Passing Prop 24

Passing Prop 24

Businesses now have to listen to consumers on how they want their PII used

By a margin of 56.2% to 43.8%, residents of the state of California this past election passed Proposition 24 that further strengthens the California Consumer Privacy Act (CCPA), a significant dataprivacy law the state’s Legislature passed in 2018, and that took effect Jan. 1, 2020.

Supporters of Prop. 24 posited the CCPA privacy law, even though it had just gone into effect earlier in the year, wasn’t strong enough. Updates in Prop. 24, they said, would create, among other things, a system to enforce CCPA and triple fines on companies that violated under-aged children’s privacy.

Furthermore, leaders of the proposition said consumers would have more control over specific personal data, prevent their precise location from being tracked, and increase the ability to sue companies when their email and passwords are stolen or hacked. They added that when the residents of California passed this proposition, they made it harder for lobbyists to change the privacy laws in the Legislature.

Basically, Prop. 24 changed California’s data-privacy law in these five meaningful ways:

  • Businesses now have to listen to consumers on how they want their personally identifiable information (PII) used
  • Permits consumers to correct inaccurate personal information
  • Businesses can only hold onto consumers’ PII data for as long as it is necessary
  • Companies can be fined up to $7,500 for violating children’s privacy rights by the government
  • A new state agency is created to enforce, investigate and assess penalties related to privacy laws

It also is important to remember that in addition to the CCPA and Prop. 24, many companies in the United States and worldwide are also affected by the European Union’s (EU) very similar General Data Protection Regulation (GDPR) that took effect in 2018.

So, even if you don’t own a business in California or have customers based there, but you collect California consumers’ personal data, or you don’t fall under GDPR regulations, why do you care about all of this? The answer is twofold: 1) consumers (read: private citizens) and government bodies worldwide are taking data privacy very seriously, and 2) it stands to reason that other states and countries around the world will follow suit and impose their own data privacy regulations.

Hopefully, all of this is just another reminder to you that data breaches are serious issues for any company that holds consumer PII (Personally Identifiable Information) as well as any other sensitive information, including your own day-today information vital to your operations.

Secure, protected data saves you potentially millions of dollars in fines or lawsuits as well as public and/or industry embarrassment or scorn. Protecting personal private information also shows you are a good citizen, and that can become a competitive advantage and enhance your company’s reputation.

All of the above leads us to two basic questions: what is considered PII, and what is the best way to protect it?

The original CCPA defined personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with a particular consumer or household. As examples, it listed the following: a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver license number, passport number, or other similar identifiers.

But that’s not all. An additional stipulation of California’s privacy laws lists a variety of other identifiers including name, signature, physical characteristics or description, telephone number, passport number, state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information or health insurance information.

It did, however, exempt two areas: personal health information and financial information. Regarding personal health information, CCPA acquiesces to the Health Insurance Portability and Accountability Act (HIPAA). According to the National Law Review, information gathered by financial institutions must follow the California Financial Information Privacy Act, Fair Credit Reporting Act or the Gramm-Leach- Bliley Act depending on the situation.

It did not, however, consider publicly available information as personal.

In securing PII data, it is necessary to consider both at rest (data permanently stored) and in transit (data downloaded to a mobile device such as a USB drive for use at another location) situations.

In either case, the easiest, most effective means to secure such data is the use of encryption. Encryption converts inputted information into blocks of basically unreadable or undecipherable data. (Encrypted information is referred to as ciphertext, and non-encrypted as plain text.) Encryption technology can be either hardware or software-based. And, yes, there is a difference between the two, with hardware encryption being preferred.

Software encryption uses any of a variety of software programs to encrypt the data. As the data is being written or read, the programs, using the system’s or device’s CPU, encrypt or decrypt it as applicable. While software encryption is cost effective, it is only as secure as the system it is used on. If the code or password is cracked by being sniffed in the system’s memory, encrypted data becomes an open book. Also, since the processor does the encryption and decryption, the entire system slows down, often to a crawl, when the encryption process is taking place.

A hardware-centric/software-free encryption approach to data security is the best defense against data loss, as it eliminates the most commonly used attack routes. This software-free method can also provide comprehensive compatibility with most OS or embedded equipment. Since the CPU is not involved in the process, the system does not slow down. Hence, it is much faster and more secure than software-based encryption (e.g. Microsoft BitLocker). In addition, encryption can never be turned off in hardware-encrypted USB drives, whereas it can be removed on software-encrypted USB drives; this is the biggest weakness of using software encryption.

Such devices meet stringent industry security standards and offer the ultimate security in data protection to manage situations confidently and reduce risks. They are self-contained and do not require a software element on the host device. No software vulnerability eliminates the possibility of brute-force, sniffing and memory hash attacks.

The best hardware-based encrypted devices use AES 256-bit encryption in XTS mode (the top of the line in encryption). It protects 100% of data stored and enforces complex password protocol with minimum characteristics (or complexity such as minimum length, required number of character sets) to prevent unauthorized access. For additional peace of mind, some password authentication techniques lockdown after 10-incorrect password attempts and render the encrypted data unreadable (basically erased), and feature a read-only access mode to avoid malware attacks on unknown systems. This ensures that anyone who finds such a USB drive or attempts to hack an Encrypted USB drive equipped with such technology cannot access the information. Some USB drives have increased security with digitally signed firmware that cannot be altered and a physical layer of protection. In choosing what type of encryption to use, your first choice should always be hardware-based, AES-256 bit XTS.

This article originally appeared in the March 2021 issue of Security Today.

Featured

  • Accelerating a Pathway

    There is a new trend touting the transformational qualities of AI’s ability to deliver actionable data and predictive analysis that in many instances, seems to be a bit of an overpromise. The reality is that very few solutions in the cyber-physical security (CPS) space live up to this high expectation with the one exception being the new generation of Physical Identity and Access Management (PIAM) software – herein recategorized as PIAM+. Read Now

  • Protecting Your Zones

    It is game day. You can feel the crowd’s energy. In the parking lot. At the gate. In the stadium. On the concourse. Fans are eager to party. Food and merchandise vendors ready themselves for the rush. Read Now

  • Street Smarts

    The ongoing acceptance of AI and advanced data analytics has allowed surveillance camera technology to shift from being a tactical tool to a strategic business solution. Combining traditional surveillance technology with AI-based data-driven insights can streamline transportation systems, enhance traffic management, improve situational awareness, optimize resource allocation and streamline emergency response procedures. Read Now

  • The Progress of Biometrics

  • Next-Gen AI for Smart Cities

    The future of smart city technology is not being shaped in Silicon Valley — it is taking root in Dubuque, Iowa. With a population of about 60,000, this mid-sized city has become a live testbed for AI-driven traffic management thanks to a unique public-private collaboration led by Milestone Systems. Project Hafnia demonstrates how cities can transform urban mobility and safety through Responsible Technology—without costly infrastructure overhauls. Read Now

New Products

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.