Passing Prop 24
Businesses now have to listen to consumers on how they want their PII used
- By Richard Kanadjian
- Mar 02, 2021
By a margin of 56.2% to 43.8%, residents of the state of California this past election passed Proposition 24, which further strengthens the California Consumer Privacy Act (CCPA), a significant data-privacy law the state’s Legislature passed in 2018 and that took effect Jan. 1, 2020.
Supporters of Prop. 24 posited that the CCPA privacy law, even though it had just gone into effect earlier in the year, wasn’t strong enough. Updates in Prop. 24, they said, would create, among other things, a system to enforce CCPA and triple fines on companies that violated underage children’s privacy.
Furthermore, leaders of the proposition said consumers would have more control over specific personal data, could prevent their precise location from being tracked, and would have an increased ability to sue companies when their email and passwords are stolen or hacked. They added that when the residents of California passed this proposition, they made it harder for lobbyists to change the privacy laws in the Legislature.
Basically, Prop. 24 changed California’s data-privacy law in these five meaningful ways:
- Businesses now have to listen to consumers on how they want their personally identifiable information (PII) used
- Consumers are permitted to correct inaccurate personal information
- Businesses can only hold onto consumers’ PII data for as long as it is necessary
- Companies can be fined up to $7,500 by the government for violating children’s privacy rights
- A new state agency is created to enforce, investigate and assess penalties related to privacy laws
It also is important to remember that in addition to the CCPA and Prop. 24, many companies in the United States and worldwide are also affected by the European Union’s (EU) very similar General Data Protection Regulation (GDPR) that took effect in 2018.
So, even if you don’t own a business in California or have customers based there, but you collect California consumers’ personal data, or you don’t fall under GDPR regulations, why should you care about all of this? The answer is twofold: 1) consumers (read: private citizens) and government bodies worldwide are taking data privacy very seriously, and 2) it stands to reason that other states and countries around the world will follow suit and impose their own data privacy regulations.
Hopefully, all of this is just another reminder to you that data breaches are serious issues for any company that holds consumer PII (Personally Identifiable Information) as well as any other sensitive information, including your own day-to-day information vital to your operations.
Secure, protected data saves you potentially millions of dollars in fines or lawsuits as well as public and/or industry embarrassment or scorn. Protecting personal private information also shows you are a good citizen, and that can become a competitive advantage and enhance your company’s reputation.
All of the above leads us to two basic questions: what is considered PII, and what is the best way to protect it?
The original CCPA defined personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with a particular consumer or household. As examples, it listed the following: a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
But that’s not all. An additional stipulation of California’s privacy laws lists a variety of other identifiers including name, signature, physical characteristics or description, telephone number, passport number, state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information or health insurance information.
It did, however, exempt two areas: personal health information and financial information. Regarding personal health information, CCPA defers to the Health Insurance Portability and Accountability Act (HIPAA). According to the National Law Review, information gathered by financial institutions must follow the California Financial Information Privacy Act, Fair Credit Reporting Act or the Gramm-Leach-Bliley Act, depending on the situation.
It did not, however, consider publicly available information as personal.
In securing PII data, it is necessary to consider both at rest (data permanently stored) and in transit (data downloaded to a mobile device such as a USB drive for use at another location) situations.
In either case, the easiest, most effective means to secure such data is the use of encryption. Encryption converts input information into blocks of basically unreadable or undecipherable data. (Encrypted information is referred to as ciphertext, and non-encrypted as plaintext.) Encryption technology can be either hardware- or software-based. And, yes, there is a difference between the two, with hardware encryption being preferred.
Software encryption uses any of a variety of software programs to encrypt the data. As the data is being written or read, the programs, using the system’s or device’s CPU, encrypt or decrypt it as applicable. While software encryption is cost-effective, it is only as secure as the system it is used on. If the code or password is cracked by being sniffed in the system’s memory, encrypted data becomes an open book. Also, since the processor does the encryption and decryption, the entire system slows down, often to a crawl, when the encryption process is taking place.
A hardware-centric/software-free encryption approach to data security is the best defense against data loss, as it eliminates the most commonly used attack routes. This software-free method can also provide comprehensive compatibility with most OS or embedded equipment. Since the CPU is not involved in the process, the system does not slow down. Hence, it is much faster and more secure than software-based encryption (e.g., Microsoft BitLocker). In addition, encryption can never be turned off in hardware-encrypted USB drives, whereas it can be removed on software-encrypted USB drives; this is the biggest weakness of using software encryption.
Such devices meet stringent industry security standards and offer the ultimate security in data protection to manage situations confidently and reduce risks. They are self-contained and do not require a software element on the host device. With no software vulnerability to exploit, the possibility of brute-force, sniffing and memory hash attacks is eliminated.
The best hardware-based encrypted devices use AES 256-bit encryption in XTS mode (the top of the line in encryption). This protects 100% of stored data and enforces a complex password protocol with minimum characteristics (complexity such as a minimum length and a required number of character sets) to prevent unauthorized access. For additional peace of mind, some password authentication techniques lock down after 10 incorrect password attempts and render the encrypted data unreadable (basically erased), and feature a read-only access mode to avoid malware attacks on unknown systems. This ensures that anyone who finds such a USB drive or attempts to hack an encrypted USB drive equipped with such technology cannot access the information. Some USB drives have increased security with digitally signed firmware that cannot be altered and a physical layer of protection.
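
The password policy and 10-attempt lockout described above can be modelled in a few lines. This is an added example, not code from the article or from any drive vendor; the policy values (`MIN_LENGTH`, `MIN_CLASSES`), the `DriveController` class and the XOR key wrap (a stand-in for a real key-wrap cipher) are assumptions for illustration.

```python
import hashlib, hmac, os, string

MAX_ATTEMPTS = 10   # lockout threshold named in the article
MIN_LENGTH = 8      # assumed policy value, not from the article
MIN_CLASSES = 3     # assumed: at least 3 of the 4 character sets below
CHARSETS = (string.ascii_lowercase, string.ascii_uppercase,
            string.digits, string.punctuation)

def meets_policy(password):
    """Minimum length plus a required number of character sets."""
    used = sum(any(ch in cs for ch in password) for cs in CHARSETS)
    return len(password) >= MIN_LENGTH and used >= MIN_CLASSES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class DriveController:
    """Toy model of on-device authentication; not real firmware."""

    def __init__(self, password):
        if not meets_policy(password):
            raise ValueError("password does not meet the complexity policy")
        self.salt = os.urandom(16)
        kek = self._kek(password)
        # A random data-encryption key (DEK) encrypts the user data. Only a
        # wrapped copy is stored; XOR stands in here for a real key-wrap cipher.
        self.wrapped_dek = _xor(os.urandom(32), kek)
        self.verifier = self._tag(kek)
        self.failures = 0   # a real device keeps this in non-volatile storage

    def _kek(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    @staticmethod
    def _tag(kek):
        return hmac.new(kek, b"unlock-check", hashlib.sha256).digest()

    def unlock(self, password):
        """Return the DEK on success, None on a failed attempt."""
        if self.wrapped_dek is None:
            raise PermissionError("key destroyed: stored data is unrecoverable")
        kek = self._kek(password)
        if hmac.compare_digest(self._tag(kek), self.verifier):
            self.failures = 0
            return _xor(self.wrapped_dek, kek)
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            # Destroying the only wrapped key copy leaves the ciphertext unreadable.
            self.wrapped_dek = self.verifier = None
        return None
```

Because the data is only ever stored encrypted under the DEK, discarding the wrapped key is what makes the contents "basically erased" without overwriting the storage itself.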
In choosing what type of encryption to use, your first choice should always be hardware-based, AES 256-bit XTS.
This article originally appeared in the March 2021 issue of Security Today.