Passing Prop 24

Passing Prop 24

Businesses now have to listen to consumers on how they want their PII used

  • By Richard Kanadjian
  • Mar 02, 2021

By a margin of 56.2% to 43.8%, residents of the state of California this past election passed Proposition 24 that further strengthens the California Consumer Privacy Act (CCPA), a significant dataprivacy law the state’s Legislature passed in 2018, and that took effect Jan. 1, 2020.

Supporters of Prop. 24 posited the CCPA privacy law, even though it had just gone into effect earlier in the year, wasn’t strong enough. Updates in Prop. 24, they said, would create, among other things, a system to enforce CCPA and triple fines on companies that violated under-aged children’s privacy.

Furthermore, leaders of the proposition said consumers would have more control over specific personal data, prevent their precise location from being tracked, and increase the ability to sue companies when their email and passwords are stolen or hacked. They added that when the residents of California passed this proposition, they made it harder for lobbyists to change the privacy laws in the Legislature.

Basically, Prop. 24 changed California’s data-privacy law in these five meaningful ways:

  • Businesses now have to listen to consumers on how they want their personally identifiable information (PII) used
  • Permits consumers to correct inaccurate personal information
  • Businesses can only hold onto consumers’ PII data for as long as it is necessary
  • Companies can be fined up to $7,500 for violating children’s privacy rights by the government
  • A new state agency is created to enforce, investigate and assess penalties related to privacy laws

It also is important to remember that in addition to the CCPA and Prop. 24, many companies in the United States and worldwide are also affected by the European Union’s (EU) very similar General Data Protection Regulation (GDPR) that took effect in 2018.

So, even if you don’t own a business in California or have customers based there, but you collect California consumers’ personal data, or you don’t fall under GDPR regulations, why do you care about all of this? The answer is twofold: 1) consumers (read: private citizens) and government bodies worldwide are taking data privacy very seriously, and 2) it stands to reason that other states and countries around the world will follow suit and impose their own data privacy regulations.

Hopefully, all of this is just another reminder to you that data breaches are serious issues for any company that holds consumer PII (Personally Identifiable Information) as well as any other sensitive information, including your own day-today information vital to your operations.

Secure, protected data saves you potentially millions of dollars in fines or lawsuits as well as public and/or industry embarrassment or scorn. Protecting personal private information also shows you are a good citizen, and that can become a competitive advantage and enhance your company’s reputation.

All of the above leads us to two basic questions: what is considered PII, and what is the best way to protect it?

The original CCPA defined personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with a particular consumer or household. As examples, it listed the following: a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver license number, passport number, or other similar identifiers.

But that’s not all. An additional stipulation of California’s privacy laws lists a variety of other identifiers including name, signature, physical characteristics or description, telephone number, passport number, state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information or health insurance information.

It did, however, exempt two areas: personal health information and financial information. Regarding personal health information, CCPA acquiesces to the Health Insurance Portability and Accountability Act (HIPAA). According to the National Law Review, information gathered by financial institutions must follow the California Financial Information Privacy Act, Fair Credit Reporting Act or the Gramm-Leach- Bliley Act depending on the situation.

It did not, however, consider publicly available information as personal.

In securing PII data, it is necessary to consider both at rest (data permanently stored) and in transit (data downloaded to a mobile device such as a USB drive for use at another location) situations.

In either case, the easiest, most effective means to secure such data is the use of encryption. Encryption converts inputted information into blocks of basically unreadable or undecipherable data. (Encrypted information is referred to as ciphertext, and non-encrypted as plain text.) Encryption technology can be either hardware or software-based. And, yes, there is a difference between the two, with hardware encryption being preferred.

Software encryption uses any of a variety of software programs to encrypt the data. As the data is being written or read, the programs, using the system’s or device’s CPU, encrypt or decrypt it as applicable. While software encryption is cost effective, it is only as secure as the system it is used on. If the code or password is cracked by being sniffed in the system’s memory, encrypted data becomes an open book. Also, since the processor does the encryption and decryption, the entire system slows down, often to a crawl, when the encryption process is taking place.

A hardware-centric/software-free encryption approach to data security is the best defense against data loss, as it eliminates the most commonly used attack routes. This software-free method can also provide comprehensive compatibility with most OS or embedded equipment. Since the CPU is not involved in the process, the system does not slow down. Hence, it is much faster and more secure than software-based encryption (e.g. Microsoft BitLocker). In addition, encryption can never be turned off in hardware-encrypted USB drives, whereas it can be removed on software-encrypted USB drives; this is the biggest weakness of using software encryption.

Such devices meet stringent industry security standards and offer the ultimate security in data protection to manage situations confidently and reduce risks. They are self-contained and do not require a software element on the host device. No software vulnerability eliminates the possibility of brute-force, sniffing and memory hash attacks.

The best hardware-based encrypted devices use AES 256-bit encryption in XTS mode (the top of the line in encryption). It protects 100% of data stored and enforces complex password protocol with minimum characteristics (or complexity such as minimum length, required number of character sets) to prevent unauthorized access. For additional peace of mind, some password authentication techniques lockdown after 10-incorrect password attempts and render the encrypted data unreadable (basically erased), and feature a read-only access mode to avoid malware attacks on unknown systems. This ensures that anyone who finds such a USB drive or attempts to hack an Encrypted USB drive equipped with such technology cannot access the information. Some USB drives have increased security with digitally signed firmware that cannot be altered and a physical layer of protection. In choosing what type of encryption to use, your first choice should always be hardware-based, AES-256 bit XTS.

This article originally appeared in the March 2021 issue of Security Today.

Featured

  • Security Industry Association Announces the 2026 Security Megatrends

    The Security Industry Association (SIA) has identified and forecasted the 2026 Security Megatrends, which form the basis of SIA’s signature annual Security Megatrends report defining the top 10 factors influencing both near- and long-term change in the global security industry. Read Now

  • The Future of Access Control: Cloud-Based Solutions for Safer Workplaces

    Access controls have revolutionized the way we protect our people, assets and operations. Gone are the days of cumbersome keychains and the security liabilities they introduced, but it’s a mistake to think that their evolution has reached its peak. Read Now

  • A Look at AI

    Large language models (LLMs) have taken the world by storm. Within months of OpenAI launching its AI chatbot, ChatGPT, it amassed more than 100 million users, making it the fastest-growing consumer application in history. Read Now

  • First, Do No Harm: Responsibly Applying Artificial Intelligence

    It was 2022 when early LLMs (Large Language Models) brought the term “AI” into mainstream public consciousness and since then, we’ve seen security corporations and integrators attempt to develop their solutions and sales pitches around the biggest tech boom of the 21st century. However, not all “artificial intelligence” is equally suitable for security applications, and it’s essential for end users to remain vigilant in understanding how their solutions are utilizing AI. Read Now

  • Improve Incident Response With Intelligent Cloud Video Surveillance

    Video surveillance is a vital part of business security, helping institutions protect against everyday threats for increased employee, customer, and student safety. However, many outdated surveillance solutions lack the ability to offer immediate insights into critical incidents. This slows down investigations and limits how effectively teams can respond to situations, creating greater risks for the organization. Read Now

Most   Popular

New Products

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles.

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation.

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”