Achieving CCPA Compliance with ServiceNow and Covestic
Mike: Okay, let's get started. Welcome, everyone, to today's webinar on achieving CCPA compliance with ServiceNow, presented by the Covestic governance, risk and compliance team. Today we're going to share with you some strategic insights and tactical tips on how you can leverage your investment in ServiceNow to comply with the new California Consumer Privacy Act. My name is Mike Dee and Ray, and I'll be hosting today's session along with two of my colleagues, Eric Smith and John Goo Bataya. Eric and John, would you please introduce yourselves? Eric?

Eric: Absolutely, thanks Mike. Eric Smith. I run pre-sales here at Covestic. I've been working on ServiceNow for about 10 years, most of that time as a solution architect or a business process consultant, primarily around governance, risk and compliance, which is my chief passion area. Thanks for joining us today. John?

John: Thank you, Eric. Good morning, everyone. My name is John Goethe. I'm a solutions architect with Covestic. Similar to Eric, I've been working on the platform for about 10 years now, and for the past three years I've been focusing on the customer service management area. Thanks to everyone for joining us.

Mike: Okay, thanks John and Eric. Prior to joining Covestic, I managed the compliance efforts of a large enterprise IT operations department and used ServiceNow on a daily basis for several years to ensure our organization remained continually compliant and audit ready. Now, as the GRC advisory solution architect here at Covestic, my focus is primarily on helping ServiceNow customers to better understand how they too can get the maximum value out of the platform when standing up and managing their regulatory compliance programs.

We have quite a diverse audience here today, so please submit your questions via the chat window; we'll answer as many as time permits at the end of the session. We're also recording this, and we will send you a link to where you can download a copy. You should expect that sometime within the next 24 hours. And last but not least, just a quick disclaimer: everything we present here today, please consider it as technical information. It should not be considered or construed as legal advice. The CCPA is new and still somewhat fluid, so best practice is to always collaborate closely with your legal and compliance teams as you move forward on your CCPA compliance program.

With that said, let's take a quick look at our agenda today. We're going to start with a quick look at the CCPA, then we'll talk about what's required to comply with the law, and then we'll explore some capabilities of ServiceNow that you can leverage to ensure compliance. Then we'll talk a little about Covestic: who we are, what we've done in this space, and how we can help accelerate your compliance efforts and help minimize your time to failure. Then we'll wrap up with a question and answer session.

Okay, so a quick look at the CCPA. What is the CCPA? Well, in a nutshell, the California Consumer Privacy Act is a new California state law that helps protect the privacy of California residents by giving them greater say in how businesses collect, use and share their personal information. It does this by providing Californians greater transparency into what personal information is being collected on them, by providing greater control over how that information is used and sold, and by holding businesses accountable for safeguarding the personal information they collect and process. To enact these three principles, the law grants Californians specific rights and imposes penalties on businesses that fail to comply with the law.

So what rights does the CCPA grant to Californians? The law grants Californians three primary rights: the right to know what personal information has been collected on them and whether that information has been sold to any third parties, and if it has been sold, to whom; the right to say no, or to opt out of the selling of their personal information; and the right to request that their personal information be deleted. These are referred to as the right to access, the right to opt out, and the right to deletion.

So who has to comply with the law? The law applies to any for-profit business that collects, processes or sells the personal information of any California resident, regardless of where that business is physically located, as long as that business meets any of the following three criteria: if it generates at least 25 million in annual revenues, or if it holds or sells records on more than 50,000 California consumers, households or devices, or if it generates more than half of its annual revenues from selling the personal information of California consumers. Then it is considered to be a covered business and must comply with the law.

And what happens if you don't comply? Well, the CCPA empowers the California Attorney General to levy fines up to $2,500 per incident for any violations that are unintentional, and this goes up to $7,500 per incident for intentional violations. The law also gives Californians the right to bring civil actions for up to seven hundred and fifty dollars per incident in the event that their personal unencrypted data is exposed during a breach, and they can do this without needing to show damages or losses. Of course, if they actually suffered losses and they can show damages, they can sue for the amount of those damages. In addition to the fines and the civil actions, the law also enables consumers to participate in class actions and to share in any monetary awards that the courts grant as a result of those actions. So while these individual amounts, you know, twenty-five hundred dollars, seven hundred fifty dollars, even seventy-five hundred dollars, may seem relatively small compared to large fines imposed by other regulations such as the GDPR, these amounts of course can quickly skyrocket in the event of a data breach.

So when do you need to comply? The law was passed on June 28, 2018, and it became effective on January 1st, 2020, and it becomes officially enforceable on July 1st, 2020, when the new regs go into effect. But I think it was in late December that the California Attorney General announced that, since businesses were expected to be compliant on the January 1st date, the law could be enforced retroactively.

So what's required to comply with the law? Well, the CCPA is absolutely replete with detailed requirements, but in general, to comply with the CCPA your organization needs to develop three general sets of capabilities. First, you need to enable California consumers to exercise their rights. Then you need to safeguard the personal information you collect on those consumers while that information is in your possession. And then you must ensure and evidence that your organization is continually compliant with the law.

So how can ServiceNow help you meet those requirements? ServiceNow provides three primary products that are very well suited for standing up a CCPA compliance program. Customer Service Management, or CSM, can be leveraged to enable consumers to exercise their rights. Security Operations Management, or SOM, can be leveraged to safeguard consumer information. And the Governance, Risk and Compliance, or GRC, suite can be leveraged to sustain and evidence continual compliance with the law. We'll take a close look at all of these, starting with CSM. John, would you please walk us through how ServiceNow CSM can be leveraged to enable consumers to exercise their rights?

John: Absolutely, thank you Mike. All right, so as Mike was discussing, the new California law provides the consumer three rights. They now have the right to access their information, they have the right to opt out, and they have the right to delete. Starting in about December and leading into the new year, I was starting to get flooded with new email messages saying "hey, we're updating our privacy rights, here's some new information," and that was all being generated by the new CCPA law that was coming into effect at the beginning of the year. You also noticed, probably, when you're logging in; I logged in to LinkedIn the other day, and front and center popped up this little message saying "hey, we've updated our privacy policy, and here's some information about that new update." Similarly, a lot of the websites you go to now; I was going to a Sacramento business's website the other day, and front and center pops up this right to opt out, basically, "don't sell or disclose my information." So a lot of companies are coming into compliance with this, and they're already starting to exercise those rights for Californians with these new interfaces that you're seeing.

ServiceNow's Customer Service Management can definitely help fulfill and enable those rights: through request intake processing, leveraging our service portal, as well as request fulfillment, leveraging our automated workflows and task fulfillment to help support these different rights that consumers now have. Next slide, please.

All right, so under these new rights, the right to access, the right to opt out and the right to delete, all of these requests have requirements. The first requirement is you need to provide at least two request vectors. Most commonly, if you're interacting with your customers through a website, so if you're a Facebook or Twitter or Instagram, you need to provide them a means of requesting their right to access information or opt out through your website. Another vector could be a phone call, so you can provide them a phone number that they can contact to exercise their rights. You can also provide them an email address to email you. I was looking at one site the other day and it said "hey, if you want to exercise your right to know, please email us at privacy@" and the company's name. So those are the different types of vectors that you can use to satisfy the rights.

Another trick to the law is that you can't require the consumer to open or register an account. Obviously, if I'm telling you to delete all the information about me, it doesn't seem fair that I'd have to create an account or register with you to get that information deleted from your tool or your applications. So the law protects the consumer in that way, in not having to open an account or register.

Then the law also says you need to verify the identity. Of course, if we're going to be disclosing information about a consumer, we need to ensure that that consumer is who they say they are. Under the law you can work with third-party authentication, like a knowledge-based authentication, similar to what you do when you're requesting a credit report: it asks you some questions about yourself, you know, you have a mortgage, you have a car loan with this particular company. So using a third-party application like LexisNexis or IDology, you can use knowledge-based authentication to verify that requester. Additionally, in the proposed regulations that came out in October, they clarified that the company can also verify the identity of the requester against any sort of information that they already have about that person. So if you happen to have a user ID or a membership number with the organization, and then you provide your name and your address, with those three data points the company can also perform that request identity verification.

Once we've submitted this request, we're bound to provide them a unique ID. Fortunately, out of the box, Customer Service Management of course provides a case ID, so that's the unique request ID that the California consumer can use to track the request with the organization.

The law put into place that these requests need to be fulfilled within 45 days. So again, with out-of-the-box functionality in ServiceNow, leveraging service level agreements, we can enforce that 45 days. Within the law there's also an option that if the organization needs a little bit more time to fulfill that request for information or deletion, they can also request a 45-day extension, as long as the consumer is notified that that extension has taken place. And then, similar to your credit reports, you can only make so many requests within a 12-month period: a consumer can put in about two requests in a 12-month rolling period. So that hopefully limits the burden placed on your compliance and privacy offices fulfilling this new law.

Now for more detail within the access request. We're providing information that we've collected for you over the past 12 months. Since that's a 12-month rolling period, once that request comes in we disclose any information that we've collected about you within the past 12 months. The law kindly put into place that the disclosure needs to be human readable and electronically portable, so PDFs of course work perfectly for this; it's an electronically portable document. The other key factor here in the wording of the law is that it's human readable, so your average California consumer should be able to look at this access or disclosure request and be able to decipher the information that you've collected about them. So it's important to make that human readable and presentable based on the different PI categories, so that they know what information you have about them. And of course, because this is information about a consumer, it needs to be delivered securely. A lot of organizations are leveraging two-factor authentication. This is pretty common nowadays: if you're logging on to your banking or brokerage account, it'll send you a text message with a one-time login code, you type that code in, and now we've essentially verified you for that transaction, so we can securely deliver your disclosure access report to you.

Okay, the other one, like I mentioned a little bit earlier, is the opt-out request. These are the ones that are popping up on all the websites, again front and center: "don't sell my information." Hopefully they're making it easy for you to click that button and immediately opt out of your information being sold. The reason those are front and center on all the websites now is because the law says it has to be in a conspicuous location. So in order to be in compliance with the law, they need to draw that to your attention. The law is protecting California consumers, because a lot of times these things were hidden away in privacy policies; you'd have to drill down through multiple pages, and then there'd just be this hidden little one-line link to actually start processing your opt-out or your privacy rights. The law protects California residents and says "hey, no, you can't hide this stuff, you need to make it front and center," so that they're aware and it's easy for them to exercise that right.

And then lastly, the type of request is a delete request. The law states that this has to be two processes, right? If you're asking an organization to delete your information, we need to verify with a second, separate page or declaration that "yes, I'm affirming who I am and I also want you to delete my information." So that needs to be a two-step process to process that type of request. And this is a deletion, or the erasing, of all the consumer information, not just the past 12 months. So whatever you've collected: if I opened a Facebook account years ago and I want all that information deleted, then from day one of me accessing your organization's services, that information needs to be deleted.

The other tricky part to this is that you also need to notify third parties. An organization needs to recognize which data they've exchanged with third parties, and if a California consumer comes in and says "hey, I need that information deleted," it's the organization's responsibility to say "okay, hey, third parties, the information that we disclosed to you about this particular consumer, that also needs to be deleted." So maintaining that information within your ServiceNow system, and all those relationships, helps to make sure that you're in compliance with the law and you're notifying those third parties based on the different business services or applications that have collected that consumer's information.

Okay, so let's dig in a little bit deeper and look at the consumer request process. Of course, the very first thing is the request intake form. This is where ServiceNow is rendering the consumer service portal, the web portal for them to fill out and request if they want a deletion or disclosure or opt-out. The request form could also be leveraged by your service desk or compliance or privacy office teams to complete the form if it's coming in through a phone call. Some organizations might also do processing through mail, so if they mail in a form, you could also leverage the request intake process of forms in ServiceNow to process that information.

Once we've collected the information from the consumer, the next thing we need to do is verify their identity. Again, we're looking at the information they provided us on the form, perhaps their membership number, their address and their email address. We check that against our information, and if that matches up, we're good to go, we've verified them. Alternatively, you can work with LexisNexis or IDology to do that third-party verification, and they'll perform that, perhaps with a lookup or collecting some information that you pass to them about the consumer, and then they verify that identity and they basically sign off and say "yep, this information reconciles with our data, and we're providing you this particular score rating that they are who they say they are."

So once we've gone through that, we've collected the information, we've verified their identity, then we go ahead and create what ServiceNow Customer Service Management refers to as a case. For those of you who may be using ITSM, this is like your incident record. Within CSM we create that case record, we associate the type of request it is and all the consumer information we've collected, and then, because of the beauty of ServiceNow, the platform takes over and we do step number four, which is our auto tasking. Your workflows or your Flow Designer take over and say "okay, this is a disclosure request for this particular consumer, we need to go start looking and pull information about that consumer."

If it's an access type request, for step number five we go and we start harvesting our configuration management database. Hopefully inside there we've got all of our business systems, applications and databases where all that private information is stored within our IT infrastructure, and we start leveraging ServiceNow to pull that information. If any information has been encrypted, we decrypt that information so that it's in a human readable format, and then we package all that information up so that we can securely deliver it to them for that disclosure. If it's an opt-out, then we collect where we have stored information or added them to, you know, Constant Contact or any sort of mailing lists. We find that information and we basically flag it and say "okay, we're opting this particular consumer out of all these types of notifications and data shares."

And then finally, if it's a deletion, that would be number seven here: we check to see where we're storing data for this particular consumer, and then we go through the deletion, or the erasure, of all that information. Again, we're leveraging the ServiceNow CMDB, we're checking all our business applications, saying "okay, this is where the data is stored, in these databases and these particular tables," and we can leverage automation and orchestration, Integration Hub if we've got that set up, to automate the deletion of that information. We delete that, and then we notify our third parties. Again, if we've got those relationships, this particular business service is sharing information with these third parties, and since the consumer has information within this business service, we automatically need to notify these third parties that they also need to remove that information about this consumer to be in compliance with the law.

We get to step number 8: we're logging all this fulfillment. The case record acts as our top-level record, and then ServiceNow has what they call case tasks. So we're tasking all the different application owners and business services with collecting or deleting that information. We're tracking all that against the top-level case request, and then our case tasks for the individual tasking, so all that information is being logged and collected so that we can show our compliance for CCPA for any sort of request that comes in from the consumer. And then lastly, once we've performed that disclosure, we notify the customer: "hey, your disclosure is ready to go, go ahead and use this one-time password functionality so you can securely get your human-readable disclosure report," or we let them know "hey, we've deleted your information, so your request has been completed within that initial 45 days or 90-day extension." So that completes it out once we've notified the consumer.

All right, so Customer Service Management of course works beautifully with this, interacting externally with those California consumers. We've got multiple channels that we can provide to those California consumers to come in. They can call us through our service desk, and the compliance team can use ServiceNow to create that request for them. They can send an email in, and we've got inbound email actions that can process those emails and automatically create the case and set up the case for the compliance team to work on. If you've already got the support portal out there, you can leverage the consumer service portal chat functionality so that they can chat and say "hey, I want to open up a disclosure or deletion request." So there's a lot of different omni-channel options within Customer Service Management out of the box, to provide a lot of avenues for however your consumers interact with the organization to request and enable those rights.

Again, we're leveraging the consumer record information that they provided us, and whatever contact information they've given us, and then we're leveraging the out-of-the-box case functionality and case task functionality, and then we have the whole plethora of the platform enabling us to come into compliance with the law. We can run our SLAs against the 45 days and the 90-day extensions. We have access to all our CMDB, so we've got access to all our business systems; we already know the owners for those business systems, who might be responsible for collecting that information about the consumer, who's responsible for deleting that information for those particular systems. So we've got the wealth of our existing CMDB data there to easily help us come into compliance with getting rid of, or disclosing, that consumer information. So it aligns beautifully for the fulfillment of CCPA.

All right, so this is just a couple of screenshots of examples of leveraging the out-of-the-box platform for Customer Service Management. Initially, most of them are standing up a Customer Service Management portal. These are your consumer portals; this gives you the ability to select the request to have your information disclosed, have your information opted out, or have your information deleted. You can do that leveraging ServiceNow as a consumer service portal. Again, leveraging the out-of-the-box SLA functionality helps us, the compliance office, keep in compliance with the law. We're keeping track of: okay, this request came in, we have 45 days to track it, these are how many days we have left, these are how many systems we have left to collect information from, or these are how many systems we have left to delete information from, or we have so many more days left to notify the third parties. So the out-of-the-box functionality of SLAs helps us stay on track for being in compliance with the law.

And then, because of the platform's great functionality with workflows and Flow Designer, we can automate a lot of this tasking. If it's a type of disclosure request and we know which systems have information that needs to be disclosed, we can automatically create tasks to those business process owners with template information so that they can collect the data and provide it back to us, so that we can disclose it in a proper human readable format. So again, leveraging the out-of-the-box ServiceNow platform automation strengths to make sure that we stay within that 45-day window, and it's all structured and streamlined. Again, leveraging the case tasks, if need be we can have your business process owners complete those manually and collect that information and delete the information. But ideally, in the best case, if we've got a more mature CMDB and we've got ServiceNow's orchestration or Integration Hub platform capabilities available to us, then we can leverage the automation part of it, right? So automate the collection of that consumer's information from the business service, or automate the deletion of that consumer's information. This is where the automation, the great stuff, comes into play, because not only are you able to take that burden off your IT department and such, who may be responsible for removing or disclosing the information, the automation within the platform really makes it a lot easier to come into compliance with the law and make sure the consumer is getting their information, or their information is deleted.

And then we can package all that information up again into a PDF, and then we can use one-time password authentication to provide that information out to the consumer. We can then attach, of course, that report for our record-keeping to the case, so it's all kept together: all the case tasks and all the case information for the fulfillment of that request. And again, leveraging the out-of-the-box functionality within ServiceNow, we have access to Performance Analytics and all the metrics and dashboards showing how we're doing with meeting the compliance. How many access requests are we getting? How many delete requests are we getting? How well are our particular business application owners doing in responding to the disclosures for their systems, or the deletions for their systems? So you get this holistic view of how our team, our privacy office, our compliance team is doing fulfilling all these CCPA requests coming in, and a lot of visibility for compliance and upper management to see what the impact of CCPA is for our organization, and how the experience is for California consumers exercising those rights. So the platform supports all the different aspects and scenarios for enabling fulfillment of CCPA.

All right, and with that I'll go ahead and pass it over to my colleague Eric on how ServiceNow can help with safeguarding that information.

Eric: All right, thanks John. So let's go a little deeper on how ServiceNow can help you proactively safeguard customer information and prove that you're continually compliant. Now, to safeguard customer information, the law requires you to implement reasonable security and to respond to data breaches as rapidly as possible. This is codified in California law; it's words on a page, as you see right here. But what ServiceNow can help your organization do is support these words with meaningful action, in a repeatable way, with no added manual effort in the process. All right, next slide.

So while the law requires you to implement reasonable security, it fails to define exactly what that means. But fortunately, the California Data Breach Report, published in 2016 by the Attorney General, states explicitly that a failure to implement the CIS 20 controls shown here constitutes a lack of reasonable security. Now, that sounds dire, but what it does is give us a basis for action. These controls, the ones you see listed here, represent a minimum level of security. Most organizations will have already implemented more robust security frameworks such as NIST, ISO or COBIT. So that brings us to our first ServiceNow advantage: ServiceNow GRC is built to help you test once and comply many. We'll learn a little more about what that means, and also how ServiceNow ensures continuous compliance with these frameworks, in just a moment.

Another tool outside of GRC that can help here is the ServiceNow Security Operations Management suite. It consists of three primary applications: Security Incident Response, Vulnerability Management and Threat Intelligence. Now, since 85 percent of breaches occur via known vulnerabilities, the Vulnerability Response application adds the critical capability of preventing data breaches before they can occur. The application identifies known vulnerabilities in your environment and helps you prioritize and resolve, and, as John mentioned, if you've leveraged orchestration, in some cases it can even automate shutting down those vulnerabilities. The Security Incident Response application integrates with your existing security products, and it automatically prioritizes alerts that you're getting. It also draws upon Threat Intelligence, that's the third piece, those threat intelligence libraries, to enrich incident data so that you can determine your optimal response action. This all enables you to fill security gaps very quickly. So by implementing adequate security controls, managing vulnerabilities and responding to security incidents rapidly, you can ensure that your organization is actively safeguarding all this customer data and also reducing the risk of non-compliance with the CCPA, as well as any other internal or external commitments that you have.

So now let's go a little deeper on how you can automate and measure continuous compliance with the ServiceNow GRC suite. The GRC suite consists of Policy and Compliance Management, Risk Management, Vendor Risk Management and Audit Management. The primary application you're going to be relying on is the Policy and Compliance application. It lets you create and manage policies around privacy compliance and information security, and this is where you're going to implement a system of internal controls to monitor your CCPA compliance, as well as any other compliance frameworks or regulations that are in scope for you. Now, the Risk Management application allows you to link your control environment to corporate risks, and it also helps you quantify the potential impact and likelihood of those risks, as well as guide your organization through the steps to mitigate risks, or respond if a risk comes into being and is now a present issue. Vendor Risk Management helps you assess your vendors and make sure their security environment is adequate. The Target breach is a great example here: it cost Target hundreds of millions of dollars, and the hackers gained access to Target's computer gateway with credentials stolen from a third-party vendor, and once they had that access they captured a treasure trove of customer data: full names, phone numbers, email addresses, card numbers. Yeah, and that's horrible, but preventable with just a bit of rigor. And then finally, the Audit Management application allows you to schedule and automate self-audits to provide an extra layer of assurance that your CCPA compliance program is operating as intended. The application is intuitive to work with, and it puts evidence gathering front and center, and in my experience that helps you stay friends with all of your internal and external auditors.

So using the GRC Policy and Compliance application, you can quickly set up your internal controls monitoring solution. How? Well, at a high level, I'll walk you through it. The process starts by entering the CCPA law, regulations and relevant frameworks into ServiceNow as what we call authority documents; you see that there on the left. Then you identify the elements or entities in your organization that the compliance applies to. This allows you to identify your control objectives. Once you map your control objectives to the in-scope entities, ServiceNow automatically generates your control environment and manages that environment for the lifetime of the controls. Now that your controls are generated, you set up your monitoring activities to continuously monitor all those controls; you want to make sure that they're operating as intended, and also provide an indication of how well your controls are performing. Dashboards, once you've set all this up, display up-to-the-minute performance metrics, providing visibility into your overall CCPA compliance posture.

Now, that was high-level, and I kind of blasted through it a little bit, so let's reframe it with some action steps; you see those listed here along the top. First, import your authority documents, such as CCPA. Next, cite the sections of those documents that are directly applicable to your organization. Then create your control objectives that define how you're going to comply with all these mandates. Next, we need to relate these external elements to your environment, and we need to do it in a way that we can hopefully wash, rinse and repeat. So next, now that we've defined our control objectives, you define your control environment by mapping all those objectives to your in-scope systems. ServiceNow uses a condition-based selection tool for this, and it makes the scoping exercise very straightforward and also very flexible and scalable. Once your controls are generated, you can set up attestations to ensure a control is in place, as well as trigger indicators to continually test and monitor controls. Again, as John mentioned for the CSM piece, if your configuration management database is in place and you have access to some data, you can automate some of this evidence gathering using these indicators. Once you have all this in place, from this posture your overall compliance can be tracked via dashboards to determine the percentage compliance with the law, as well as all of your other policies and frameworks. At a glance you know if you're having a good day or a bad day, and it also prompts you to take meaningful action. Now, all this was conceptual, so if you'd like to see how all this works in a real-time demo, please let us know in the chat window and we'll get that set up for you.

So now let's explore how Covestic can help you get a quick win and stay compliant. At a high level, Covestic was founded in 2001, and we've assembled a world-class team. We are 300 experienced consultants averaging over 15 years of consulting and IT experience. We invest in continual training and education of all our team, and all of our resources are in the USA. We've completed over 180 ServiceNow projects, and we have an average customer satisfaction score of nine point six. And at Covestic we take a long view to our
client relationships true partnerships the goal and this brings me to what I'm second-most proud of a better company and that's that ninety percent of our clients come back for repeat engagement we bring demonstrable value to our clients and they reward us by sticking around so what am i proudest of about Co mastic well we don't try to be all things to all people we specialize in specific areas such as CSM GRC and security operations that you heard about today but also IT Service Management IT operations management we focus where we're great and from that posture we provide end end real-world experience based solutions and guidance not just a tool implementation so here are a few familiar companies that have become our valued long-term clients hopefully you see similarities to your organization in one of these names and if you are one of these organizations we thank you for your loyalty and choosing us to guide your journey so I want to leave you just one thought in closing we want to help you stay ahead of the groundswell we've been very specific today talking about the CCPA primarily in consumer privacy and rightly so a concern for privacy is sweeping across the nation as well as the globe the CCPA is just a harbinger of things to come the European Union led the way in protection of this data in 2018 with the introduction of the general data protection regulation gdpr I'm sure all of you are familiar with it and it's been replicated by countries around the world here in the States it's not just California Nevada and Maine have already passed CCPA like laws and other states are getting ready to follow suit so wherever you do business privacy regulations are coming that are going to impact you at Quebec one of the things we focus on is tracking all these emerging regulations and conceptualizing how they might apply to our clients so with us on your team you can rest assured that ServiceNow will help your organization stay CCPA compliant our goal is to help you 
build a solution that's scalable and future-proofed so you can ensure that you can readily achieve compliance with all the new regulations coming at you as well all right so let's wrap up and get to your questions now any that we don't get to will answer via email so the first question is how long does it typically take to stand up the CSM solution for handling CCPA requests I'll give kind of a generalized answer and then I think let's get a let's get John sorry now let's get Mike involved I think you give us some some clarity here so in my experience it's about three months but it really depends on a few things it depends on the integration with your later repositories if there are other forms that you have internally so Mike if you could just share this what other variables might be might impact that duration yeah I think I think you hit on the main ones is the integrations with the with other third parties products have they come into play such as the identity verification also depends on the layout of your data estate and what types of tools you have that can locate for example can locate your consumer personal data PII type of data and so integrating with those type of solutions has to has a pretty significant you know has the largest impact on scheduling but typically you know three three to four months to in general and then I'm standing said that's that's that's a good you know that's a good tight duration we're not talking about a year or two here no so we have another question what if you don't have CSM are there any alternative ways to stand up a request processing solution and ServiceNow CSM and GRC to answer that or great together as we've seen but they are just options if you're familiar of platform at all you know that it's very flexible very robust it can do a lot of things so John I kind of want to reach out to you here when we address CCPA for a recent client just a few months ago there were several options that we helped them consider keep tell 
us more about that experience and what other ways they might be able to dress CCPA yeah sure so another option of course would be leveraging a custom application within ServiceNow so again ServiceNow is a platform so you could stand up you a custom CCP application but when we were doing the analysis basically between standing up a custom app within ServiceNow or leveraging the out-of-the-box functionality of customer service management targeted towards the consumer it just made a lot more sense to go with the out-of-the-box solution of customer service management because a lot of the fields tables you know your cases your case tasks your SaaS your agent workspace all that functionality was ready to go out of the box for for customer service management and so it made the recent project you know like we were able to hit that three-month timeline and come into compliance on the first utilizing you know a lot of the existing infrastructure of the Ala box customer service management so it made implementing the the application the CSM application and coming into compliance with CCPA within that three-month time window and hit and for this particular organization hitting that legal you know January 1st deadline so just aligns nicely basically to the out of the box of customer service management and again the advantages you already have your CMDB you already have your IT people in service now you already have your sec ops and hopefully your GRC so everyone's already in this platform working against this information and so the option of like going out and getting and you know another third-party application specifically for CCPA now your teams need to log into another system most likely that system is going to need the harvest information you already have within ServiceNow so it just didn't it didn't make sense to kind of go with those those other outside parties that kind of stand up request didn't take for CCPA it's like you've already got all the data everyone's already 
using the platform you can leverage all the different out-of-the-box applications for GRC SEC ops CSM and your existing ITSM infrastructure so it's just a perfect fit standing sir thank you so we got a little run of questions regarding the CCPA is pretty specific to the CCPA mic there's there's three questions right in a row imparting to be coming to you and again I want to reiterate that as Mike said at the top we we've gone deep on the CCPA we understand what it takes to comply with it but you should always backstop yourself with talking to your internal legal team talking to your customer team and understand what's being gathered so first question if companies have adhered to GE PR are they automatically compliant with CCP a - that's really that's that's really an awesome question the CCP a is very similar to the gdpr in some of the rights that it grants the consumers however the CCP a defines personal information more expansively than the GDP or does so part if you are GDP or compliant at this time I think an analysis needs to be done of looking at the definition of the data under the GDP are you know what constitutes personal information then look at the definition again under the CCPA and make sure that your processes that you have put in place for the GDP are or doing with the the full spectrum of information personal information as defined under the CCP a standing thank you sir another question if the company adheres to CCP a do you expect they will apply it across all consumers not just California consumers yeah another great question I think this just comes down to practicality I mean most organizations are not going to want to have to run two separate sets of processes one for California customers and one for non California consumers so I suspect that the the most prudent and most efficient solution is to adapt adopt your processes to meet the requirements of the CCPA across the board regardless of the type of consumer that you're holding date on and in 
reality the CCPA as Eric mentioned earlier it's really sort of the you know it's it's leading the way for the other states so regardless of what state you're in sooner or later there's going to be a privacy law that you're going to have to adhere to and if if those laws are sort of founded based on the CCPA by getting ahead of game and making sure all your processes or CCPA comply compliant you know like I said you'll be ahead of the game yeah and and that also you know it strikes me that you know I need to reiterate the test once comply many feature of ServiceNow so when you set up these control objectives to comply with CCPA you're probably already laying groundwork for these other states as well because they're gonna be based I'm sure pretty close to the CCPA so if you've got you know state of control objectives that do one thing and it does another thing for say Maine but it's the same control objective language you get to get that percentage score of how we're doing on the CCPA but oh by the way you know you're also taking care of Maine too in a lot of cases I so work oh yeah that's that's a really good point I think the focus is on privacy you know just yeah keep the focus on privacy regardless of the individual states yeah another question and and Mike I think there's a you know a process slash law answer for you here John if you feel like adding anything you know as far as the the technical solution based on Mike's answer please do so the question as does the ticket that records data being deleted also need to be deleted so that consumer request does it also need to be deleted if it's unduly request great questions my understanding is no you need to retain that record as evidence that you've first that you've you know that you've actually received the request you process the request and you fulfilled the request but check with your legal department on that for sure but that's my understanding is that no you don't have to delete the request I mean the record 
of the request is that the question yeah yeah Eric my understanding is consistent with mics and that's how a recent project that I worked on interpreted but of course like like Mike mentioned check with your own legal counsel but under the law you need to be able to prove that you met the requirement of the CCPA request and so maintaining that case and the case task information kind of Falls there's a little clause within the law that says yeah obviously in order to do your bookkeeping and record-keeping that you you met the law for this particular request you can retain that request record so the case tasks and the case request itself or or retain to prove that out basically to you for CCP a compliance though but but like meant like mention of course check with your own legal counsel on their interpretation and on your you're a little closer to the steel you know these days as they say John so you know want you to correct me here but also if there's a retention requirement I'm not speaking CCP a specific here I'm speaking you know compliance framework or regulation if there's a retention requirement of say seven years and you want to make sure you blow away that data after seven years ServiceNow has methods of automating that is that is that correct yep that's correct there yep yep so based on what your legal or compliance office determines they want their retention length to be then you know you can kind of reconcile that with the the ServiceNow platform maintaining that record and purging it as needed but I'm sorry and that's one thing we didn't really discuss in the slides is that the deletion the deletion request has a long list of exceptions that are you know provider right in the text of the law itself for example if product is under warranty or if there's a legal hold on the information you don't need to respond you don't need to actually do the deletion you can just inform the customer that a you requested this deletion but there's this legal hold on it 
and so we're unable to fulfill your request at this time and we've just got one more question in the hopper I want to point out that we've got time for more questions so anything you think of go ahead and chat it and we'll get you taken care of so the question is how scalable is the solution will it handle other regulations such as HIPAA sarbanes-oxley etc I think I think we might have opportunity for all three of us to chime in on this one it's very scalable there's there's multiple methods to set up these Authority documents Mike and I are well versed in all of them there's one of them built within ServiceNow the unified compliance framework it has advantages it has its disadvantages there are also other tools compliance forms as one of them and then there's just going out and finding the the guts of the framework or relation itself and importing it there's multiple ways to skin that cat so to speak but once you have again you can identify controls that address multiple regimes and begin to grow from that point so the the heavy-lift if you will is your initial deployment it actually kind of becomes easier after that so as far as scalability the solution will go Mike and then John anything you have bad yeah as far as scalability extremely scalable regardless of the number of regulations that you need to comply with speaking from the let's take upon the GRC perspective you can add all those different regulations into ServiceNow as Authority documents as Eric mentioned or you can I cite the different sections of those authority documents you can then define control objectives and this the way I'm describing it now is a manual process but like Eric said that there is a product called the unified compliance framework that can be leveraged to to jumpstart that effort and once you've done this and it's just the overall processes of of identifying the entities to which these these authority documents or these regulations apply that overall process of identifying them and 
identifying how you're going to test those to ensure compliance that those processes are all pretty much the same so once you've set up your GRC application for example it's just a matter of adding the regulations that come into scope yeah so of course customer service management is super scalable so it's another part of the ServiceNow platform and so you could start off you know with manual fulfillment for collecting the disclosure information and then you can mature into you know the automation through integration hub and orchestration platform again we were showing earlier the omni-channel so there's a lot of different ways through web portal phone chat different means for us to take in those requests and again a customer service management is just a particular application of the full service now platform so as you need to scale maybe your fulfillment your SaaS your tasking an email notification you have the full feature set of the ServiceNow platform to increase you know and scale out how your compliance or privacy team are gonna fulfill those requests and kind of automate that fulfillment and processing so so yeah I'm Steve thank you sir so we did get one more question I think we'll take this one and then get to our wrap-up John this was very definitely for you have you done data encryption at the column level if so how difficult is it or sorry and also what are some of the challenges yes so I have done encryption at the field level so field level encryption and then creating the encryption keys and securities it's not too difficult you just have to make sure that the security context is associated to the privacy team groups of the compliancy team groups so that they're able to see that information hopefully you're not collecting additional PII information through the request the last project I did didn't do that so that we don't pull more things into compliance so we're you know we were just collecting my hey what's your name what's your address what's your 
membership number but yes service now you can pull into play the data encryption at the calm level if need be if there is some additional PII information that you need to collect to kind of fulfill those requests but hopefully you can you can avoid that if possible but there's also the the platform level edge to edge encryption if you need that so that that encryption capabilities there if needed yeah and thank you for that last piece I was actually going to add that that depending on the precise encryption requirements there are multiple methods available to you in ServiceNow including that into end encryption of the data in in-flight ah alright I don't think we have any other questions Mike go ahead and wrap us up today okay great hey those are those awesome questions okay so that concludes our presentation for today so if if what you saw here today resonated with you whether you are an existing ServiceNow customer or if you're new to the platform we would be more than happy to set up a more customized and interactive demo for your team so just reach out to us at ServiceNow mystic comm also yeah just don't forget be sure to keep an eye out for that email from us with a link to a copy of this recording it should go out within the next 24 hours and that's it so thank you again for your time and we hope circumstances will allow us to further explore how we can help you achieve your CCPA compliance goals so thanks again for joining us and have a great day
https://www.youtube.com/watch?v=aLmmErLd2bw