California Consumer Privacy Act and Your Cloud Architecture
May 8, 2019
*This presentation is offered for informational purposes only, and the content should not be construed as legal advice on any matter.
www.dlapiper.com
Introduction
This interactive webinar will provide an overview of recent privacy regulation, including the California Consumer Privacy Act, and associated technical implications.
Our program is tailored for legal and compliance professionals within data-centric enterprises and aims to bring professionals together to understand the importance of managing risk in shared control environments in the era of rapid privacy developments.
Contents
Challenges for Cloud Architectures ... 4
California Consumer Privacy Act: Developing Legal Landscape ... 10
CCPA and Your Cloud: Managing Operational Impact of Shifting Legal Landscape ... 16
Security in the Cloud: Managing Shared Control Environments ... 22
Presenters
Rob Otten, Senior Manager
T: 212.335.4816
F: 917.778.8816
Rena Mears, Principal
T: 415.836.2555
F: 415.659.7366
Kate Lucente, Partner
T: 206.839.4854
F: 206.494.1809
Challenges for Cloud Architectures
Overview: CCPA in the Cloud
Challenges of Cloud Architectures:
• Third Parties and Nth Parties: Identify and determine the role of third parties, 4th, and nth parties in the cloud environment.
• Consumer Requests: Include cloud environments when responding to consumer access and/or deletion requests.
• Incidents and Breaches: Breach and incident response teams must work across multiple cloud environments and technology stacks to contain and analyze an incident.
• Know Your Cloud: Inventory cloud environments as a foundational step in the enterprise CCPA compliance process.
• Know Your Data Assets: Map data asset lifecycles in cloud environments in order to support compliance with CCPA requirements.
• Security in Shared Control Environments: Security controls must also be identified, implemented and maintained in the enterprise and in the cloud environment to be effective.
Cloud Adoption Has Occurred Rapidly
Cloud computing, enabled by virtual machines and the rise of the internet, has allowed organizations to reduce costs and become more agile.
• 1980s, Rise of Global Internet: The first internet service provider companies were formed.
• 1990s, Software as a Service: Software as a Service (SaaS) providers such as SalesForce began to emerge in the market.
• 2000s, Public Cloud Services: Amazon and Microsoft launch platform and infrastructure as services.
• 2010s, Rapid Cloud Adoption: Companies trust public cloud services, moving from on-premises to cloud-first strategies.
• 2020s, Hybrid Cloud Enterprise: Innovation driven by numerous integrated cloud services.
Key Findings From IDG 2018 Cloud Computing Survey
• 73% have at least one application, or a portion of their computing infrastructure, already in the cloud.
• 42% of organizations are using multi-cloud.
• The average cloud budget is up from $1.62 million in 2016 to $2.2 million in 2018.
What is the Cloud
Computing, storage, and networking resources provided by another business as a service, with the following characteristics:
• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity*
* NIST 800-145 definition of cloud computing
Common delivery models for cloud include Infrastructure, Platform, and Software as a Service.
Diagram: the service stack (Hosting, Storage, Platform, Development, Operating System, Application, Service), showing which layers are Cloud Provider Services and which are Company Managed Services under IaaS, PaaS and SaaS.
The Hybrid Cloud Enterprise
A Hybrid Cloud Enterprise uses multiple cloud providers, both public and private, to provide services from business administration to enabling emerging technologies.
Diagram: the hybrid cloud enterprise, showing an On-Prem Data Center (ancillary legacy systems), a Public Cloud Enterprise (DevOps tools, source code repository, artificial intelligence, storage, computing environment, network, compute), a Public Cloud Business (CRM, payroll management, analytics), third party developers, end users and employees, and edge devices.
California Consumer Privacy Act: Developing Legal Landscape
California Consumer Privacy Act (CCPA)
Effective January 1, 2020 (though ahead of this date further amendments are expected and the CA Attorney General is to issue draft implementing regulations)
• Data breach private right of action available from January 1, 2020
• Privacy provisions enforceable by CA AG sometime between January 1, 2020 and July 1, 2020
• Further amendments possible and AG regulations likely
Key Requirements
• Substantial new rights for CA residents (not identical to those offered to EU residents under GDPR)
• Broad definitions and scope
CCPA Sweeping Definitions
Personal information: any information that directly or indirectly identifies, relates to, describes or can be associated with or reasonably linked to a California resident or household — explicitly includes, e.g., online and device IDs, search and browsing history and other online activities, and activities from connected devices.
Collection: includes buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to an individual by any means, including active and passive collection and observing individual behavior.
Sale: broadly includes selling, providing, or disclosing personal information in exchange for any consideration or thing of value.
Third Party / Service Provider: CCPA creates new defined terms for “third party” as distinct from “service provider”.
Device: any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device.
Key Components of CCPA
Individuals’ Rights: Introduces broad rights for individuals, including access, deletion and portability of their personal information. Businesses must disclose information about how they have handled an individual’s personal information in the preceding 12 months.
Mandatory Opt-Out: Introduces a mandatory, free-of-charge opt-out right for individuals. Businesses must provide a link to a specific “do not sell my personal information” page and a toll-free number.
Notice and Transparency: Businesses must disclose collection and use of personal information prior to or at the point of collection. Website privacy policies require updates and certain disclosures.
Contract Terms: Introduces mandatory contract terms for service providers.
Enforcement Risks: Private right of action and statutory damages of $100-750 per violation in the event of a data breach of unencrypted or “un-redacted” personal information, if the company did not have “reasonable” security. Enforcement of privacy provisions by the California Attorney General with penalties of up to $2,500 ($7,500 if intentional) per violation.
Data Breaches
Managing risks in a changing legal landscape
United States
• 50+ state breach notification laws
  • varying (and expanding) definitions of personal information and breach
  • varying notice requirements (timing, content, AG notice)
• CCPA class action risks: potential private right of action (statutory damages of US $100-750 per violation + attorneys’ fees) for certain data breaches—
  • unencrypted or unredacted personal information (as defined under CA breach notice law)
  • company does not have “reasonable” security
Globally
• GDPR and GDPR-like laws: very broad scope of reportable breaches and short timing (72 hours)
• Multiple other jurisdictions (e.g., Australia, Canada, Korea, etc.) have breach notification requirements that vary from EU and US
Managing Operational Impacts in Cloud Environments
Key Activities
• Inventory and understand – know your cloud environment and your assets
• Managing third parties – know your third parties and service providers
• Managing consumer requests – complying with consumer requests and rights
CCPA and Your Cloud: Managing Operational Impact of Shifting Legal Landscape
Know Your Cloud Environment and Assets
Understanding your cloud architecture is the foundation of protecting and effectively managing cloud assets.
• Inventory your cloud assets—sanctioned and unsanctioned
• Identify data elements and data flows to and from cloud architectures
• Understand responsibility and accountability within cloud services and providers (IaaS, PaaS, SaaS)
• Ownership and governance
• Understand the shared control environment and security solutions available (default and optional)
• Assess role of third parties (third party or service provider; controller or processor) and ensure appropriate contract terms
Diagram: security OF the cloud vs security IN the cloud, showing the service stack (Hosting, Storage, Platform, Development, Operating System, Application, Service) split between Cloud Provider Services and Company Managed Services under IaaS, PaaS and SaaS.
Third Parties
• Know Your Third Parties—third party or service provider? Sale? CCPA categories? Roles and responsibilities? Uses?
• Manage Your Third Parties—due diligence, contractual requirements, monitoring; responsibilities and accountability.
• Transparency and privacy notice requirements
• Ownership and use rights
• Understand and account for—
  • Nth party risks
  • Concentration of risk
  • Community development and open source
Managing Individual Requests and Rights
Operational processes to manage across the entire ecosystem, including the cloud environment
• Right to Know
  • Categories of personal information collected about the individual
  • Categories of sources from which the personal information is collected
  • Business or commercial purpose for collecting, disclosing and selling personal information
  • Categories of third parties to whom personal information has been sold, and also disclosed
• Copy and Portability
  • Specific pieces of personal information about the individual
  • In a portable and, to the extent technically feasible, readily useable format
• Deletion (business must also require deletion by service provider)
• Managing “opt-outs”
Response processes must be designed to identify all relevant data, resolve any inconsistencies, and return a complete response within the timeframe specified in the regulation.
Individuals may engage with the company utilizing separate channels, using various names, making different choices, and recording different attributes.
Diagram: individual records with differing Name, Source, Attributes, Use and Third Party values that must be reconciled.
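As an added illustration of the request-handling process described above (this is not code from the presentation), the following Python links one person's records across several systems by normalized email or phone, resolves a conflicting opt-out conservatively, and builds both the access response and the deletion work list including the service providers that must also delete. The system names, record layout, sample people and service-provider mapping are constructed assumptions.

```python
"""Fulfil one CCPA access/deletion request across several systems.  Added
example for the slide above; systems, record layout and sample people are
constructed and not taken from the presentation or any real product."""
import re

def norm_email(s):
    return s.strip().lower()

def norm_phone(s):
    # Assumption: US numbers; the last ten digits are the match key.
    return re.sub(r"\D", "", s)[-10:]

# Constructed records: the same person appears under different names,
# channels and attribute spellings, alongside an unrelated person.
RECORDS = [
    {"system": "crm", "name": "Jane A. Doe", "email": "Jane.Doe@Example.com",
     "phone": "+1 (415) 555-0100", "opt_out": False, "sold_to": ["AdNetworkCo"]},
    {"system": "support", "name": "J. Doe", "email": "jane.doe@example.com",
     "phone": "", "opt_out": True, "sold_to": []},
    {"system": "analytics", "name": "", "email": "", "phone": "415-555-0100",
     "device_id": "dev-7f3a", "sold_to": ["AnalyticsVendor"]},
    {"system": "crm", "name": "John Roe", "email": "john.roe@example.net",
     "phone": "", "opt_out": False, "sold_to": []},
]
# Assumption: service providers holding copies that must also delete.
SERVICE_PROVIDERS = {"analytics": ["AnalyticsVendor"]}

def _keys(email, phone):
    return {k for k in {("e", norm_email(email)), ("p", norm_phone(phone))} if k[1]}

def link_records(records, email, phone):
    """Transitively link records that share a normalized email or phone."""
    keys, linked, changed = _keys(email, phone), [], True
    while changed:  # a record matched by phone may add an email key, and so on
        changed = False
        for r in records:
            rk = _keys(r["email"], r["phone"])
            if r not in linked and rk & keys:
                linked.append(r); keys |= rk; changed = True
    return linked

def access_response(records, email, phone):
    hits = link_records(records, email, phone)
    return {
        "sources": sorted({r["system"] for r in hits}),
        "categories": sorted({k for r in hits for k, v in r.items()
                              if v not in ("", None, [], False)
                              and k not in ("system", "sold_to", "opt_out")}),
        "sold_to": sorted({t for r in hits for t in r["sold_to"]}),
        # Resolve conflicting choices conservatively: any recorded opt-out wins.
        "opt_out": any(r.get("opt_out", False) for r in hits),
        "specific_pieces": hits,
    }

def deletion_worklist(records, email, phone):
    systems = sorted({r["system"] for r in link_records(records, email, phone)})
    providers = sorted({p for s in systems for p in SERVICE_PROVIDERS.get(s, [])})
    return {"systems": systems, "instruct_service_providers": providers}
```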
Heightened Enforcement Risks
• CCPA
  • Private right of action for data breaches—big class action risk area
  • AG enforcement: penalties of $2,500 ($7,500 if intentional) per violation.
• GDPR: 2 – 4% of global group turnover
• Rapid development of global privacy and data protection laws
• Increased regulation for data breaches
• Managing risks depends on effective management of the shared control environment
Security in the Cloud: Managing Shared Control Environments
Sample of Shared Controls for Cloud Services
Security responsibilities for each control area, split between the Company and the Cloud Provider, with sample Cloud Security Services*.

Access Control
  Company: Securing credentials to privileged accounts, authorizing users, and requiring the use of multi-factor authentication.
  Cloud Provider: Ensures only authorized personnel are able to configure platform security controls, using multi-factor access controls and a documented business need.
  Cloud Security Services*: Directory Services; DNS Web Services; IAM Policies; Secrets Manager

Software Security
  Company: Establishing procedures for hardening, and monitoring compliance with hardening standards.
  Cloud Provider: Develops and monitors security configuration standards for systems that are consistent with industry-accepted hardening standards.
  Cloud Security Services*: Web Application Firewalls; Intrusion detection software

Data Protection
  Company: Use of strong cryptography when accessing company managed resources and the design of layered encryption strategies.
  Cloud Provider: Use of strong cryptography when accessing cloud resources.
  Cloud Security Services*: Key Management Systems; Hardware Security Module; Gateways for APIs

Monitoring and Analysis
  Company: Deciding on configuration options, maintaining and configuring logs within customer environments, and ensuring coverage of provider-supplied tools to centralized logging.
  Cloud Provider: Enablement of logging of services to record user and security events.
  Cloud Security Services*: Threat detection; Identity managers; Anti-malware protection

* Cloud Security Services are samples and provided for illustration only. Specific vendors may or may not provide services to address specific control areas, and may provide additional services.
What is Reasonable Security?
Center for Internet Security’s Critical Security Controls
Basic Controls
• Inventory and Control of Hardware Assets
• Inventory and Control of Software Assets
• Continuous Vulnerability Management
• Controlled Use of Administrative Privileges
• Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
• Maintenance, Monitoring and Analysis of Audit Logs
Foundational Controls
• Email and Web Browser Protections
• Malware Defenses
• Limitation and Control of Network Ports, Protocols and Services
• Data Recovery Capabilities
• Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
• Boundary Defense
• Data Protection
• Controlled Access Based on the Need to Know
• Wireless Access Control
• Account Monitoring and Control
Organizational Controls
• Implement a Security Awareness and Training Program
• Application Software Security
• Incident Response and Management
• Penetration Tests and Red Team Exercises
NIST Cyber Security Framework
Diagram: the five NIST Cybersecurity Framework functions, Identify, Protect, Detect, Respond and Recover.
ISO 27001 and NIST 800-37 Rev 2 are included by reference in the NIST Cybersecurity Framework.
NIST published draft version 5 in August 2017 with a planned finalization for 2019. Version 5 is highly regarded as a measurable improvement, with the integration of privacy and security in a single framework.
Control of Access
Limit access and manage authentication parameters and processes
• Restricting access to system components and data based on job requirements, including limiting the ability to create, modify, or delete systems and cloud services.
• Specific policies for limiting access by unauthorized users include the following:
  • Federate company directory service
  • Limit console-level access
  • Utilize multi-factor authentication
  • Authenticate programming interfaces
• Extend account management practices to cloud systems and services for granting, modifying, and deprovisioning access to systems and workloads
• Establish and enforce authentication standards, including modifying vendor-supplied passwords for systems
• Consider adopting a cloud access security broker to enforce security policies for authentication, single sign-on, authorization, and credential mapping
Diagram: a Cloud Access Security Broker sitting between corporate endpoints, consumer devices and personal devices on one side and the public cloud, software as a service and platform services on the other.
Software Security
Continuously validate cloud-enabled workloads
• Apply secure validation and operation of software supplied through open sources and third party development teams for common vulnerabilities
• Continuously validate software and containers for restricted permissions and alignment to security standards
• Use cloud automation and management tools to reduce human error
Examples of Common Vulnerabilities (OWASP)
• Sensitive Data Exposure
• Broken Access Controls
• Broken Authentication
• Security Misconfiguration
• Using Components with Known Vulnerabilities
Data Protection
Adopt a layered encryption strategy
• Establish a strategy for encryption. Considerations include client- or server-side encryption and encryption solutions (e.g. bring your own encryption)
• Utilize a hardware security module that can work across multiple cloud services for effective key management (compute, storage, network, etc.)
• Develop a process for managing keys, including creation, rotation, and revocation.
Diagram: layered encryption across the Data, Disk, Application and Transport layers.
Monitor Systems and Analyze Data
• Configure audit logs to capture user activity, cloud service usage, and network traffic to ensure proper business usage:
  • User permissions, groups, and activity
  • Unused key pairs
  • Activity for compute and storage services
  • Network security flows
• Apply design standards for capturing data from audit logs to improve interoperability within a centralized repository
• Establish a procedure for the continuous assessment of workloads by identified risk
Diagram: the service stack (Hosting, Storage, Platform, Development, Operating System, Application, Service) mapped to Application Logs, Diagnostic Logs and Activity Logs.
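The audit-log review the slide calls for, as an added Python example that is not from the presentation: it runs checks for console logins without MFA, additions to privileged groups, and access keys unused beyond a threshold over constructed CloudTrail-style JSON events and a constructed key inventory. The event field names, the privileged group name and the 90-day threshold are assumptions.

```python
"""Review cloud audit logs for the activity the slide lists: user permissions
and groups, unused key pairs, and console activity.  Event fields follow a
simplified, constructed CloudTrail-style layout (an assumption)."""
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2019, 5, 8, tzinfo=timezone.utc)  # constructed review time
STALE_KEY_DAYS = 90                               # assumed threshold
PRIVILEGED_GROUPS = {"Administrators"}            # assumed group name

# Constructed sample events, one JSON object per line.
SAMPLE_LOG = """
{"eventTime":"2019-05-07T09:12:00Z","eventName":"ConsoleLogin","userName":"alice","mfaUsed":"Yes"}
{"eventTime":"2019-05-07T23:41:00Z","eventName":"ConsoleLogin","userName":"bob","mfaUsed":"No"}
{"eventTime":"2019-05-08T01:02:00Z","eventName":"AddUserToGroup","userName":"bob","groupName":"Administrators","target":"svc-batch"}
{"eventTime":"2019-05-08T01:05:00Z","eventName":"PutObject","userName":"svc-batch","bucket":"payroll-export"}
"""

# Constructed access-key inventory: key id -> (owner, last-used timestamp or None).
SAMPLE_KEYS = {
    "AKIA-EXAMPLE-0001": ("alice", "2019-05-01T00:00:00Z"),
    "AKIA-EXAMPLE-0002": ("svc-legacy", "2018-11-20T00:00:00Z"),
    "AKIA-EXAMPLE-0003": ("carol", None),  # issued but never used
}

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def console_logins_without_mfa(events):
    """Users who reached the console without a second factor."""
    return [e["userName"] for e in events
            if e["eventName"] == "ConsoleLogin" and e.get("mfaUsed") != "Yes"]

def privileged_group_changes(events):
    """(actor, target user, group) for additions to privileged groups."""
    return [(e["userName"], e["target"], e["groupName"]) for e in events
            if e["eventName"] == "AddUserToGroup" and e["groupName"] in PRIVILEGED_GROUPS]

def stale_access_keys(keys, now=NOW, max_age_days=STALE_KEY_DAYS):
    """Keys never used, or unused for longer than the threshold."""
    return [(key_id, owner) for key_id, (owner, last_used) in keys.items()
            if last_used is None or now - _ts(last_used) > timedelta(days=max_age_days)]

def review(log_text=SAMPLE_LOG, keys=SAMPLE_KEYS):
    events = parse_events(log_text)
    return {
        "console_login_without_mfa": console_logins_without_mfa(events),
        "privileged_group_changes": privileged_group_changes(events),
        "stale_access_keys": stale_access_keys(keys),
    }

if __name__ == "__main__":
    for finding, items in review().items():
        print(f"{finding}: {items}")
```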
Responding to Incidents
Extending incident response to the multi-cloud environment
Diagram: incident response workflow plotted against time to respond, with the phases Detect, Triage, Respond, Notify, Mitigate and Improve. Activities (not designed to be completed serially) include: Incident Reporting; Security Risk Assessment; Attorney-Client Privilege Activation; Activate Incident Response; Initiate Forensics; Contain Threats; Notification Requirements Identification; Notification Preparation; Stakeholder Interaction; Legal Action / Enforcement; Risk Assessment; Perform Post-Incident Assessment; Improve BR/IR Capability; Breach Notification Strategy; Security Posture Improvement; Jurisdictional Requirement Identification; Risk Mitigation (Security); Scope Boundary Determination; Risk Mitigation (Privacy); Privacy Risk Assessment; Law Enforcement Engagement; Engage Outside Partners.
Legend: BR/IR Team Core; Legal Team; BR/IR Extended Team; Optional, only when a potential breach has occurred.
Key Takeaways: Managing Risk in Cloud Architecture
1. Inventory your cloud environment—consider sanctioned and unsanctioned
2. Map your data across the lifecycle (source, acquisition, use, storage, disclosure, deletion)
3. Manage third parties and Nth parties—identify, categorize and manage
4. Establish responsibilities and accountability in the cloud environment
5. Document and understand ownership and use of data assets
6. Implement effective access controls and routinely audit permissions
7. Document responsibilities of all parties (user, cloud provider, MSP, etc.) in the shared control environment
8. Develop and implement a layered encryption strategy to protect data assets
9. Extend breach and incident response plans to cover the cloud
10. Consider ability to respond to consumer requests
11. Establish governance strategy
12. Continually assess technical vulnerabilities for systems and cloud workloads
Questions and Answers
Thank you