The Legal Brief

Complying With Regulatory Standards For Data Privacy And Data/Cyber Security (Fourth In A Series)

June 25, 2020

By: Adam Zaccari

Throughout this blog series we have communicated that the global COVID-19 pandemic has not halted compliance for two major regulatory provisions affecting hundreds of thousands of businesses – The California Consumer Privacy Act (the “CCPA”) and the Cybersecurity Maturity Model Certification (the “CMMC”). In this final blog post of the series, we will delve deeper into how your organization can take the necessary steps to comply with these regulatory standards.  

How to Comply with CCPA

We discussed various aspects of the California Consumer Privacy Act (the “CCPA”) in the context of the upcoming July 1, 2020 enforcement date in an earlier blog. To recap, businesses should consider and work through these aspects of the CCPA to ensure compliance: (i) provide disclosures to California consumers, including Terms of Use and Privacy Policies, to outline the types of data collected and the manner in which it stores, maintains, processes, and might share that data; (ii) obtain clear consent from consumers as to those types of data collected and intended uses for it; (iii) delete (and certify the deletion of) the data of any consumer who asks to enforce the right to be forgotten; and (iv) monitor data stored to ensure that it is not lost or improperly disclosed due to a data security or other breach but if it is, provide timely notices to any consumers whose data might be subject to such a breach. Thus, compliance with the CCPA is not only a data privacy matter but also a data/cyber security concern for subject businesses. The most effective approach in this regard is for a business to take a holistic approach across various departments and business units to create an overall corporate atmosphere that focuses on security best practices and resulting compliance.

How to Obtain CMMC 

First and foremost, there is no self-certification. Your organization must work with an accredited and independent third-party commercial certification organization to request and schedule the CMMC assessment. Your organization is responsible for specifying the level of the certification required based on your specific business requirements. Once satisfied that your organization demonstrates the appropriate data control and organizational maturity, the third-party assessor will grant certification at the appropriate CMMC level to your organization.  Once you obtain certification, the level will be made public; however, details regarding specific findings will not be publicly available. The DoD will only see your certification level.

Your organization should begin planning for you certification at least 6 months in advance of your anticipated start date of any DoD contract. It may help to engage with a CMMC-AB trained professional for guidance and prep work (if needed). To schedule, you need to go to the CMMC-AB Marketplace to find an available C3PAO, and that C3PAO will assign a Certified Assessor. All C3PAO’s must be ISO 17021 certified and adhere to a Code of Professional Conduct. The CMMC-AB will then review your assessment with Quality Auditors. Your organization then has up to 90 days to resolve any findings with your C3PAO. From there, your CMMC Certification Level is issued, and is valid for 3 years.  

Jackson Kelly is committed to providing knowledgeable counsel to help our clients navigate these pending requirements. We have partnered with SecureSky, a leading cybersecurity firm specializing in helping companies meet compliance demands while improving their security posture. Jackson Kelly and SecureSky actively engage with industry leaders that provide technology, tools, and resources enabling companies around the globe to ensure compliance in all facets of business, specifically including the ever-growing world of data privacy and security regulation. All of us at Jackson Kelly, and SecureSky hope that you found this series to be valuable as your organization embarks on this journey. Stay tuned for more to come from us as we dissect the legality inside of the cybersecurity industry.