Key things you should know for developing compliant applications and bringing current applications into compliance
Privacy legislation is heating up
The European Union's General Data Protection Regulation (GDPR) came into force in 2018. Not long after, the state of California followed suit and set a U.S. precedent with adoption of the California Consumer Privacy Act (CCPA). These two important laws underline a growing appetite for privacy regulation. There is a growing public concern about misuse of personal data, given numerous data breaches, inappropriate use of personal data for targeted advertising, and other areas of concern such as usage of personal data for political targeting as reported in the case of Cambridge Analytica.
With years of debate and vast preparation, the European Commission proposed a set of data protection rules for any organization that handles private data pertaining to EU citizens: the General Data Protection Regulation (GDPR). The legislation was created taking into account the rising number of data breaches and hacker attacks (especially attacks on web applications), with the intention of giving EU citizens more control and transparency over their data while also unifying data protection regulations for businesses.
Following the EU's example, California adopted the CCPA (Assembly Bill No. 375) in late June 2018, with an effective date of January 1, 2020. The CCPA is not quite as strict as its European counterpart, which is why some view it as more balanced between consumers' rights and businesses' obligations. But both the CCPA and GDPR introduce many of the same principles.
While these laws affect many aspects of business, this brief will focus on how the right approach to Application Security can help you be compliant with privacy legislation around the world, based on the example of GDPR and CCPA requirements.
Who must comply with the legislation?
In general, the GDPR has a wider scope: it applies to almost any organization outside or inside the EU that offers services, goods, or tracks any person in the EU. The CCPA applies to entities that do business in California or collect data of Californians, with some exemptions. While this might seem to be limited to the state of California, there is hardly any U.S. or international business that can guarantee it does not collect data from California.
GDPR | CCPA |
Any organization that controls or processes personal data, whether private or public, for profit or not, big or small, involved in processing in the context of the activities of establishments in the European Union. The Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union. The main responsibility lies with "controllers," with some defined obligations for "processors." | For-profit businesses who collect and control California residents' data, conduct business in the state of California, and meet one or more of the following requirements must comply:
An exemption applies if your company is compliant with other similar legislation such as California's Insurance Information and Privacy Protection Act (IIPPA) or a health provider under HIPPA. Similarly to the GDPR's "controllers," the CCPA defines those responsible as "businesses"; "processors" are defined as "service providers." |
How are the GDPR and CCPA enforced?
The definitions of personal data or personal information are fairly similar across the CCPA and GDPR. The CCPA contains a few more qualifiers and exceptions, however.
GDPR | CCPA |
Infringements are subject to administrative fines up to €20,000,000, or in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher. | The civil penalty for each violation of the CCPA is up to $7,500 for intentional violation and $2,500 for unintentional ones with a 30-day cure period. However, in addition to action from the California Attorney General, consumers also have the explicit right to seek statutory or actual damages if their personal data is exposed, stolen, or disclosed due to poor security practices. Up to $750 per incident per consumer in a given case. |
How do these laws define "personal data"?
The definitions of personal data or personal information are fairly similar across the CCPA and GDPR. The CCPA contains a few more qualifiers and exceptions, however.
GDPR
The GDPR governs personal data, defined as any information about any person living in the EU whose identity can be determined, directly or indirectly, by name, ID number, location data, an online identifier, or information relating to the physical, physiological, genetic, economic, cultural, or social identity of said person.
CCPA
Personal information is defined as follows:
- "Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers"
- "Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies"
- Biometric information
- "Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement"
- Geolocation data
- Professional or employment information
- Non-public education information
- Metadata, or "inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes"
- The act impacts all companies who handle this type of data of any California citizens
With these key concepts in mind, this brief will cover the following topics from an AppSec standpoint:
- Overview of GDPR requirements
- Overview of CCPA requirements
- Developing and operating compliant applications. A brief on requirements for developing secure applications and what to do with current ones.
- How PT Unified AppSec can help you make compliant applications. All-in-one solution to make legacy and new applications compliant with the GDPR.
GDPR requirements overview
The new GDPR supersedes Data Protection Directive 95/46/EC. The old law was ineffective in practice, as enforcement and implementation differed from country to country within the EU.
Additionally, with the explosion of uncontrolled data collection, big data, and the increase in data breaches and leaks, the former Directive could not keep up with the new reality. With enforcement of the GDPR beginning May 25, 2018, security has undergone a paradigm shift, as the focus moves from infrastructure to people.
The GDPR protects the fundamental rights and freedoms of EU citizens and residents by placing requirements and obligations on organizations to follow the principles of lawfulness, fairness, and transparency. Processing of any data may occur only after clear, explicit consent from users (no checkboxes-by-default) or in some other defined cases such as performance of a contract or legitimate interests. Moreover, information on processing of personal data should be explicit and legitimate, easily accessible, and easy to understand.
Communication to users must be completely clear with regard to:
- The fact that personal data is being collected, used, consulted, and processed.
- Risks, rules, safeguards, and rights related to the processing of personal data.
- The way in which one can assert his or her rights with regard to the processing of personal data.
- Data breaches if they are likely to present high risks to the rights and freedoms of individuals.
Additionally, the legislation gives some important rights to users, including:
- To request and obtain access to your personal data.
- To rectify and delete personal data concerning you.
- To request erasure (the "right to be forgotten").
- To not be subject to profiling.
- To restrict processing.
The GDPR also introduces important requirements such as designating a Data Protection Officer (DPO) for large-scale processing to ensure compliance with regulations as per Articles 38 and 39. Additionally, the GDPR requires notifying the Data Protection Authority (DPA) within 72 hours of any security incidents likely to affect personal data. Beside these organizational changes, there are also many technical measures for data protection: the GDPR aims to incentivize businesses to focus on securing data by means of encryption, pseudonymization, and protection by default and design.
If you plan for your applications to be compliant with GDPR requirements, there are four articles to which you should pay particular attention:
- Article 25: Data protection by design and by default
- Article 32: Security of processing and security assessment
- Articles 33, 34: Data Breach transparency requirements
What are the penalties for non-compliance?
The GDPR authorizes regulators to impose high fines: up to €20,000,000 or 4 percent of the total annual global turnover of the previous financial year, whichever is greater.
CCPA requirements overview
The CCPA expands upon Californians' right to privacy enshrined in the California Constitution since 1972. As stated in the bill itself, "Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information." Legislators in favor of the law cited past data breaches and manipulation of Facebook users.
Broadly speaking, the CCPA takes a similar approach to protecting personal data as the GDPR, but imposes fewer specific requirements and strikes a more balanced approach between the privacy rights of users and obligations on business.
The main goals of the law are to provide the following rights to Californians:
- To know what personal information is being collected about them.
- To know whether their personal information is sold or disclosed and to whom.
- To say "no" to the sale of personal information.
- To access their personal information.
- To receive equal service and prices, even if they exercise their privacy rights.
Some tips on complying with CCPA requirements
- Make sure to update policies and notifications
The CCPA requires specifying why are you collecting data, what kind of information is being collected, and for what proposes (to be shared, sold, processed, etc.). - Update your web applications
You now need to add a clear way for users to exercise their rights, such as opting out or requesting to delete all stored data. - Map your clients' information
You need to be transparent about how and where client information is stored. The CCPA grants greater opt-out rights for personal information sales than the GDPR. You likely will have trouble pulling this information together from different applications. - Inform your clients of privacy policy updates
- Reduce risks by getting rid of unnecessary or old personal data
- Update your internal policies
You need to be ready to inform about a breach in a specific format, with exact information about the nature of the breach, information affected, what you are currently doing, what the client can do, and a clear way for users to reach out for clarifications. In addition, you need to check how access controls are implemented throughout your applications. - Adopt security practices
CCPA requirements regarding specific security practices are less specific than the GDPR, with a greater focus on tracking, accessing, and storing data. However, you are required to keep client data secure by looking out for threats and vulnerabilities.
What are the penalties for non-compliance?
The state of California may bring actions for civil penalties of $2,500 per violation, or up to $7,500 per violation if intentional. However, the CCPA also grants businesses a 30-day cure period for violations that have been detected.
Consumers have a private right of action to seek the greater of actual damages or statutory damages, ranging from $100 to $750 per consumer per incident. Courts may also impose injunctive or declaratory relief.
Compliance requirements for Application Security
In the context of application security, GDPR has more explicit requirements for data security that organizations need to take into serious consideration.
If you have an application that processes personal data, then the GDPR requires that organizations follow security "by design and by default" for data protection (Article 25). Data protection considerations should be embedded into the application, which is much cheaper to do during the earlier stages of the application lifecycle. GDPR-mandated approaches (encryption, classification, etc.) should be embedded and discussed starting from the design stage. In later stages of the lifecycle, technologies for automating protection against attacks and testing for security vulnerabilities during development and deployment should be considered—they offer a way of operationalizing a protection-by-design mindset and approach.
When the application is operational, data protection and security of processing (Article 32) ensure that the application is handling data securely, and that no vulnerabilities threaten personal data. This same GDPR article (Article 32-d) also requires having a clear understanding of your current vulnerabilities by establishing "a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing."
GDPR Articles 33 and 34 require transparency in case of a breach, with notifications to the regulator and the end user. For example, it requires the controller to report a breach within 72 hours, which means you need to have 24/7 visibility into your applications.
The CCPA does not have similar data security requirements, as it is more focused on consumer privacy rights. However, one of the drafts of the CCPA mentioned NIST standards as a guideline for data security practices. So from an Application Security point of view, you can use NIST frameworks such as SAMATE (Software Assurance Metrics And Tool Evaluation) to make sure you are putting adequate security controls in place.
Additionally you can check our guide for securing web applications if you want to get a high-level understanding of the actions necessary to achieve integrated application security.
How Positive Technologies can help your app be compliant
Positive Technologies offers a range of application security services, which extend from uncovering current vulnerabilities (in both web and mobile applications, with an action plan for fixing these problems) to providing services for breach investigation. We also provide services to increase security consciousness inside your organization with hands-on workshops, phishing awareness, and other educational services to ensure security by design and default.
Automate vulnerability assessment and enforce security-by-design by embedding PT Application Inspector, our AST code analyzer, into your development process. PT Application Firewall safeguards your live applications in a complementary way. This solution has been specially designed to provide data protection and security of processing for your applications. Additionally, this solution greatly aids visibility to ensure that in the unlikely case of a breach, you have an idea about the type of attack, impacted data, and other key facts.
Solution—requirement mapping
GDPR article | AppSec requirements | Positive Technologies solution |
Article 25: Data protection by design and by default | Embed security in your development process and perform regular security assessments. | |
Article 32: Security of processing | Protect data processed in applications from any potential attacks. Ensure availability against L7 DDoS. | |
Articles 33, 34: Data Breach transparency requirements | For visibility and understanding of breaches, maintain full visibility and logging for apps. Deploy a web application firewall (WAF) to understand attack types and impacts (although having a WAF deployed in-line makes such attacks highly unlikely). |
Get in touch
will contact you shortly