January 7, 2020 | IBM i

CCPA Compliance and the IBM i

The California Consumer Privacy Act of 2018 (CCPA, California Assembly Bill No. 375) went into effect on January 1, 2020, adding another layer of compliance requirements for the average organization doing business with California residents.

But what do IBM i shops need to be compliant with CCPA? Here’s some information you need to know about what CCPA is, who it covers, and how it affects IBM i shops.

What does the CCPA do?

In 1972, California enshrined the right of privacy as a legal and enforceable right for all Californians. CCPA was passed in 2018 to provide additional privacy rights for California residents to:

  1. Know what personal information is being collected about them, and the categories and specific pieces of personal information that have been collected
  2. Know whether their personal information is being sold or disclosed and to whom
  3. Say No to the sale of personal information (the right to opt out)
  4. Access their personal information
  5. Allow Californians to request businesses to delete any personal information the business has collected
  6. Outlaw discrimination against consumers when they exercise their rights under the CCPA

The first five rights require new notification, inquiry, and updated IT systems, allowing Californians to access and control their personal information. The sixth right guarantees that California residents exercising their rights will not face discrimination, in the form of unequal prices and services, after asserting their rights.

There are many other requirements and obligations in the CCPA that support these rights. You can read the entire CCPA text by clicking here.

When does the CCPA take effect and who does it affect?

CCPA became effective on January 1, 2020. While the California Attorney General’s (AG) office will not start bringing enforcement actions for CCPA violations until July 1, 2020, the AG office has stated it will enforce violations that occurred starting January 1, 2020.

CCPA compliance applies to any entity doing business in the state of California that collects and processes consumer personal information and meets one or more of the following requirements.

  1. Has revenues in excess of twenty-five million dollars ($25,000,000)

Or

  2. Buys, receives for commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices, alone or in combination with others

Or

  3. Derives 50 percent or more of its annual revenue from selling consumers’ personal information

In addition, any entity that controls or is controlled by a business (as defined by one or more of these conditions) or an entity that shares common branding (shared name, service mark, trademark) with a covered business is also covered under CCPA.

Personal information covers data that identifies, describes, relates to, or could reasonably be linked with a particular consumer or household. This data includes:

  • Identifiers (real name, aliases, postal address, email address, IP address, account number, social security number, driver’s license, passport, or other identifiers)
  • Categories of personal information and other protected classifications under California law
  • Commercial information (property, products, services) purchased, obtained, or considered, along with purchasing and consuming histories and tendencies
  • Biometric information
  • Internet or other electronic network activity (browsing and search histories, as well as information on interactions with Web sites, applications, or advertisements)
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory, or similar information
  • Professional or employment-related information

Consult the CCPA legislation for the complete list of information that’s covered.

CCPA for IT departments and IBM i shops

CCPA compliance is comparable to GDPR compliance. If you’ve already changed your systems for GDPR, you should have a start for compliance but will need to add more pieces. Table 1 shows some of the key areas you’ll need to focus on to satisfy CCPA requirements. Consult the CCPA or legal counsel for more guidance.

Table 1: Some of the key areas to consider for CCPA compliance

Who’s covered by CCPA in your network
Personal information database discovery, mapping, and inventory
Managing consumer access and deletion requests
Security considerations
Changing your front-end and back-end systems for CCPA

Who’s covered by CCPA in your network

While CCPA only covers California residents, it may be more cost-effective to offer CCPA privacy options to all your customers, whether they reside in California or not. Offering CCPA protections that cover California and other states will reduce the overhead in creating and maintaining two sets of privacy options, one for California and one for everyone else. It’s also probable that CCPA-like standards will continue to be implemented in other states or be used as the basis for other standards. Extending CCPA standards to consumers outside California will better prepare you if and when these standards become effective in other jurisdictions.

The first key area is to decide whether your CCPA compliance efforts will only focus on California residents or whether they will apply to all your customers.

Personal information discovery, mapping, and inventory

Inventory what covered personal information you’re collecting and retaining on your CCPA-covered customers. CCPA requirements specify disclosure to consumers of what information is being collected and the purposes for which it’s collected, as well as the categorization of that information.

Above all else, CCPA disclosure and removal is a database project. You need to understand what information you’re collecting, where it resides, and how it needs to change to meet CCPA requirements.

At the very least, you’ll need to know the following about how personal information is being collected, tracked, and managed.

  • Where the information comes from and what purpose collecting it provides
  • Where and in what forms personal information resides (databases, replicated copies, transmissions, reports, backups, etc.)
  • How personal information is categorized
  • Which third parties provided what personal information to you
  • Which third parties you are sharing personal information with and what information is being shared
  • How the information is processed and whether the information also exists in transitional forms
  • Retention periods for the information (how long you keep information)
  • How personal information is secured

For IBM i purposes, you’ll need to know the specific databases personal information is stored in; whether the information is encrypted; how the information is backed up, stored, and replicated; the retention and removal periods for the information; and how the information is transmitted or reported to and from third parties and other entities.

Managing consumer access and deletion requests

California consumers must be able to submit requests to obtain, access, and delete their personal information from your systems. They also have the right to opt out of the sale of their personal information. Any CCPA-related consumer request must be verifiable as having come from the consumer or their representative. CCPA requires, at a minimum, two or more methods for submitting verifiable consumer requests. The first method is a toll-free number. The second method is a Web site address, if the organization maintains a Web site.

Businesses will need to disclose and deliver the required information, free of charge, within 45 days. The disclosure can be delivered through the customer’s account with the business. However, the customer doesn’t need to have an account to submit verifiable requests. The business can also deliver requested information either electronically or through the mail, if no account is available.

There are also requirements to post notices at or before the point of personal information collection, informing the consumer about the categories of personal information that will be collected and the purposes for which their personal information will be used.

CCPA requires you to change the interfaces through which the user interacts with your organization (including toll-free numbers, kiosks, apps, green screens, Web sites, personal device interfaces, etc.) to provide the following information and more, at the time of collection.

  • Notices about the collection of personal information
  • Verifiable processes through which the user can request personal information disclosures, request to have their personal information removed, or opt out of the sale of their information
  • Mechanisms for delivering personal information through either the consumer’s personal account, electronic delivery, or mail

These interfaces will reside on your IBM i systems and on companion systems that feed information to your IBM i. A complete inventory and plan for changing consumer interfaces to their personal information is critical for CCPA compliance.

Security considerations

The CCPA specifies that a consumer whose nonencrypted and nonredacted personal information is subject to “…an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement reasonable security procedures and practices…and to protect the personal information may institute a civil action…” (emphasis ours).

You will also need to review and tighten security surrounding your CCPA-protected information. For the IBM i, the following items should be evaluated and updated as needed.

  • File and field-level encryption—The IBM i operating system and several third-party products, such as iSecurity Encryption, provide file and field-level encryption to protect personal information against disclosure. Encrypting personal information stored on IBM i is an important requirement to avoid civil action after a data breach, as noted above.
  • Firewalls—Determine whether the current firewall setup is adequate for CCPA standards. Consider adding an IBM i-based firewall such as iSecurity Firewall, to provide an additional element of security for CCPA information.
  • Application security software—IBM i application security packages such as iSecurity AP-Journal can monitor and audit your databases for suspicious activity or modification. These packages can be used to track whenever personal information is accessed.

Changing your front-end and back-end systems for CCPA

Once you know what personal information you’re collecting and where it resides, as well as what interfaces the consumer uses to interact with that information, you’ll be ready to determine what IT systems on your IBM i and companion systems need to be modified for CCPA compliance. Here is a partial list of the IBM i and other IT modifications you’ll need to consider and put in place for CCPA compliance.

  • Implement new security features for your IBM i, as needed, for encrypting data, firewall protection, application security, and auditing
  • Define and institute database modifications for separately tracking where consumer personal information is coming from, the origin and age of that information, whether that information came from or is being transmitted to a third party, whether the consumer opted out of sharing or selling personal information, and whether you have collected and deleted personal information for an individual consumer or household
  • Ensure any backups, replicated copies, transmitted copies, and other transactional versions of personal information are also protected
  • Update your back-end processes to process and track consumer disclosure, opt out, and deletion requests; consumer request responses; and personal information movement to and from third parties
  • Create or modify your auditing system to track and report on the movement and deletion of personal information
  • Create or modify front-end systems for each interface where users provide their personal information. These systems will need notifications before and at the collection point stating that your business is collecting personal information, the categories of what you’re collecting, and the purpose for the collection
  • Create new interfaces where the consumer can opt out of (say No to) the sale of their personal information
  • Create new interfaces where the consumer can request personal information disclosures or request to have their personal information deleted
  • Create new interfaces for delivering the results of a consumer’s personal information request to the consumer, either through the user’s account, electronically, or through the mail

With this post, we’ve attempted to give you an overview of CCPA compliance and what’s needed for the IBM i. Please consult the text of the CCPA law and legal counsel for more information.