HITRUST has incorporated the requirements of the California Consumer Privacy Act (CCPA) into HITRUST CSF version 9.3, giving businesses a sound basis for measuring CCPA compliance as part of their existing assessment and certification processes. Organizations can assess against the CCPA to determine quickly whether they meet the requirements the law introduces or whether there are gaps that must be remediated.
Given the number of consumers and the size of the California economy, the CCPA will have a significant impact on the market: many for-profit businesses across the United States that handle the personal information of California residents will have to meet the statute's requirement to “implement and maintain reasonable security procedures and practices” to protect consumer data. The law is serving as a model for other jurisdictions and has created an expectation among consumers that they can access their data, ask for it to be deleted, and limit how it is used and sold.
Businesses that are required to comply with the law, which takes effect on January 1, 2020, can perform a CCPA assessment by selecting the CCPA as a regulatory factor in the MyCSF assessment tool.
The HITRUST CSF includes comprehensive privacy controls as well as mappings to both the CCPA and the GDPR. The CCPA is just different enough from the GDPR that an organization cannot assume its GDPR work covers it, which creates confusion about what compliance requires. HITRUST has helped businesses manage GDPR compliance and will help organizations doing business in California minimize the impact of the new regulatory requirements.
“The CCPA requires American organizations to look at data in a new way, as we are not used to data subjects having the type of rights granted them under the CCPA,” explains Anne Kimbol, Chief Privacy Officer, HITRUST. “By including leading privacy standards and principles, including the European Union’s General Data Protection Regulation (GDPR) and the CCPA mappings into the HITRUST CSF, we help our customers identify and mitigate gaps and risks in their existing programs that help them meet not just the growing compliance requirements but also customer expectations.”
Even though many companies have worked hard to understand the GDPR, the differences between the GDPR and the CCPA leave much confusion in the market about what CCPA compliance means. HITRUST remains committed to helping organizations translate privacy laws into actions, first with the GDPR and now with the CCPA. HITRUST looks holistically at information risk management, going beyond what organizations are required to do and bringing to light what they should be doing, by addressing both security and privacy controls across their internal infrastructure and throughout their third-party supply chain. Organizations already using HITRUST to identify and implement their applicable privacy controls will need to devote fewer resources to adjusting their programs to meet the CCPA requirements.
HITRUST’s privacy team worked to ensure that the HITRUST CSF v9.3 includes mappings and related information on the CCPA reflecting not just the original act, but also the amendments made during the recent California Legislative Session. HITRUST will continue to enhance the CCPA language in the HITRUST CSF and, as appropriate, other elements of the HITRUST suite of information risk management and compliance tools by monitoring changes to the law.
Performing a HITRUST CSF Assessment, for example, shows an organization which action items to prioritize to meet regulatory compliance requirements. The assessment provides prescriptive control requirement statements and granular illustrative procedures that simplify and streamline an organization's path to information risk management and compliance.