Note: This post was created prior to the implementation of the CCPA. The law is now in effect as of January 1, 2020. Keep reading to learn more about CCPA compliance and how your dealership may be affected.
By now California dealers are aware of the California Consumer Privacy Act (CCPA), which takes effect in January 2020. This law requires businesses to take “reasonable measures” to secure consumers’ personally identifiable information (PII), such as names, addresses, Social Security numbers, credit card numbers, credit scores and bank account numbers.
The California Attorney General defines “reasonable measures” as compliance with 20 controls established by the Center for Internet Security (CIS). The amount of work required to get a typical dealership compliant is more than 1,200 hours and approximately six months, so if your dealership hasn’t started, you’re unlikely to be compliant by the January deadline.
However, there are steps you can take to demonstrate that you’re working towards compliance, if you should need to do so for legal reasons. The first step is to order a GAP analysis.
GAP Analysis/Risk Assessment
A GAP analysis from a qualified vendor will determine the current state of your IT infrastructure, and where it falls short of CCPA requirements.
This process involves security experts who will inventory and assess all of your dealership’s hardware, software and network equipment to find areas of vulnerability.
Upon completion of this step, you’ll receive a remediation plan that identifies the gaps between your dealership’s current IT and the CIS Controls’ best practices. The remediation plan is essentially a list of recommendations covering new hardware, software, policies, procedures and processes.
Depending on the current state of your IT, it’s possible that no new hardware, policies or procedures are needed. In most cases, however, some updates will be necessary.
Since the CCPA wasn’t just written for dealerships, remediation steps won’t be required for all 20 CIS Controls. For example, CIS Control 18 relates to software development best practices, which don’t apply to most dealerships. As for the other controls, it’s important to know there’s some leeway in the interpretation of the CCPA’s “reasonable measures.” What’s reasonable for an auto dealership might not be reasonable for another type of business, and vice versa. This is why it’s important to hire professionally trained and certified IT security experts with knowledge of both the CCPA requirements and of the car business.
Once your GAP Analysis and remediation plan are complete, it’s time to start working on the controls. If you’re starting late, a reasonable goal is to complete the first five CIS controls:
Step 1: Inventory and Control of Hardware Assets
This control requires businesses to inventory, track and manage all hardware devices that connect to your network so that only authorized devices are given access.
Step 2: Inventory and Control of Software Assets
This control requires businesses to inventory, track and manage all software on the network so that only authorized software is installed. Additionally, you’re required to maintain an up-to-date list of all authorized software that includes the name, version and install date. Also, install and use a whitelisting tool to ensure that only authorized software can execute.
Step 3: Continuous Vulnerability Management
Information technology (IT) isn’t static. The CCPA requires that all businesses continuously acquire, assess and take action on new information in order to identify vulnerabilities and minimize opportunities for cybercriminals.
Step 4: Controlled Use of Administrative Privileges
To prevent hackers from gaining access to your system, the CCPA requires the use of tools designed to ensure that only authorized individuals have privileges. Additionally, multi-factor authentication and encrypted channels for all administrative account access are required.
Step 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
The default configurations on new hardware devices and software are geared towards ease of deployment, not security. Many businesses never change these configurations, making it easy for cybercriminals to gain access to your systems.
The CCPA requires businesses to develop secure configuration settings using configuration management tools. Once configured, these settings need to be continually monitored to prevent security decay as new vulnerabilities are reported.
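Steps 1 and 2 both come down to comparing what is actually on the network against an authorized list and acting on the difference. The script below is an added example (not from the original post or any vendor) that reconciles a constructed network scan and installed-software report against constructed authorized hardware and software lists, flagging unknown devices and software that is either unapproved or at a version other than the approved one.

```python
# Added example: reconcile a network scan and installed-software report
# against the dealership's authorized lists (CIS Controls 1 and 2).
# All data below is constructed for illustration.

# Authorized hardware: MAC address -> asset description.
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:55": "F&I workstation",
    "00:11:22:33:44:66": "DMS server",
}

# Authorized software: name -> (approved version, install date).
AUTHORIZED_SOFTWARE = {
    "DealerDMS": ("8.2", "2019-10-01"),
    "AcroReader": ("2019.012", "2019-09-15"),
}

# Network scan result: MAC -> hostname seen on the network.
DISCOVERED_DEVICES = {
    "00:11:22:33:44:55": "fi-ws01",
    "00:11:22:33:44:66": "dms01",
    "AA:BB:CC:DD:EE:FF": "unknown-laptop",
}

# Installed-software report: hostname -> [(name, version)].
INSTALLED_SOFTWARE = {
    "fi-ws01": [("DealerDMS", "8.2"), ("FreeScreenSaver", "1.0")],
    "dms01": [("DealerDMS", "8.1")],
}

def unauthorized_devices(discovered, authorized):
    """MACs seen on the network that are not on the authorized list."""
    return sorted(mac for mac in discovered if mac not in authorized)

def software_findings(installed, authorized):
    """(host, name, version, reason) for software that is not authorized
    or is installed at a version other than the approved one."""
    findings = []
    for host, packages in installed.items():
        for name, version in packages:
            if name not in authorized:
                findings.append((host, name, version, "not authorized"))
            elif authorized[name][0] != version:
                findings.append((host, name, version, f"expected {authorized[name][0]}"))
    return findings

if __name__ == "__main__":
    for mac in unauthorized_devices(DISCOVERED_DEVICES, AUTHORIZED_DEVICES):
        print(f"unauthorized device {mac} ({DISCOVERED_DEVICES[mac]})")
    for host, name, version, reason in software_findings(INSTALLED_SOFTWARE, AUTHORIZED_SOFTWARE):
        print(f"{host}: {name} {version}: {reason}")
```

In practice the discovered data would come from your network access control or scanning tool and the installed-software report from your endpoint management tool; the reconciliation logic stays the same.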
These five controls are only a fraction of what needs to be done to protect your customer data, but the good news is they can be accomplished relatively quickly so that you can demonstrate your dealership is making the effort to become compliant.