Doing business in California is vastly different from operating in other states. The state's stringent laws on privacy, cybersecurity, the environment, and social issues are among the strictest in the country. Additionally, California’s massive technology sector and its robust educational system for technology create a unique and challenging business environment. Khelan Bhatt, CISO at Palo Alto-based Plume Design, provides insight into what doing business in California is like from a CISO’s perspective.
Q. Privacy violations are a huge issue – approaching ransomware in the potential size of the payout. In states like California, where there are aggressive regulators protecting consumer rights, it can be even more challenging. What are the top 3 issues CISOs face when protecting personal privacy rights in California and what must they do to reduce the risk of a privacy breach?
A. First, CISOs must balance business needs with privacy requirements. This means challenging every decision, really getting into the nuances of the financial benefits of capturing and retaining certain PII, costs of safeguarding this data and complying with regulatory requirements, and factoring in costs of a breach.
Second, CISOs must communicate and advocate for their position with internal stakeholders, many of whom may view the CISO as a doom-and-gloom roadblock.
Finally, CISOs need to stay abreast of all the changes to California regulations. For example, the 2023 California Privacy Rights Act (CPRA), an amendment of the California Consumer Privacy Act (CCPA), introduced dozens of changes that impact California businesses.
Q. The CCPA is one of the strongest privacy laws in the US, having been built to emulate the EU’s GDPR privacy rights. For companies dealing with California customers, what must CISOs do differently than when dealing with customers from other states?
A. For decades, California has set the bar nationally in consumer, environmental and other regulatory protections. Our state leads the nation in privacy protections as well. California offers more stringent protections than other U.S. states in the Right to Know, where consumers may know what information businesses collect about them; the Right to Delete, where consumers have a right to have their personal information deleted by businesses; the Right to Opt-out of Sale, where consumers can dictate whether their information is available for sale by a business; and the Right of Action, which allows consumers to sue businesses for privacy violations of the CCPA. These protections naturally come at a cost to businesses. CISOs must take the lead in quantifying these costs so businesses can make determinations on dealing with customers in California versus other states. For practical purposes, it is generally better for a multi-state business to meet CCPA requirements today rather than to exclude the nation’s largest market.
Q. What should CISOs in California know about and do when it comes to privacy rights that they generally get wrong?
A. CISOs should realize how serious the California Attorney General’s office is when it comes to privacy rights and violations of the law. Reviewing the most recently published enforcement actions on its website, the CA Attorney General’s office lists fines of more than $1.2 billion assessed to Google, Anthem, DoorDash, Kaiser, Equifax, Uber, and others. What gets hidden behind these big names and numbers is that any business, even a relatively small one that meets the criteria of the CCPA’s recent amendment, is subject to these same laws — and potential penalties. Unlike in the past, when penalties were strictly a civil matter with monetary fines, every CISO or corporate officer must now also be aware that the penalties might also be criminal in severe cases involving an intentional breach, cover-up, or fraudulent practice.
Q. California’s long history in the tech industry creates almost a mystique about how Californians deal with tech. Yet California has just as serious a problem with ransomware, social engineering, and other cybersecurity vulnerabilities as any other location – in fact, sometimes it’s even bigger. What are some of the employee training issues – be those employees entry level or corporate presidents and board members – that are uniquely Californian, and how do you overcome them?
A. The adage that security is everyone’s responsibility seems particularly true for tech companies. It ought to be a safe bet to assume the California tech industry is beholden to this truth; however, tech as an industry is not monolithic. Organizations are at different stages of maturity and have vastly different business models with varying risk profiles.
Assigning the annual, generic cybersecurity awareness training video to an employee, ignoring their function and organizational level, and irrespective of company maturity, business model and risk profile, is a very common issue. Ebbinghaus’ famous 1880s “forgetting curve” experiment, replicated recently in a publication by the United Kingdom’s National Institute of Health (NIH), states that 70% of newly learned information is forgotten within 24 hours, and 90% is forgotten within a week.
The bad habit our industry as a whole is guilty of is failing to embrace science and offer more routine security training, reinforced at regular intervals, with appropriate content targeted to specific functions within an organization. I have yet to see a cyber insurance policy questionnaire ask more nuanced questions such as frequency of training offered, variety of content based on employee role and industry risk, or other relevant factors.
Q. Aside from the regulatory requirements from the CCPA, what are some of the unique challenges CISOs face when doing business in California?
A. Doing business in a state as vast and dynamic as California, with our $4 trillion economy comprising not just the tech sector but also agriculture, manufacturing, real estate and entertainment, means encountering a diverse set of customers, suppliers and other stakeholders.
These stakeholders have various views on social issues, tech and non-tech aspects, regulation, taxation and competition. Some of them will be a CISO’s strongest ally, because they are well-informed, tech-savvy, early adopters of best practices and understand regulatory frameworks. However, a CISO will also occasionally face a misinformed stakeholder who might be wary of what a changing security and privacy landscape means for their business opportunities.
One example is the current buzz around artificial intelligence. An AI service provider from another region might assume that since its target customer is in California, they would be first to embrace the latest generative AI offering. However, that service provider might not find the warmest reception if their offering is not privacy conscious due to the higher costs associated with regulatory noncompliance in California.