All organizations have to balance insider risk management and employee privacy. Organizations should aim to monitor activity while maintaining employees’ trust and privacy based on organizational risk appetite, culture, and compliance needs. Despite the lack of a comprehensive, federal privacy regulation like the European General Data Protection Regulation (GDPR), states such as California are instituting their own privacy mandates. State-based protections can have wide-spread impact, causing many organizations to rethink or change their insider risk management practices.

This blog post reviews the general framework of the California Consumer Privacy Act (CCPA), describes specific implications for insider risk management, and provides recommendations to prepare insider risk programs to mitigate concerns before the CCPA takes effect.

California first enacted the CCPA in 2018 to provide the state’s consumers a variety of privacy rights to protect their personal information collected by businesses. The act gives California residents the rights to

• know what personal data is being collected about them
• know whether their data is sold or disclosed and to whom
• prohibit the sale of personal data
• access their personal data
• request a business to delete their data
• not be discriminated against for exercising their privacy rights

The act applies to any organization that does business in California and satisfies at least one of the following:

• annual gross revenue of more than $25 million
• buys, receives, or sells the personally identifiable information (PII) of more than 50,000 consumers or households
• earns more than half of its revenue from selling consumer PII

California extended these consumer rights to employees in the passage of the California Privacy Rights Act in November 2020. This act goes into effect on January 1, 2023. As a result, CCPA protections will be extended to include California employees, specifying obligations regarding data collection and usage by employers:

• notify, at the time of collection, employees, contractors, and applicants of the categories of information they collect and how they use it
• use reasonable safeguards to protect employee data

CCPA includes contractors in the employee protections, but to a lesser extent. It is unclear right now how contractors will be factored in. For now, California and federal labor laws govern the contactor and trusted business partner (TBP) domain. That said, third-party vendors are subject to the same CCPA requirements with employee data: Organizations that give their employee data to third-party vendors should notify the vendors of their responsibilities under CCPA and periodically remind them of requirements. Contractual notices, newsletters, and periodic trainings can all help safeguard employee data in the care of third parties.

As of January 1, 2023, employers subject to CCPA will have to demonstrate compliance with CCPA privacy protections. CCPA has implications for general employee data collection, background checks, and monitoring programs used by organizations, such as the monitoring practices used by most insider risk programs.

Employees will have the right to access data that is no longer in use or required for the scope of employment and have that data deleted by employers. As of January 26, 2021, California labor law crosscuts the CCPA and allows employees to access personnel records.

Most of the CCPA does not apply to background checking companies, which is governed by the Fair Credit Reporting Act, with two exceptions:

• notice at collection
• reasonable safeguards for data

Organizations governed by the CCPA and its regulations will have to apply notice-at-collection for background checks and ensure reasonable safeguards for the data the checks obtain.

CCPA implications for monitoring are not explicit. Most of the impact on monitoring will involve transparency on the employer side as to what data is collected and how it is used. The CCPA defines the categories of data that are protected, and the most relevant to insider threat are

• network usage
• geolocations
• inferences (trends in user activity, used to predict things the individual might do/buy/watch)
• biometrics

Organizational transparency about data collection and usage serves two purposes: (1) it brokers trust between the organization and the employees and (2) it notifies employees of the organization’s practices. Information on the ways the organization collects and uses data for its insider risk programs should be delivered to all employees. Awareness campaigns, such as with white papers or periodic newsletters on employee privacy practices, help to keep the organization transparent and the employees informed.

Trust is also built with notice. Policy notifications should begin with employment contracts and onboarding. Afterwards, periodic trainings should be circulated throughout the organization to keep employees notified of the organization’s policies. Newsletters with policy reminders and plain-language breakdowns of any policy changes are an efficient, documentable way to notify employees.

Privacy regulations like the CCPA reinforce the importance of having resources from an organization’s ethics, compliance, and privacy groups included as key stakeholders in an insider risk program. These experts should work with internal communications and the insider risk program manager (IRPM) to message what data is captured, how is the data protected, and what rights employees have to audit or opt-out of monitoring.

The spirit of CCPA and related state-based regulations is to incentivize organizations to provide reasonable protection of personal data. Reasonable is the keyword here, and a matter that IRPMs need to discuss candidly with internal counsel. But what are some publicly available resources to support the selection and prioritization of data protection controls? First, insider risk program privacy experts should review the new NIST Privacy Framework and identify what controls are appropriate for their needs.

Second, insider risk program privacy experts should get involved in communities of interest to stay engaged with practitioner and scholarly guidance on privacy risk management best practices. Some popular and resourceful communities of interest include:

• Open-Source Insider Threat (OSIT) - Privacy Special Interest Group (PSIG) (Contact us at insider-threat-feedback@cert.org for more information.)
• NIST Privacy Workforce Public Working Group
• International Association of Privacy Professionals (IAPP)

By leveraging collective expertise from these public forums, IRPMs can streamline the process to deploying reasonable, low-cost solutions to protect employee data.

The best way for organizations to respond to changing privacy requirements or policies is to design systems that allow for configurability and follow the principles of Privacy by Design. Ann Cavoukian’s principles advocate for the proactive embedding of privacy controls. This framework should be applied to build-or-buy decisions to ensure flexible and configurable design patterns throughout the lifecycle of a system.

This Privacy by Design framework positions organizations to address new and changing privacy requirements and stay ahead of privacy expectations for consumers and stakeholders.

Change management is costly and time consuming. Organizations need to begin preparing today for potential impacts from new privacy regulations, such as the CCPA. As a risk management function, insider risk programs should be able to consult with their internal stakeholders, such as privacy, compliance, and legal, to identify what changes, if any, they must make.

For more insight on change management, please see best practice 17, “Institutionalize system change controls,” in the CERT Common Sense Guide to Mitigating Insider Threats, Sixth Edition.