If your company does business in the state of California and stores user data, you should be aware of two laws that could affect the way you store and manage sensitive information. The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, but the lesser-known California Privacy Rights Act of 2020 (CPRA) built on the CCPA and will take effect on January 1, 2023. Both regulations will affect any business that wants to store and manage California user data, including the way you handle user requests to remove or disclose the ways that you use their information.
Introduction of CCPA
CCPA was heavily influenced by the ways European Union (EU) organizations manage data, so organizations familiar with GDPR will find that CCPA is similar. This Act requires organizations to disclose the way they store data, the type of data stored, allows users to stop organizations from selling their information, and gives users the power to require organizations to delete their information.
Businesses that have gross revenues over $25 million and buys, sells, and receives information of 25,000 or more consumers, households or devices must follow CCPA regulations. Because this ruling took effect in 2020, businesses that fall into this category and store California consumer data should already have tools and solutions to follow guidelines.
CPRA Builds on CCPA and Adds Stipulations
Shortly after CCPA took effect, another law was put into place. CPRA builds on the CCPA regulations, but it gives California consumers additional rights and provides new rights to users and the way that they can control their data. These regulations will not take effect until January 2023, but businesses should be looking at the ways that these laws will affect infrastructure. It takes time to build tools into business processes, so organizations should focus and budget for CPRA infrastructure now instead of waiting. Waiting could result in fines or failed deployments putting the business in non-compliance.
The new CPRA regulations require businesses to take cybersecurity very seriously. With the wave of data disclosure after numerous large data breaches, the CPRA puts more pressure on organizations to protect user data or risk hefty fines for being out of compliance. CCPA and CPRA create a pathway to litigation for consumers who lose data after non-compliant data breaches.
As an example, TikTok was ordered to pay $92 million to consumers after a data breach exposed user data. Several other companies were sued after data breaches in 2020 including Salesforce, Walmart, and Zoom. Litigation and the cost in reparations can greatly affect revenue and future sales, so organizations must be prepared.
In addition to CCPA regulations, organizations under CPRA must allow consumers to block sale of their data, requires companies to destroy data after it is no longer necessary to store, provide consumers with a link to request removal and information regarding the use of their data, and an audit trail that provides proof that all these regulations were followed should the organization suffer from a data breach.
Email Archiving is Necessary to Stay Compliant
Archiving email messages is just a part of cybersecurity and CPRA regulations. Messages contain attachments that contain sensitive data. File data could be contracts passed between customers and clients, intellectual property passed between employees, or documents containing customer information. All this data must also be archived and protected from malware and common threats.
Cloud solutions are often used to scale the storage necessary for large data archives. Providers who host cloud storage also give administrators all the tools necessary to protect data and ensure that archives follow compliance regulations, including CCPA and CPRA. Before an organization chooses a provider, it’s important to know the data stored, find out if California residents are included in that data, and ensure that the provider’s platform has all necessary functionality and infrastructure to keep it compliant.
Even with the best cybersecurity protocols in place, data breaches still happen. Risk cannot be reduced by 100%, but organizations can do their best to maintain security. Should an event happen, email archives can be used to review background information to determine the root cause. Backups can still be used to quickly bring systems back into order, but archives are necessary for investigations into what went wrong. Read blog: Archiving versus Backups
Searchable data is necessary, and archives give investigators the means to continue from disaster recovery into investigations. It can help protect the organization from litigation and defend it from possible compliance violations. Archives are necessary for compliance, so having them is one step further to create a compliant environment.
ArcTitan is a cloud-based email archiving solution that is compliant, with lightning-fast search speeds, legal compliance and integrates seamlessly with Microsoft Office 365. See how ArcTitan works, view demo.