California Consumer Privacy Act (CCPA) / CPRA

Applies to for-profit businesses meeting any one of: $25M+ annual revenue; collecting data on 100,000+ consumers/households annually; or deriving 50%+ of revenue from selling personal data. Grants California residents rights to know, delete, opt-out of sale, and non-discrimination. Amended by CPRA (2023) to add correction rights and establish the California Privacy Protection Agency as an independent enforcement body.

Penalties

$2,500 per unintentional violation; $7,500 per intentional violation. Private right of action for data breaches: $100–$750 per consumer per incident — creating significant class action exposure for large breaches.

Real-world example

Sephora settled with California AG for $1.2M (2022) — the first major CCPA enforcement action — for failing to disclose it was selling consumer data and failing to honor opt-out requests via the Global Privacy Control signal. The case established that failure to recognize automated opt-out signals is a violation.

Personal Information Protection Law (PIPL) — China

Effective November 2021. Applies to processing of personal information of persons within China, regardless of where the processor is located. Requires explicit consent for most processing, separate consent for sensitive data, and mandatory data protection impact assessments. Cross-border data transfers require either government security assessment, certification by approved institution, or a standard contract filed with authorities.

Penalties

Up to ¥50M or 5% of prior year revenue for serious violations. Business operations may be suspended. Responsible individuals can be banned from serving as directors or senior management.

Real-world example

DiDi Chuxing was fined ¥8.026 billion ($1.2B) in 2022 for serious violations of PIPL and China’s cybersecurity law — including illegal collection of user data and serious security deficiencies. Regulators had flagged the risks before DiDi’s US IPO; the company proceeded anyway. The fine was accompanied by suspension of new user registration for over a year.

Protection of Personal Information Act (POPIA) — South Africa

Fully effective July 2021. Applies to any organization that processes personal information of South African data subjects. Based on eight conditions for lawful processing: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. Established the Information Regulator as the supervisory authority.

Penalties

Fines up to R10 million (~$540K). Imprisonment of up to 10 years for certain offenses. The Information Regulator can also issue enforcement notices and compliance notices independently of fines.

Real-world example

The 2020 Experian South Africa breach exposed data on 24 million individuals and 793,000 businesses to a fraudster posing as a legitimate client. The Information Regulator issued an enforcement notice requiring Experian to notify affected data subjects and improve security. POPIA’s accountability condition was central to the regulatory response: Experian had processed data without adequate verification of the requester’s identity.

Criminal investigation

Conducted by law enforcement (FBI, national cybercrime units) to determine whether a crime was committed and to support prosecution. Security professionals play a supporting role: preserving evidence, maintaining chain of custody, and cooperating with investigators. Once law enforcement is involved, the organization should not independently conduct forensic analysis on the same systems without coordination — improper handling can contaminate evidence.

Standard of proof

Beyond reasonable doubt — the highest standard. Evidence must be collected with strict chain of custody. Digital forensics must follow validated methodologies (write-blockers, hash verification of forensic images).

Real-world example

The 2014 Sony Pictures hack was investigated by the FBI as a criminal matter. North Korean state actors were attributed. Sony’s internal security team had to coordinate evidence preservation with FBI agents while simultaneously trying to restore operations. The tension between forensic preservation (leave systems intact) and operational recovery (restore systems quickly) is a defining challenge of criminal investigations involving the organization’s own infrastructure.

Civil investigation

Conducted to support litigation between private parties — typically a breach of contract, negligence claim, or trade secret misappropriation. Discovery in civil litigation can compel the organization to produce emails, logs, security policies, audit reports, and forensic evidence. E-discovery obligations activate as soon as litigation is reasonably anticipated — a legal hold must be issued immediately to suspend normal data destruction schedules.

Standard of proof

Preponderance of evidence. But the scope of discovery is broad — opposing counsel can demand virtually any document, log, or communication relevant to the claim. Security records, incident reports, and internal audit findings are all discoverable.

Real-world example

After the 2013 Target breach, Target faced hundreds of civil lawsuits from banks seeking to recover card reissuance costs. Discovery required Target to produce internal security assessments, Trustwave QSA reports, and FireEye alert logs. Internal documents showing Target had received security warnings it did not act on were central to the civil liability argument. Security documentation that seems routine becomes litigation evidence in civil proceedings.

Regulatory investigation

Conducted by a regulatory authority (FTC, SEC, ICO, HHS OCR) following a reported breach, complaint, or routine audit. Regulators have subpoena power and can compel document production. The organization must cooperate fully and cannot destroy potentially relevant records once a regulatory inquiry begins. Regulatory investigations often run in parallel with civil litigation, creating complex legal obligations.

Standard of proof

Varies by regulator and jurisdiction. Regulators typically need to establish a violation of specific regulatory requirements — negligent security, failure to notify, inadequate safeguards. The burden is often on the organization to demonstrate it met the standard.

Real-world example

Following the Anthem breach (2015), HHS OCR opened a regulatory investigation under HIPAA. The investigation found Anthem had conducted an inadequate risk analysis — the foundational HIPAA Security Rule requirement. Anthem settled for $16 million. Critically, the settlement was not because Anthem was breached, but because the risk analysis process that should have identified and addressed the vulnerability had not been performed adequately. The breach was the trigger; the regulatory violation was the underlying failure.

Industry standards investigation

Conducted by industry bodies or their designated assessors (QSAs for PCI-DSS, auditors for SOC 2) following a suspected standards violation. PCI-DSS forensic investigations, for example, are conducted by PCI Forensic Investigators (PFIs) — qualified third parties who follow specific methodologies and report findings to the card brands. These investigations can result in fines from card brands, increased compliance requirements, or loss of ability to process card payments.

Standard of proof

Contractual and standards-based — not a legal standard. The question is whether the organization met the requirements of the standard at the time of the incident and maintained appropriate documentation.

Real-world example

Following a card breach at a restaurant chain, Visa initiates a PCI forensic investigation through a PFI. The PFI determines the POS systems were running out-of-date software and cardholder data was stored unencrypted after authorization — violations of PCI-DSS Requirements 3 and 6. The card brands levied fines and placed the chain in a remediation program with quarterly QSA assessments. The restaurant faced both the standards investigation and concurrent civil suits from issuing banks.

PASTA — Process for Attack Simulation and Threat Analysis

A risk-centric methodology in seven stages: define business objectives → define technical scope → decompose the application → threat analysis → vulnerability and weakness analysis → attack modeling → risk and impact analysis. PASTA explicitly ties technical threat analysis to business risk — making it particularly suitable for organizations that need to present threat modeling outputs to non-technical stakeholders.

Key advantage

Business-aligned output. The final stage produces a risk-prioritized list of threats with business impact quantification — directly usable in board-level risk reporting and security investment decisions.

Real-world example

A financial services firm uses PASTA when onboarding a new customer-facing payments application. Stage 3 (application decomposition) reveals a data flow between the mobile app and a legacy back-end processor that was not in the architecture diagram. Stage 5 identifies that this undocumented flow lacks encryption. The finding is prioritized in Stage 7 as high-risk (business impact: PCI-DSS violation, cardholder data exposure). It is remediated before go-live. Without PASTA, the undocumented flow might not have been discovered until post-launch audit.

DREAD

A quantitative risk rating model used to prioritize identified threats. Each threat is scored 1–10 across five dimensions, and an average score drives prioritization. Originally developed by Microsoft but since deprecated in favor of STRIDE for design-phase use; DREAD is now more commonly used for scoring and prioritizing a list of already-identified vulnerabilities.

The five dimensions

Damage potential — how much harm if exploited? Reproducibility — how easily can the attack be repeated? Exploitability — how much skill/resources are required? Affected users — how many users are impacted? Discoverability — how easily can the vulnerability be found?

Real-world example

A penetration testing team identifies 23 vulnerabilities in a web application. The client needs a prioritized remediation plan with limited budget. DREAD scoring on each finding produces a ranked list: an unauthenticated SQL injection affecting all users scores 9.2 (critical); a reflected XSS requiring user interaction affecting single sessions scores 4.8 (medium). Budget goes to the top 5 findings. DREAD makes prioritization explicit, auditable, and defensible to management.

Attack trees

A graphical, hierarchical representation of ways a goal (root node) can be achieved by an attacker. Sub-goals branch downward, with AND nodes (all children must be achieved) and OR nodes (any child is sufficient). Attack trees are valuable for communicating complex attack paths to non-technical stakeholders and for identifying which defenses break the most attack paths simultaneously.

Key advantage

Visual and intuitive. A single attack tree for “attacker achieves unauthorized admin access” makes the full range of attack vectors visible in one diagram — helping decision-makers understand why controlling a specific chokepoint is high-value.

Real-world example

A bank’s security team builds an attack tree for “attacker transfers funds without authorization.” The root has two major branches: compromise customer credentials (OR) and compromise internal banking system. The customer credentials branch has sub-nodes: phishing, credential stuffing, SIM swapping, malware. Analyzing the tree reveals that multi-factor authentication (MFA) breaks every credential sub-branch simultaneously — making it the highest-value single control in the tree. The tree made the investment case for MFA unambiguous to the board.