ESET: Firms Need MSPs' Help Around California’s New Data Privacy Law
“Companies are really out there looking for direction and looking for the solutions that you can bring to the table to help them protect their businesses from these potential risks,” said ESET’s Rachel Globus.
California businesses large and small are turning to MSPs for help understanding the ins and outs of the state’s new privacy law, said ESET’s Rachel Globus.
Solution providers who’ve developed expertise around the California Consumer Privacy Act (CCPA) will really be able to add value and stickiness to their customer relationships, according to Globus, senior marketing manager at the Bratislava, Slovakia-based security vendor. Globus anticipates the CCPA will be the first in a wave of privacy legislation to sweep across the United States.
“Companies are really out there looking for direction and looking for the solutions that you can bring to the table to help them protect their businesses from these potential risks,” Globus said Thursday at NexGen 2019, hosted by CRN parent The Channel Company.
The CCPA takes effect Jan. 1, 2020, and provides California residents with greater ownership, control and security over their personal information, Globus said. The law applies to businesses that either: make more than $25 million each year; derive more than half of their revenue from the sale of personal information; or share the personal information of 50,000 California consumers, households, or devices.
As far as enforcement is concerned, Globus said the California Attorney General can fine businesses between $2,500 and $7,500 per violation, while data breach victims can sue for between $100 and $750 per consumer per incident. Enforcement actions by the California Attorney General won’t occur until July 1, 2020, though Globus said consumers are free to sue as of Jan. 1, 2020.
Globus said California, as the world’s fifth-largest economy, has a history of leading the charge around consumer rights. For instance, she said California was the first state in the country to pass a law mandating data breach notifications, which are now required in all 50 states.
But a survey of California business owners and executives found that 88 percent of them had no idea if the CCPA applied to them, Globus said, while 44 percent of executives surveyed hadn’t even heard of the law. And 40 percent of firms surveyed said they weren’t sure or weren’t at all confident that they were fulfilling the CCPA’s mandates around having “reasonable security” policies and practices in place.
“End users are going to rely on MSPs to have the knowledge to guide them to the solutions that they need to protect their businesses,” Globus said. “And they really do need your help.”
ESET believes that a number of its products would help businesses achieve compliance with the “reasonable security” mandate in the CCPA, Globus said, including the company’s endpoint protection, two-factor authentication, encryption, security awareness training, data leak prevention, and backup and recovery offerings.
And even though the United States typically has less regulation than its European counterparts, Globus said it’s apparent that more and more privacy legislation is going to be brought forward in new geographies in the years ahead.
“Companies really need your support. They need your expertise,” Globus said. “So this is an opportunity for businesses like yours to really become experts in this space and capture this demand so that you can deliver value to your customers.”
The CCPA has come up in conversations around data mining as well as in discussions about the exchange of data from one company to another, according to Helene Hopkins Eversbusch, an Atlanta-based private consultant.
“There has to be some precedent around who owns what data,” Eversbusch said.
Complying with the CCPA will require a combination of cybersecurity tools, clean backups, and understanding the contracts associated with the applications used by the business, according to Eversbusch.
For instance, an application designed to edit or manipulate pictures might have been given permission to see all the images on the mobile device, which Eversbusch said would have privacy implications. And a clean backup would allow businesses to avoid having to pay the ransom following an attempted ransomware attack, Eversbusch said.