Countdown To Compliance
By Al Martinez, Fusion Risk Management

The EU’s GDPR has shown that every day counts when meeting privacy regulations – making the countdown to CCPA crucial to businesses.
One Year. 365 Days. It might seem like plenty of time for a company to prepare for new compliance requirements. However, as we saw with the General Data Protection Regulation (GDPR), which became enforceable in the European Union in May 2018 after a two-year transition period, it is never too early for businesses to get a head start on meeting regulations.
The recently passed California Consumer Privacy Act (CCPA) will go into effect on Jan. 1, 2020, giving California consumers the right to know what personal information a company doing business in the state collects about them, whether it is sold, and for what purpose. The legislation is a clear sign that governments at both the national and state levels are taking consumer rights and privacy much more seriously.
What does this mean for retail? Consider the holiday season rush that we are in the midst of, and all the data that goes into creating a successful retail experience. Retailers are under intense pressure not only to advertise online and in-store sales effectively, but to target the right audience when doing so, which requires consumer information. Retailers must also run the websites where orders come pouring in, and handle the enormous number of in-store register transactions that take place during this time. It all adds up to massive amounts of consumer data in the hands of the company, and it becomes the company's responsibility to make sure that data is safe and secure.
With so many data breaches taking place every year, retailers certainly understand that they can lose customers, damage their reputations, and potentially even go out of business if they don’t have the proper protocols in place to protect sensitive customer information like credit card numbers, names, birth dates, addresses, and more. The CCPA is positioned to change how businesses process, store, share, and analyze data – holding them more accountable for all the sensitive information they have. But understanding the need for data privacy regulations, and actually taking the steps to ensure compliance, are two different things. And this is where many retail companies fall short.
By The Numbers
The 2018 Thales Data Threat Report, Retail Edition states that U.S. retailers lead the entire world in data breaches. The report offers some staggering statistics to back this up:
- The share of U.S. retailers reporting a data breach in the past year has more than doubled since the 2017 Thales report, rising from 19 percent to 50 percent. The global average of retail executives reporting a breach in the past year is 27 percent.
- The share of U.S. retailers that have reported a data breach at any point in the past is up to 75 percent, with half of those breaches occurring in the past year. Of global retailers, 60 percent have reported at least one breach at some point in the past.
- U.S. retail is the second most breached segment analyzed by Thales, trailing only the U.S. federal government.
- 84 percent of the U.S. retailers polled by Thales are increasing information technology security spending, seven percentage points higher than last year.
The Thales report goes on to state that the money retailers are spending on IT security is going "in all the wrong places," with most of it directed at the security measures the report's respondents rate as least effective.
These numbers are alarming for retailers and consumers alike. There is clearly a wide gap between the security needs of retail organizations and the implementation of effective security measures. But Garrett Bekker, principal analyst for information security at 451 Research, states that this should not come as a surprise to retailers, noting that "nearly 95 percent of retailers acknowledge vulnerability to data breaches." That is a 30 percent increase over 2017.
From Awareness To Action
Admitting there is a problem is the first step in finding a solution. It is clear that consumer information is at greater risk now than ever, which is why regulations like GDPR and CCPA have been passed. However, it is not as simple as declaring oneself "compliant." Anyone who has been required to meet the standards of the GDPR can attest that meeting these extensive privacy regulations is an involved, detailed and, at times, confusing process. In fact, many enterprises doing business in the EU are still working to catch up on their GDPR obligations, even though the regulation officially became enforceable several months ago.
There are many different pieces that make up the "retailer puzzle," and that in itself makes governing data protection and ensuring privacy more difficult than in many other industries. The most important action companies doing business in California can take is to start preparing immediately for CCPA, with these issues in mind:
- The Physical Nature Of The Business
In general, the retail industry has a strong focus on the physical elements of security: protecting merchandise, stores, warehouses, and corporate headquarters buildings. Retailers put a great deal of thought, investment, and effort into physical security and physical loss prevention. This is a good thing in itself, and retail decision makers have become experts in physical security. But a side effect is that many retail companies fail to give the same consideration to the threats to their data and IT systems.
- A Widespread Employee/Vendor Network
Retail has one of the widest geographic dispersions of employees and vendors of any industry, and remote touchpoints are not easy to govern and monitor. The farther away a touchpoint is, and the more touchpoints that exist, the easier it is to take an "out of sight, out of mind" approach. This, in turn, creates more risk.
- The Use Of Vendors For The Customer Payment Process
Retailers often assume that the payment transaction vendors they partner with are wholly responsible for any security issues or breaches in the payment process. Once again, the physical mindset of retailers (falsely) puts them at ease. It is very easy for a retailer to take the stance that, if it does not touch the credit card and does not handle the transaction directly, but instead pays a service provider to manage payments, any security breach is the full responsibility of that third-party vendor. However, that is not the case.
When breaches occur, the retailer is held accountable by the customer, whose perception will always be that the store where the breach occurred is at fault. The CCPA shares many of the same principles as GDPR, including the obligation of the business to appropriately safeguard the personal data it holds against breaches, regardless of which vendor is processing that data. GDPR and CCPA are really only the first drops in what will soon be a flood of data privacy regulations, both in the U.S., at the state and federal levels, and throughout the rest of the world. A program for inventorying vendors and assessing the risk in their operations is essential to protecting the customer data they handle on the retailer's behalf.
The Keys To Compliance
Companies that have been through a GDPR program, and have already implemented the procedures and processes needed to meet that existing obligation, will be ahead of the curve for CCPA. However, many U.S.-based companies that were not affected by GDPR now find that complying with the privacy requirements of CCPA is not optional. As California is the largest state by population in the U.S., almost every business of scale has at least one customer there.
Retailers can put themselves in a position to meet the obligations that come with CCPA, and the obligations that will follow it, by running their privacy programs on a risk management system. A comprehensive system provides the scalability, consistency, and auditability required to keep up with ongoing regulations. Companies must be able to track every element of their preparation, including who is responsible for which action items, when deadlines are coming up, and who is collaborating on each item. A full risk management program makes this much easier to manage and control. The system tracks the work; the underlying tasks, such as inventorying personal data, mapping where it flows, and building the process for answering consumer requests, still have to be carried out and evidenced.
One of the biggest issues businesses faced in trying to meet the GDPR deadline was that they could not efficiently track and manage the whole process of meeting the requirements. One survey, conducted by law firm McDermott Will & Emery and the Ponemon Institute in the weeks leading up to the GDPR deadline, found that 40 percent of respondents said their companies would not be compliant until after the deadline, and eight percent said they were not sure when their organization would be compliant. Retailers do not want to be similarly unprepared when CCPA goes into effect.
The retail industry will continue to be the center of attention in discussions of data privacy regulation because the volume of valuable data and personal information it holds is so large, and CCPA will certainly not be the last bill passed in the U.S. on these issues. The evolution of data privacy is forcing companies to do more to safeguard themselves and their customers, and comprehensive plans that are easily shared and worked on collaboratively are an important step in preparing for the countdown to compliance.
About The Author
Al Martinez is Senior Advisor for Fusion Risk Management.