What is CPRA and How Data Masking Can Help You Comply
In November 2020, California voters passed Proposition 24, the California Privacy Rights Act (CPRA). To be clear, the CPRA does not replace the existing California Consumer Privacy Act (CCPA). Instead, it’s more accurate to describe the CPRA as an amendment to the CCPA, providing additional context and closing some of the ambiguity and loopholes found in the original.
The CPRA goes into effect on January 1, 2023. Let’s review the CPRA and focus on what ERP customers need to know.
From CCPA to CPRA: What’s the Difference?
The CPRA builds on the privacy framework put in place by the CCPA and is being implemented as an amendment. The new law states that it amends the existing provisions of the California Civil Code, also known as the CCPA, to add new provisions. It also establishes a dedicated enforcement agency for consumers, triples fines against companies that violate kids’ data privacy, and makes it harder to weaken privacy laws in the future.
Two of the more notable additions in the CPRA are that the law expands the right to opt out of the sharing of information and establishes new rights to limit how businesses use “sensitive personal information,” a new term defined broadly to include, among other things, information about health conditions, genetic data, race and ethnicity, sexual orientation, precise geolocation, and more.
ERP applications already store an abundance of personally identifiable information, such as Social Security Numbers, driver’s licenses, or passport numbers. This new data classification adds to the effort of identifying and classifying information necessary to remain in compliance.
How Pathlock Enables CCPA/CPRA Compliance
Successful organizations will invest in technologies that monitor user behavior around data access and usage. However, in today’s multi-application environment, where data is distributed and shared between applications, it can be challenging to implement data privacy policies consistently.
This is where Pathlock becomes an essential tool for compliance. It expands native ERP logging capabilities to capture contextual details like what data was accessed, where it was accessed from, user IDs, IP addresses, pages accessed, actions performed, and more – information paramount for compliance reporting. This contextual information can play a key role in helping security and compliance teams orchestrate policies controlling access to sensitive data.
Enhance CPRA Compliance with Pathlock’s Data Masking
Pathlock’s Data Masking module lets you dynamically mask and anonymize data at the field level and at the point of access, allowing you to easily enforce data governance policies beyond simple role-based controls. In addition, Pathlock offers a cross-application solution that enables you to enforce policies across multiple applications using a single interface.
The module’s dynamic masking capability provides organizations with fine-grained controls that can mask sensitive data fields based on the user and the context of the access, such as location, IP address, time, data sensitivity, and more. By applying a full or partial mask to a data record, Pathlock minimizes the risk of a data breach and fulfills privacy mandates imposed by regulatory acts like CPRA.
Pathlock goes a step further to also provide granular controls like click-to-view and in-line multi-factor authentication at the field and transaction level. This allows you to grant access to essential sensitive data while ensuring that the access is logged. Security teams can also use this feature to set up alerts.
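One way to express the context-dependent masking and access logging described above, as an added example that is not Pathlock's code or API. The field classification, role names, trusted network, business hours and sample record are all constructed assumptions.

```python
import ipaddress
from datetime import time

# Constructed policy values: network, hours and role names are assumptions.
TRUSTED_NET = ipaddress.ip_network("10.20.0.0/16")
BUSINESS_HOURS = (time(8, 0), time(18, 0))
# Sensitive field -> roles allowed to see it at all.
SENSITIVE_FIELDS = {"ssn": {"hr_admin"}, "passport_no": {"hr_admin"},
                    "health_condition": {"benefits_admin"}}

def partial_mask(value, keep=4):
    """Hide everything except the last `keep` characters."""
    value = str(value)
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]

def decide(field, ctx):
    """Return 'clear', 'partial' or 'full' for one field in this access context."""
    allowed_roles = SENSITIVE_FIELDS.get(field)
    if allowed_roles is None:
        return "clear"                       # not classified as sensitive
    if ctx["role"] not in allowed_roles:
        return "full"                        # role has no need to know
    on_net = ipaddress.ip_address(ctx["ip"]) in TRUSTED_NET
    in_hours = BUSINESS_HOURS[0] <= ctx["time"] <= BUSINESS_HOURS[1]
    return "clear" if on_net and in_hours else "partial"

def render(record, ctx, audit):
    """Apply the policy at the point of access; log every sensitive-field decision."""
    out = {}
    for field, value in record.items():
        level = decide(field, ctx)
        if level == "full":
            out[field] = "*" * 8             # fixed width so the length does not leak
        elif level == "partial":
            out[field] = partial_mask(value)
        else:
            out[field] = value
        if field in SENSITIVE_FIELDS:
            audit.append({"user": ctx["user"], "ip": ctx["ip"],
                          "field": field, "decision": level})
    return out

# Constructed sample record and access contexts.
RECORD = {"name": "Pat Example", "ssn": "123-45-6789", "health_condition": "asthma"}
OFFICE = {"user": "u1", "role": "hr_admin", "ip": "10.20.3.7", "time": time(10, 30)}
REMOTE = {"user": "u1", "role": "hr_admin", "ip": "203.0.113.9", "time": time(10, 30)}
```

The same user sees the SSN in clear from the trusted network during business hours and only its last four characters from elsewhere, while a field outside the user's role is fully masked in both cases.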
Cross-App Access Control is Key
In summary, the California Privacy Rights Act is a significant development in data security and privacy law that will have implications for businesses operating and doing business in California. Compliance with the act will require companies to implement appropriate measures to protect personal data, such as data masking, and to provide additional rights to consumers.
Businesses will also need to look at their entire application landscape as a whole and avoid using siloed app-specific solutions. Not only will it help implement policies consistently, but it will also simplify the audit process. With proactive controls in place, businesses can avoid risking exposure of sensitive data, implement fine-grained policies, provide a clear audit trail, and keep up with CPRA and future regulations.
Talk to our compliance experts to learn how you can use data masking to enhance your CPRA compliance.