The big data grab drove companies to stockpile data, with little thought of how to use it, and even less thought about how to properly secure it. People everywhere are growing more conscious of the data they share, who collects it, and how it is handled. This rising awareness has sparked legislation designed to safeguard sensitive data, but these new laws aren’t just boxes to tick off; they represent an important trend that businesses need to get on board with.

Like the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) is a far-reaching attempt to enshrine new rights for people around their data. Everyone should be able to see what data is being collected, for what purpose, and to decide that they don’t want to share data without penalty.

You could study what the CCPA means for your business and work out how to comply in fire-fighting mode, then wait for the next piece of data legislation. But that’s short-term thinking, and it will cost you more in the long run. The smarter move is to use the CCPA as a springboard to re-examine your data security efforts, fundamentally change the way you collect and use sensitive data and get your house in order.

There are three key areas to consider: how you collect data, how you store data, and how you distribute data.

Interrogate your data collection

The tide has changed on sensitive data, and the GDPR and CCPA are just the first couple of waves. It would be safe to assume that regulations will continue to tighten, and more laws will follow. By re-examining the data your business collects and thinking critically about the value it represents, you can decide how much of it is necessary. You may find it is better to stop collecting some kinds of data.

Talk to all key stakeholders about the data your business is collecting.
Identify the critical data for your business processes and cross-reference that with all the personal data you collect on people that falls under the CCPA. Consider that any personal data you collect about people and their habits, from email addresses to browsing history to specific preferences, is data that you’re going to have to make accessible on request.

Once you have a map of the data that’s essential to your business, you can start thinking about how to classify, store, move, and protect it.

Secure your data storage

The potential cost of a data breach is enormous and that’s why companies already have all kinds of security measures in place to protect most of the sensitive data they hold, such as credit card numbers, birth dates, and addresses. Despite this, there are still some kinds of data that may not be as protected as they should be, and there are also times when data is not transferred securely, or when data is used in other environments insecurely.

It’s alarmingly common for data to be unsecured in non-production environments that developers may be working on and testing. There’s an assumption that because these environments are internal they don’t need the same stringent protections as live business environments, but this is a misconception.

All the personal data a company holds must be protected with reasonable security measures. It doesn’t matter if the data is exfiltrated because a contractor is careless, a third party is compromised, or because your system is hacked from the outside; your business will come under the same scrutiny and is subject to the same penalties.

It’s vital to take measures to secure the data you hold, at rest and in transit, wherever it may be and whatever it is being used for. Assessing the best way to do this is a crucial step.
For test environments, for example, it may make more sense to develop a way to generate false data that’s representative of real data and use that instead of real customer data.

Limit the data distribution

Do you know where all of your data is? It’s common to store data in many different warehouses, often spread across countries and different cloud services. It’s also common to share data with third-party vendors and partners. There are solid business reasons for this, but you must be sure to factor in the potential cost of poor security that leads to a data breach.

While the CCPA doesn’t have the same restrictions as GDPR on the flow of data across borders, it’s still prudent to understand where your data resides. It’s also absolutely vital that you ensure your partners share your security standards. This is not something you can afford to take on trust, so do your due diligence. Limit the flow of data where it appears unnecessary and make sure you have a clear picture of where all your data is collected, stored, and moved to for any purpose.

There’s a lot of advice out there that can help you plot your course to a better data security strategy, starting with things like the NIST Cybersecurity Framework or the ISO 27001/2. While it may prove impossible to prevent a data breach, you must be able to show that you have taken reasonable measures to try and protect the data with which you’ve been entrusted. The CCPA could be exactly the motivation you need to improve your data security standards because you will be held accountable.