Many businesses still clueless concerning CCPA
A new report by cybersecurity and privacy education company MediaPRO has shone a spotlight on the desperate need to create greater awareness of the looming California Consumer Privacy Act (CCPA).
MediaPRO's 2019 Eye on Privacy Report has exposed a worrying gap in understanding of the impending data privacy law and its implications. The law will affect all companies that provide products and/or services to consumers and businesses located in the state of California, regardless of where that company is located.
MediaPRO's research revealed that almost 50 percent of US-based employees had never heard of the CCPA, which sets specific requirements for the management of consumer data for companies handling the personal data of California residents. The Act comes into effect on January 1, 2020.
As of next year, residents of California will have a legal right to require any company in the United States to declare what personal information it holds on them, and what is being done with their data. Companies will be legally obliged to respond within 45 days of receiving an “access request”. It is expected that the new law will apply to at least half a million US businesses, and possibly more.
To find out how prepared businesses are for the new consumer privacy legislation, MediaPRO surveyed more than 1,000 US-based employees to assess their understanding of data privacy practices and privacy regulations. The research found that, in relation to the CCPA's credit card information guidelines, almost 60 percent of respondents admitted they had never heard of the privacy requirements, which are based on a global set of payment card industry (PCI) guidelines governing the handling of credit card information.
Other findings from the MediaPro report include:
58% of employees said they had never heard of the PCI Standard, a global set of payment card industry (PCI) guidelines that govern how credit card information is handled.
12% of employees said they were unsure if they should report a cybercriminal stealing sensitive client data while at work.
Technology sector employees were least likely to identify and prioritize the most sensitive information. For example, 73% of those in the tech sector ranked Social Security numbers as most sensitive, compared to 88% of employees in all other industries ranking this type of data as most sensitive.
Employees were more comfortable with a mobile device app tracking their device’s location than with an app accessing contact and browser information, being able to take pictures and video, and posting to social media.
Employees were unsure about whether IT staff installing monitoring software on work computers should be reported as a threat to sensitive data: 35% said yes, 35% said no, 30% were unsure.
Theft of login credentials was considered the most serious threat to sensitive data, with disgruntled employees stealing data and phishing emails coming next.
The findings of the report give considerable weight to the vital role played by employees in maintaining robust and effective data privacy practices. They also demonstrate the need for ongoing privacy awareness training in order to protect the personal information of all concerned.
Data privacy best practices should be at the forefront of all employees’ actions, whether in customer-facing or back-office administration roles. This is increasingly becoming a must-have for businesses of all sizes.
MediaPRO's Chief Learning Officer Tom Pendergast said:
"We're at a pivotal time in history for privacy, and more people than ever are paying attention to privacy and data protection, … Some of our survey results might make you think that people are starting to get it - but until everybody gets it, we in the privacy profession really can't rest. In today's world, protecting personal information really is everyone's responsibility, and that's why it's up to us to champion year-round privacy awareness training programs that aim to create a risk-aware culture."