Cybersecurity Implications to California’s Consumer Privacy Act: Why Everyone Needs to be Prepared

On Jan. 13, 2020, Visa announced the acquisition of Plaid. The technology integration firm provides the card network with new integration options and a treasure trove of data to create new products and services in the payments market. At the same time, Visa made an investment of an undisclosed amount in the security firm Very Good Security, which provides tokenization and data security features needed for data privacy and protection. Visa’s actions represent the yin and yang of 21st century corporations – the drive for data but the requirement to balance security.

Data privacy breaches have been perceived as the cost of doing business for the past 20 years, however global regulatory winds are changing how companies evaluate data storage, retention, and security. California enacted the California Consumer Privacy Act (CCPA) Jan. 1, 2020, which has technology companies scrambling to comply. In many instances the amount of data companies collect surpasses their needs, but when developing products quickly, it can be easier to “get all of the data” and then determine how to monetize the data later. This report reviews the existing privacy laws, identifies cybersecurity threats, and helps guide internal discussions on how to evaluate risks. 

Key questions discussed in this report:

• What cybersecurity risks do financial institutions have with the California Consumer Privacy Act?
• What is the difference between existing privacy laws, and why does CCPA have bigger implications?
• What do financial institutions need to do to protect their consumers’ privacy?