June 10, 2020 The Ticking Clock of CCPA Compliance for Manufacturers

Manufacturers face varied challenges in meeting the July 2020 CCPA compliance deadline to overcome privacy and security hurdles.

Establishment of a cross-functional CCPA compliance team is crucial for CCPA compliance.

By Jon Mendoza, CISO, Technologent

The Attorney General (AG) has mandated July 2020 as the date to begin enforcement of the California Consumer Privacy Act (CCPA). The challenge for manufacturers can be seen in a recent PricewaterhouseCoopers survey of 300 U.S. companies showing only 44 percent of them are confident they will meet the requirements of the law by the deadline. With data privacy and security a priority, meeting the looming deadline in a cost-effective way is a major challenge for the entire sector.

Manufacturers considered covered businesses under CCPA must have protocols, mechanisms, and technology in place for consumers’ right to data access, deletion, opt-in/opt out and other CCPA requirements. Civil penalties from the AG can start at $2,500 per violation and go as high as $7,500.

Businesses across all manufacturing sectors are subject to CCPA compliance due to online information collection, product use, upstream customer/government contracts or embedded technology such as medical or IoT devices or the use of personal information for design or testing.

Developing these data collection/retention policies and the technologies necessary both internally and ensuring they meet third-party supplier and even supply chain end-point providers can seem a daunting task. Meeting the tenets of the law can affect everything from product design/development to website and product support, cloud strategy integration, and the crucial workflow and systems creation for managing data rights requests. This sets up the need for a compliance strategy where manufacturers must:

• Show why they possess customer data
• Fully map where the information goes, including across their supply chain
• Keep the data safe at rest and in transit
• Conduct due diligence and then establish controls across the manufacturing supply and value chain
• Ensure vendors and third-party suppliers receiving data are compliant
• Enact monitoring to ensure their vendors are in compliance with those data controls

CCPA Compliance Challenges for Manufacturing Verticals

Manufacturers like other covered businesses under CCPA collecting and possessing consumer private information are the fiduciaries of that sensitive information. This means organizations must first account for, classify, and institute reasonable security controls to protect the sensitive information. That responsibility under CCPA goes from the network to the cloud as part of a data privacy and cybersecurity strategy.

To do this requires accounting for the location of every information asset with true visibility, access, and control. This enables fulfilling the key CCPA element of:

• Fulfilling individual and consumer privacy requests for purging or non-sharing of that data
• Demonstrating the ability to competently fulfill and communicate this request to their third-party partners and contractors

There will be an outsized impact on major manufacturing sectors such as:

• Automotive
• Medical device
• Pharmaceutical
• Biotechnology
• Those creating Internet of Things (IoT) enabled products

These and many other manufacturers collect one or more of the following data:

• Personally identifiable information (PII)
• Personal health information (PHI)
• Payment card industry (PCI) data.

This data has many sources and systems ranging from the product testing, development manufacturing and supply chain to the sales, marketing, and support portions of the product lifecycle.

IoT device manufacturers across the country are subject to CCPA requirements and those in California are also subject to SB 327. This California IoT law requires manufacturers of connected devices to equip the device with reasonable security features that protect collected or transmitted data from unauthorized access or disclosure.

Medical device manufacturers create devices that collect and transmit protected data, which requires additional safeguards and protocols to meet CCPA requirements. Auto manufacturers are essentially producing an electronic device collecting data sent back to the manufacturer via on-board diagnostics, telematic systems, infotainment and driver inputs.

Supply chain, sales, and marketing share a great deal of data that would be classified under CCPA. This is data at rest and in transit from the network to the cloud and beyond the network edge, in databases and shared among third-party providers and suppliers across the supply and value chain. Manufacturers can develop a holistic strategy approach to data privacy, security, and CCPA compliance that will continually adapt to evolving needs.

CCPA Compliance and Security Strategy Approaches

Meeting the CCPA requirements in manufacturing requires a strategy encompassing technology/IT changes, policy implementation, and cybersecurity strategies. This process starts with:

• Establishment of a cross-functional CCPA compliance team with clear, attainable goals aligned with organizational budgets
• Related process assessments
• Inventory of data you collect and use
• Determine data destinations and the purpose
• Conducting risk assessments and protocols for insights on all those handling this data
• Software solution implementations for automatic tracking, access, purging and end-user notification of requested personal data outcomes

CCPA compliance sits at the nexus of data privacy, cybersecurity, technology implementation, policy implementation and education. Having clear IT and security support partners can help create, implement, execute, monitor, and revise the strategy.

As the CCPA requirements evolve, manufacturers may best be served by having an expert partner in these areas to support revision of technologies and policies to keep up with the changes and address any audit needs.

Jon Mendoza

ABOUT THE AUTHOR
Technologent Chief Information Security Officer Jon Mendoza has over 24 years of experience in Information Technology and Cybersecurity. He has created security programs for businesses and organizations and has led a team of engineers from various IT disciplines and domain. He has a Bachelor’s in Computer Information Systems and is currently completing his Master’s program in Cybersecurity engineering. He lives in Southern California with his wife, two kids, 4 dogs, and his African Grey Parrot. Visit www.Technologent.com.

Subscribe to Industry Today