Advancing Trust

Tracing Data Breaches under the CCPA

The California Consumer Privacy Act (CCPA) is a law designed to protect the personal data of California consumers. Personal data includes basic information such as your name and email address as well as sensitive information like your social security number, geolocation, and financial information. Without having protections in place, companies that we interact with have free range over our data. This means they can use it for targeted advertising, allow third parties to have access to it, and they could even sell it for money.

Under the CCPA, California residents have the right to request access to, or deletion of, their personal information, as well as the right to object to the sale or sharing of such information with third parties. Additionally, the law allows for recovery by individuals who have suffered harm as a result of a data breach.

If you are a California resident, and a company that you interacted with encountered a data breach that resulted in unauthorized charges on your credit card, then you may be able to recover under the CCPA. However, your recovery would depend on finding enough evidence to link the charges to that specific company.So, how do you identify the source of a data breach?”

There is no “one shoe fits all” solution to identifying a data breach. Due to the free flow of data between various organizations and the laxidasical security measures that many companies have in place, data breach identification can take years. For example, in 2014 hackers gained access to Marriott’s reservation system and four years passed before the breach was resolved, exposing the information of up to 500 million customers.

Data breaches are most often caused by weak or stolen credentials, application vulnerabilities, malware, malicious insiders, and sometimes by accident. When a data breach occurs, the stolen data may be sold on the Dark Web, which is the black market of the internet where cyberthieves buy and sell your personal  information for profit.  As of last year there were more than 15 billion username and password logins for sale on the Dark Web. With such a wide net of information exposed, data breaches can be difficult to identify on your own. One of the best ways you can trace a breach from a specific company is  when the company itself notifies you of the breach; however, this doesn't always happen.

State law varies on requirements for businesses to notify their customers of security breaches. While the CCPA does require disclosure of security breaches, the CCPA does not apply to all businesses. Therefore, if a California business doesn't fall within the purview of the CCPA, they may not be required to notify you in the event of a breach. 

The best way to protect yourself from security breaches is to implement your own security measures. This means changing your login credentials regularly, keeping your passwords in a safe place, purchasing antivirus software, and even switching to a more privacy-friendly web browser.