Data Privacy Day Part II: Passwords and the CCPA

Just moments ago, we shared expert commentary from identity and access management experts for Data Privacy Day. We shared their insights into consumer privacy and enterprise identity management efforts to protect it. In fact, we shared quite a few interesting quotes and best practices for identity management. 

However, this event—an international celebration of security awareness on privacy—generated a lot of commentaries. As we sorted through the insights, we found two common themes: passwords and the California Consumer Privacy Act (CCPA). 

Therefore, we decided to share those expert commentaries as well. Here they are! 

Data Privacy Day Part II: Passwords and the CCPA  

Laurence Pitt 

Laurence Pitt is Global Security Strategy Director at Juniper Networks

“Data protection affects all of us and this will not change. We share more online than ever before. What this means is that while the burden of responsibility for protecting online data resides with the vendor, we (as consumers and users) also need to step up and ensure that our online activities are well-protected. Many breaches still occur where the basics, such as weak or reused passwords, are a root issue.”

“If I were to give a single piece of advice to help people be better protected, it would be to make sure to use the best password you can. Believe it or not, ‘password’ and ‘123456’ are still the most commonly used passwords in 2019.” 

“There are many ways to create strong passwords manually. My personal recommendation is to use a password vault…Not only will these store passwords and automatically share them across devices, but they are also able to create new and strong passwords automatically. This means every site you access can easily have a strong and different password and you only need to remember the single strong password created to access the tool.”

Ido Safruti

Ido Safruti is the co-founder and CTO of PerimeterX

“A less-known but critically important piece of the CCPA is that liability for breaches extends to third-party services that web application publishers and operators use. This includes information security companies, payment processors, chatbot operators, and any other provider of third-party services. Your organization may be responsible not only for security problems and breaches affecting your own code but also for code that is not even operating on your site.

“This is true as long as that third-party code is included in your user experience or exposed to your users in the web application. Nearly all web applications (including web, mobile web, and hybrid mobile applications) use third-party JavaScript libraries and services to add functionality and improve performance.”

“Now is a good time to protect yourself from liability, to ask all third-party service providers for detailed answers to the following questions.

• Do you capture any of our user data?
• How, where and when? Please explain the mechanism.
• If you do capture our user data, what is your own CCPA policy and database access structure?
• Can you provide an easy mechanism for us to access any user data you collect and provide it to our end users as part of a comprehensive CCPA report?
• What are you doing to monitor data privacy laws that other states are likely to enact?”

“In addition, demand certification information and make it a condition of ongoing business.” 

Jonathan Deveaux

Jonathan Deveaux is Head of Enterprise Data Protection at comforte AG

“Use a password manager application and vault. Let 2020 be the decade you finally stop using yellow sticky notes to store passwords and user IDs.” 

“Always use a VPN. You probably use one for your work activity, so why not use one for your personal activity? Using a VPN is especially important when you connect to the Starbucks Wi-Fi, or airport Wif-Fi, etc. Don’t be the subject of wi-fi attacks – use a VPN to keep your data private.” 

Richard Bird

Richard Bird is CCIO at Ping Identity

Tips for businesses who are navigating CCPA requirements

“The fundamental hurdle in achieving CCPA compliance for almost all companies today is incomplete data classification within their enterprises. Companies have put a huge amount of effort into the operational implications of CCPA to allow consumers to exercise their rights for data to be directed for use or deleted.” 

“But, very few companies have really mined their organizations to see how much consumer data leakage has occurred. As California moves into enforcement mode it is certain that compliance audits and reviews will discover consumer data that has been exposed. Those companies will be found deficient not only in meeting the data control requirements for CCPA but also for not having effectively deleted data completely if a consumer had previously requested it.”

“Companies should plan on their third-party providers that process consumer requests related to CCPA data actions and deletions to fail. The CCPA landscape is new for everyone and early indications suggest that consumer requests for actions on their data are struggling.” 

How to Secure Your Passwords In the CCPA Landscape

Thanks to all of our experts for their time and expertise. Also, for more information, be sure to check out our Identity Management Buyer’s Guide. 

Widget not in any sidebars