The landmark California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) data privacy legislation is certainly good news for California consumers, who can now control how their personal data is collected and processed.
For companies doing the data collection, however, CCPA/CPRA is a wake-up call, alerting them to potential prosecution and crippling fines if they intentionally or inadvertently fail to inform customers of their right to know of, access, correct or delete personal data that has been collected and shared.
While most companies would surely want to comply, a high risk of CCPA compliance gaps exists because companies often deal with third-party service providers and vendors that may collect and sell data to their own downstream dependencies.
Why Third Parties Cause Compliance Challenges
Companies often deal with third-party service providers, third-party vendors, and third-party components and microservices that make up today’s cloud-native applications.
Let’s deal with the CCPA/CPRA compliance challenges they pose one by one.
Companies that contract with third-party service providers to perform data processing must prohibit them from selling, using or divulging the personal data collected for any reason other than executing the agreed-to services. Moreover, this requirement should be explicit in their contract to limit liability.
Companies that partner with third-party vendors (i.e., those that purchase or share the personal information collected by the company) must inform consumers which third-party entities they're giving the information to. They must also uphold all of the consumer’s CCPA/CPRA rights across the entire data chain — or expose both the company and the third party to liability.
Companies that have cloud-native applications and sub-contract third parties (many of them open source) to perform user authentication, payments, analytics, database services, and other key application functions, must take steps to maintain full visibility and control of the flow of personal data.
These third parties often have their own downstream dependencies, resulting in fourth- or even fifth-party liabilities and increasing the company’s already tough third-party application compliance challenges:
- No control over the external domains with which the third-party applications communicate.
- No control over who embeds and configures a third-party script, iframe or application.
- No way to implement soft security controls on ownerless open-source scripts and applications.
- No easy way to detect breaches or changes to those third-party applications or their domains, such as no-longer-maintained and risk-posing legacy scripts.
How Threat Actors Are Exploiting Third Party-Induced Client-Side Vulnerabilities
While threat actors continue to attack server-side components, they're now also starting to target websites and web applications. These “supply chain attacks” use third-party applications to pilfer sensitive data — e.g., personal and credit card information on web payment pages — or, worse, to perform digital credit card skimming.
If your company is doing business in California and uses apps with third-party components, ensure CCPA compliance by being able to:
- Trace the flow of personal data across your entire application runtime environment.
- Provide customers with a complete listing of all the third parties and their dependencies that have access to the customers’ personal information.
- Have an accurate picture of these third parties’ and their dependencies’ security situation.
- Discover blind spots that impair your ability to maintain customers’ CCPA rights throughout your data chain.
How to Get CCPA/CPRA Compliance Right: Solutions to Adopt
Achieving CCPA/CPRA compliance means deploying external measures like having a clear policy on how your company can uphold consumers’ data privacy rights; notifying consumers and getting their consent on the collection, use and sharing of their personal data; and providing them with an opt-out method by which they can prevent the sale of their personal data or the sharing of sensitive information.
Ensuring CCPA/CPRA compliance goes beyond that. Companies must adopt an advanced security posture management solution that not only manages the security of data flows between end users and hosts (the domain of firewalls and intrusion-prevention systems), but also covers the security challenges that stem from data flows with third-party components, so that you know and see:
- what your third-party applications are so you can create an end-to-end digital inventory;
- the functions and behaviors of your third-party applications — and the security risk they may pose on your website or app; and
- the location of these third-party applications and what data they send to their domains.
Since applications operate in a dynamic environment, your CCPA/CPRA compliance solution must do more than give you a basic understanding of how to manage personal data across all the elements of your application. It must also continuously monitor changes so it can rapidly identify aberrant applications or user behavior in order to recognize and mitigate potential security risks in real time. The sooner you detect such risks, the better the chance of avoiding catastrophic financial damage.
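As an added illustration of the inventory and domain-control points above (example code written for this page, not the article's or Reflectiz's own tooling): it extracts the third-party scripts and iframes from a constructed sample page, flags any origin absent from an assumed allowlist, and emits the Content-Security-Policy directives that would confine the page to the approved origins. All hostnames and the allowlist are hypothetical.

```javascript
// Added example (not the article's or Reflectiz's code): inventory the
// third-party scripts and iframes in a page's static HTML, flag origins not on
// an approved allowlist, and emit CSP directives confining the page to that
// list. Runtime-injected scripts also need a DOM observer or CSP reporting.
const TAG_SRC_RE = /<(script|iframe)\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;

function inventoryThirdParties(html, firstPartyOrigin, allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  const byOrigin = new Map(); // origin -> { kinds: Set<string>, urls: string[] }
  for (const [, tag, src] of html.matchAll(TAG_SRC_RE)) {
    let origin;
    try {
      origin = new URL(src, firstPartyOrigin).origin; // resolves relative srcs
    } catch {
      continue; // malformed src; a production tool should report it instead
    }
    if (origin === firstPartyOrigin) continue; // first-party resource
    const entry = byOrigin.get(origin) || { kinds: new Set(), urls: [] };
    entry.kinds.add(tag.toLowerCase());
    entry.urls.push(src);
    byOrigin.set(origin, entry);
  }
  return [...byOrigin].map(([origin, e]) => ({
    origin, kinds: [...e.kinds].sort(), urls: e.urls, approved: allowed.has(origin),
  }));
}

// CSP directives from the approved part of the inventory. connect-src is the
// data-flow control: it bounds where any script may send data (fetch, XHR, beacon).
function cspFromInventory(inventory) {
  const approved = inventory.filter((e) => e.approved);
  const originsOf = (kind) =>
    approved.filter((e) => e.kinds.includes(kind)).map((e) => e.origin);
  return [
    `script-src 'self' ${originsOf("script").join(" ")}`,
    `frame-src 'self' ${originsOf("iframe").join(" ")}`,
    `connect-src 'self' ${approved.map((e) => e.origin).join(" ")}`,
  ].join("; ");
}

// Constructed sample page and allowlist (hypothetical .example hostnames).
const SAMPLE_HTML = `<script src="/static/app.js"></script>
<script src="https://cdn.payments.example/checkout.js"></script>
<script src="https://analytics.vendor.example/tag.js"></script>
<iframe src="https://chat.vendor.example/widget"></iframe>
<script src="https://unknown-cdn.example/loader.js"></script>`;
const APPROVED_ORIGINS = ["https://cdn.payments.example",
  "https://analytics.vendor.example", "https://chat.vendor.example"];
console.log(cspFromInventory(inventoryThirdParties(SAMPLE_HTML, "https://shop.example", APPROVED_ORIGINS)));
```

Running it lists four third-party origins, of which only unknown-cdn.example is unapproved and therefore excluded from the generated policy; deploying that policy in report-only mode first turns the same allowlist into a change detector for the dynamic environment the paragraph above describes.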
Idan Cohen is CEO and co-founder of Reflectiz, which secures websites by providing comprehensive visibility and analysis into the ever-expanding attack surface and minimizing risk caused by integration with third- and fourth-party applications.