It’s Time to Prepare for California’s Consumer Privacy Act, So You Can Sleep Better At Night

I love listening to all kinds of music when I’m working. Growing up, I bought vinyl records, listened to compact discs, and downloaded MP3s from Napster. Today I stream my music on my smartphone. The other day, I got on this nostalgic kick to create a mixtape compilation (playlists to you Millennials and younger) of my favorite tunes about California. I’m not sure why. Maybe it’s because we’re in the middle of summer? Or maybe I read this New York Times article about favorite California-influenced songs. “Raise your hands up in the air, and wave them like you just don’t care!” I know, I’m so old school.

I realized though that to complete my playlist, I had to purchase a lot of the songs I liked from an online music store because I didn’t have them. I used my stored credit card information on my smartphone to make the song purchases and I was happy as a lark! Everything from The Mamas and the Papas to the Beach Boys, LL Cool J, the Eagles, Tony Bennett, the Red Hot Chili Peppers, and finally Tupac. Aww yeah! Now I had all my favorite songs to listen to on my commute to and from work every day. And I also use the same smartphone for work.

This instantly reminded me that I use my smartphone for everything! It’s my Swiss Army knife – from my flashlight and wallet to SMS and email messages, and oh yeah, telephone calls! I freak out if I walk out of my house without my smartphone. I have so much personal and work information stored not only on my smartphone, but also on several internet retail sites, my preferred airline site, and at my workplace. This brought out my paranoid side! What would happen if my personal or work information were stolen from my mobile device or from the Internet site I was surfing, or my workplace suffered a data breach and employee records were stolen? What recourse would I have? I would certainly lose sleep and probably a lot of time cancelling credit cards, but then what long term effects could happen? Would I need to have my credit monitored for the rest of my life? Would I have to go back to listening to CDs?

With 12% of the US population and the 5th largest economy in the world, California is a land of opportunity for many businesses. But California is also the home of the most data breaches and personal information exposed, more than any other state in the Union for the past decade. Threat actors seem focused on preying on customer and employee data from my home state. Most of these same businesses consume, process, analyze, store, and sometimes sell substantial amounts of personal information from and for customers, employees, and partners. This data can reside not just on the device, but also in the on-prem and cloud services the business’ employees access from the device. At the same time, the explosive growth of mobile devices within these businesses allows employees to access enterprise data and resources anytime, and anywhere.

All of this makes securing enterprise data stored on or accessed from mobile devices a critical business need. As noted in the 2019 NSS Labs Enterprise Intelligence Brief for Mobile Security, more than half of all respondents in the study reported that mobile threats were a higher risk to organizational assets than other cyber threats. And 37.4% of respondents reported user bypass of security policies as a frequent or very frequent occurrence. On average, respondents with mobile security rated their protection as 76.1 (out of 100) against mobile threat vectors. Not bad, but that leaves a lot of opportunity for exploitation! And in the 2019 Verizon Mobile Security Index, they reported that 1 in 3 businesses suffered a data breach from mobile devices.

The Equifax breach, which exposed the personal information of 147 million people around the world back in September 2017, is only one example of today’s cyber threat landscape. In another high-profile security breach announced at the end of July 2019, a former systems engineer of a cloud hosting provider allegedly exploited a web app firewall configuration vulnerability to exfiltrate 106 million records containing unencrypted government ID numbers and consumer bank account numbers. And seventy percent of businesses are more frequently seeing insider threats as a growing source of both inadvertent and malicious data breaches. So, it begs the question, “What’s in your wallet?” “Stopped into a church I passed along the way. Well, I got down on my knees and I pretend to pray…”

It’s not surprising that legislation followed in the wake of well-publicized attacks and security breaches. The advent of the European Union’s GDPR focused attention on the state of data protection in the United States. A month after GDPR became enforceable in May 2018, California’s governor signed the California Consumer Privacy Act (CCPA) into law.

In a new white paper, MobileIron’s Data Protection Officer explains how the CCPA removes a key barrier to data breach litigation and shares her perspective on what businesses can do to protect and defend themselves and the personal information within their control.

Now is the time to prepare for CCPA. This issue will take on new urgency when the California Consumer Privacy Act takes effect on January 1, 2020. At the end of the day, I can sleep soundly at night knowing that the company I work for has implemented reasonable security in safeguarding my work and personal information on my smartphone! And now I wake up to that California tunes mixtape that I’m using as my alarm in the morning. “You can check out any time you want, but you can never leave.” Aww yeah! They don’t make songs like they used to!

James Saturnio

Senior Lead Technical Market Adviser at MobileIron

About the author

James Saturnio is a Senior Lead Technical Market Adviser at MobileIron. He immerses himself in all things cybersecurity and has over 25 years’ experience in this field. He has been with MobileIron for over 6 years, and previously worked at Cisco Systems for 19 years. While at Cisco, he worked as a TAC Engineer, and then as a Technical Leader for the Security Technology and Internet of Things (IoT) business units. He was the main architect for the IoT security framework that is still being used today by Cisco’s IoT customers.