Pub. 5 Issue 1

The CCPA requires businesses to enact “reasonable security procedures and practices” to protect consumer data. The California Attorney General has defined “reasonable measures” as compliance with the 20 critical cybersecurity controls recommended by the Center for Internet Security (CIS).

2. Consumer data notification and removal

Dealerships must proactively notify consumers about the type of data that’s being collected about them and who that data is being shared with. They must also make it easy for consumers to opt out of third-party data sharing, and delete all personal information at a consumer’s request.

Consumers must be able to make their requests via at least two methods; the most common will be telephone and website. Therefore, receptionists and/or BDC agents will need training on what information to collect from, and provide to, consumers when they call. A process must be established to comply with all consumer requests. Also, all websites will need to display a clearly visible opt-out message on the home page. Be sure to include a form with updated text about data collection policies and CCPA rights.

When it comes to prioritizing compliance with these two provisions, consider the source of potential lawsuits. While important, the data notification and removal provision does not grant consumers a private right of action. However, if a dealership fails to take “reasonable measures” to secure consumer data, and that dealership experiences a data breach, every consumer affected by that breach will be allowed to bring a lawsuit against that dealership. Therefore, the first provision to address is the one that carries the greatest legal liability for your dealership.

Take “reasonable measures” to secure your customers’ data

What does it mean to take reasonable measures? There’s a lot more to securing data than installing antivirus software and calling it a day. Enterprise-level cybersecurity requires a multi-layered strategy.
The 20 CIS Controls are divided into three categories: Basic, Foundational and Organizational. Basic controls address the inventory, control and secure configuration of all hardware devices and software, as well as the controlled use of administrative privileges and the analysis of audit logs. Foundational controls address higher-level defenses such as email and web browser protections, malware defenses, network ports and protocols, firewalls, routers and switches, data recovery and wireless access. Organizational controls address internal policies and procedures, such as required security awareness training for employees, the creation of an incident response plan, penetration testing and red team exercises.

One example of how many dealerships are currently out of compliance with CIS controls is the widespread usage of the Windows 7 operating system (OS). In January 2020, Microsoft will end support for Windows 7, which means no more software updates will be released. Failure to update (aka patch) your OS is a known security vulnerability and will automatically disqualify a dealership from compliance with the CCPA’s “reasonable measures” provision. To ensure compliance, dealerships will need to upgrade to the Windows 10 OS prior to the January deadline. This is just one example out of many potential changes that California dealers will need to make to their information technology (IT) infrastructures prior to the January deadline.

Steps to take today

To comply with the CCPA, the first steps to take include:

1. Understand where your current IT environment falls short of the CIS 20 controls. Order a gap analysis, also known as a Risk & Vulnerability Assessment, from a recommended IT services provider.
2. Create a prioritized remediation plan that fills the gaps identified.
3. Implement the plan. Seek help if you are shorthanded. The clock is ticking and time is of the essence.
4. Maintain compliance with ongoing management.
IT isn’t static and it’s easy to fall out of compliance if things aren’t routinely managed and monitored.

Compliance with the CCPA by the January deadline requires a sense of urgency and a detailed plan of action. If your dealership hasn’t yet taken steps to protect consumers’ personal information, you may be vulnerable to a data breach and subsequent flood of lawsuits in 2020. Don’t delay, inquire today.