October 2, 2019

Last Updated on January 12, 2024

Cue Celine Dion, because I’m going to make a bad Titanic analogy (although thankfully it isn’t a “king of the world” one).
The visible portion of the iceberg that sank the titanic stood about 75 feet above the water. When you consider that the total mass of an iceberg that is typically visible above water is only 10% of the iceberg’s total mass, the Titanic sinking makes a lot more sense.
Unfortunately, IMHO, the California Consumer Protection Act (CCPA) is only the visible part of the “privacy” iceberg we’re all steaming towards.
I have previously noted that GDPR was largely a non-event for non-Fortune 500, US-based companies without an office in the EU. Call that the first iceberg in the iceberg field and the one most of us skirted.

Now we come upon the iceberg marked CCPA.

For the nearly 500,000 US companies that meet the criteria for conformance, there is no skirting it. For the rest of us, it’s hard rudder right and “Whew, looks like we are going to clear it!”
Unfortunately, I think the reality is very few companies are going to skirt the 90% of the privacy iceberg most of them don’t yet see. (And even if they do skirt it, there is another one coming right behind it.)
Instead, it’s time to cut the engines, round up the crew and make the necessary preparations to minimize the unavoidable impact. Damage is an option for your organization but sinking isn’t.
So what is it that lies below the surface ready to knock companies off course? There are three interrelated dangers:

  • Looming regulations
  • Looming guidance
  • Looming expectations

If this sounds familiar, it should.

It’s the information technology/security pattern that we have been following for the last fifteen years: significant public event(s); government/industry responds with regulation(s), you need to prove conformance. Here are some examples:

  • Enron, et al.; Sarbanes-Oxley (SOX) regulations; public companies need to prove compliance with 404 and external audit attestation.
  • Card Systems, et al.; PCI DSS regulations; companies processing credit cards need to file a self-assessment questionnaire (SAQ) or undergo an audit and issue a Report on Compliance.
  • AOL et al.; numerous security regulations; companies processing sensitive data need to prove to their clients they are secure via ISO 27001 and SOC 2 attestations.
  • Experian et al.; GDPR/CCPA and “looming guidance;” companies processing sensitive data need to prove they are compliance via ISO 27018, SOC 2 Privacy criteria, and other looming attestations.

As far looming regulations: GDPR (EU), CCPA (California), LGPD (Brazil), and FDPL (Mexico) are visible. Just below the surface are dozens of other countries and US states that are developing their own privacy regulations.
As far as looming guidance that is just reaching the waterline: ISO has another notable framework that will augment ISO 27018 (which is already a growing expectation for companies processing Personal Information) labelled ISO 27552. While ISO 27018 largely augments the ISO 27001 Annex A controls, ISO 27552 (scheduled to be published Q3 2019) largely augments the ISO 27001 Clauses with the intention of ensuring that your Information Security Management System (ISMS) is also a Privacy Information Management System (PIMS).

…privacy conformance for your business is an eventuality.

NIST has also developed a Privacy Framework modeled on its cybersecurity framework, which includes its five core functions. Like ISO 27552, NIST is expecting to publish Version 1.0 of its new framework in Q3 2019.
Below the waterline there are literally dozens of other guidance frameworks being developed by CSA, OWASP, ISO, IAPP, etc.

As far as the looming expectations:

  • Your customers are going to expect you to conform—whether a regulation technically applies to you or not—because it applies to them or one of their customers.
  • Regulators (like the California Attorney General) will expect you to conform if you meet the criteria defined.
  • Individuals whose Personal Information you work with (your customers or your customers’ customers) are going to increasingly expect you to conform as this becomes the “new normal.”
  • Employees are going to increasingly expect you to conform as this becomes the “new normal.”

About 300 icebergs from the 40,000 or so that the Greenland ice shelf produces each year had reached the shipping lanes the Titanic was following. Had the fateful iceberg been avoided, it was just a matter of time before they encountered another.
Likewise, privacy conformance for your business is an eventuality. If it’s not with the CCPA iceberg, it will be with one that comes after that. Better to start preparing for that eventuality now, before its impact sinks you.