephone number and, if the business maintains an Internet Web site, a Web site address through which consumers can submit requests. | How to create a Communication Plan according to ISO 27001 |
1798.135(a)(2) – Updating privacy policies | Control A.18.1.1 – Identification of applicable legislation and contractual requirements | The new privacy requirements must be reflected in the organization's relevant policies and systems. | What is privacy by design & default according to GDPR? |
In short, ISO 27001 can help produce and organize the information organizations need to comply with the CCPA, and to show regulators that the implemented controls are effective.
Although the CCPA resembles the GDPR, simply extending your existing EU GDPR measures is not enough to ensure compliance with the CCPA. Some examples of the differences:
First published in 2005 and revised in 2013, ISO 27001 is a mature standard with a track record of integration with laws and regulatory frameworks such as Sarbanes-Oxley, the U.S. DFARS 252.204-7012 clause, and the EU GDPR, the last of which is the most similar to the CCPA.
By adopting ISO 27001 practices to support CCPA compliance, organizations that process California residents' personal information gain a systematic way to ensure and demonstrate the effectiveness of the security controls and procedures that protect privacy. They also gain the standard's review activities (internal audit, management review, and corrective action), which drive improvement of security measures when and where necessary.
To learn how ISO 27001 is used in implementing the European privacy regulation, see this free webinar: How to integrate GDPR with ISO 27001.