The California Consumer Privacy Act (CCPA) came into effect in January 2020. Much like its European counterpart, the GDPR, the CCPA increases regulatory pressure around the use of personally identifiable information (PII). For many organizations, these regulations are seen as a burden—adding new requirements and additional work.
As a CISO, I am absolutely impacted by these privacy regulations. After all, my role includes ensuring compliance with external requirements. On one hand, this means more responsibility. On the other, I'm glad these regulations exist—and here’s why:
As a CISO, I’m responsible for protecting critical information. PII is simply another category of sensitive data that deserves the same level of protection. The reason this has become such a significant issue is that PII has historically not received the attention it deserves.
Privacy regulations give us an extra push to do what we should have been doing all along:
- Identify what type of information we’re processing
- Understand where it’s stored and why
- Protect it accordingly
All data should be classified according to its criticality. Organizations generate thousands of documents each week, often containing confidential information. Privacy regulations such as the CCPA help drive awareness and action around the classification and protection of these documents.
The requirement to identify what PII is being processed—and where it’s located—is a strong argument for implementing a solid information architecture. Protecting the confidentiality, integrity, and availability of sensitive data starts with visibility. If you don’t know where your critical data lives, how can you ensure it’s adequately protected?
For example, honoring the right to be forgotten under privacy laws requires knowing all the systems and repositories where that individual’s information is stored.
The threat of regulatory fines tied to PII breaches gives me an additional advantage when advocating for greater security investment. In risk management, we often conduct cost-benefit analyses. If the cost of protecting information outweighs the potential consequences, it’s often deprioritized.
But under regulations like CCPA, the potential fines change that calculation dramatically. Now, the cost of inaction may far exceed the cost of robust protection. As a result, stronger security controls become not only justifiable—but good for business.
It’s also important to note: the owners of PII are not the CISO or members of the IT or security teams. They’re typically in departments like HR, Finance, or Marketing/Sales.
Now, these business units must also begin to think about data security. And the more people thinking about data protection, the better it is for the entire organization—and for me as a CISO.
Final Thoughts
Regulations like CCPA help CISOs place a spotlight on information security and move organizations toward more secure data handling practices.
The threat of fines—up to $2,500 for unintentional violations and $7,500 for intentional violations—is real. Consumers may also claim between $100 and $750 per incident. These figures can easily climb into the millions, and should prompt every board member to take a renewed interest in information security.
Christian Olsen is the Chief Information Security Officer at Kriptos.
His experience includes roles as IT Audit Leader and Senior Security Architect at firms such as Ernst & Young and Sopra Steria.