Passing Prop 24

Passing Prop 24

Businesses now have to listen to consumers on how they want their PII used

By a margin of 56.2% to 43.8%, residents of the state of California this past election passed Proposition 24 that further strengthens the California Consumer Privacy Act (CCPA), a significant dataprivacy law the state’s Legislature passed in 2018, and that took effect Jan. 1, 2020.

Supporters of Prop. 24 posited the CCPA privacy law, even though it had just gone into effect earlier in the year, wasn’t strong enough. Updates in Prop. 24, they said, would create, among other things, a system to enforce CCPA and triple fines on companies that violated under-aged children’s privacy.

Furthermore, leaders of the proposition said consumers would have more control over specific personal data, prevent their precise location from being tracked, and increase the ability to sue companies when their email and passwords are stolen or hacked. They added that when the residents of California passed this proposition, they made it harder for lobbyists to change the privacy laws in the Legislature.

Basically, Prop. 24 changed California’s data-privacy law in these five meaningful ways:

  • Businesses now have to listen to consumers on how they want their personally identifiable information (PII) used
  • Permits consumers to correct inaccurate personal information
  • Businesses can only hold onto consumers’ PII data for as long as it is necessary
  • Companies can be fined up to $7,500 for violating children’s privacy rights by the government
  • A new state agency is created to enforce, investigate and assess penalties related to privacy laws

It also is important to remember that in addition to the CCPA and Prop. 24, many companies in the United States and worldwide are also affected by the European Union’s (EU) very similar General Data Protection Regulation (GDPR) that took effect in 2018.

So, even if you don’t own a business in California or have customers based there, but you collect California consumers’ personal data, or you don’t fall under GDPR regulations, why do you care about all of this? The answer is twofold: 1) consumers (read: private citizens) and government bodies worldwide are taking data privacy very seriously, and 2) it stands to reason that other states and countries around the world will follow suit and impose their own data privacy regulations.

Hopefully, all of this is just another reminder to you that data breaches are serious issues for any company that holds consumer PII (Personally Identifiable Information) as well as any other sensitive information, including your own day-today information vital to your operations.

Secure, protected data saves you potentially millions of dollars in fines or lawsuits as well as public and/or industry embarrassment or scorn. Protecting personal private information also shows you are a good citizen, and that can become a competitive advantage and enhance your company’s reputation.

All of the above leads us to two basic questions: what is considered PII, and what is the best way to protect it?

The original CCPA defined personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with a particular consumer or household. As examples, it listed the following: a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver license number, passport number, or other similar identifiers.

But that’s not all. An additional stipulation of California’s privacy laws lists a variety of other identifiers including name, signature, physical characteristics or description, telephone number, passport number, state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information or health insurance information.

It did, however, exempt two areas: personal health information and financial information. Regarding personal health information, CCPA acquiesces to the Health Insurance Portability and Accountability Act (HIPAA). According to the National Law Review, information gathered by financial institutions must follow the California Financial Information Privacy Act, Fair Credit Reporting Act or the Gramm-Leach- Bliley Act depending on the situation.

It did not, however, consider publicly available information as personal.

In securing PII data, it is necessary to consider both at rest (data permanently stored) and in transit (data downloaded to a mobile device such as a USB drive for use at another location) situations.

In either case, the easiest, most effective means to secure such data is the use of encryption. Encryption converts inputted information into blocks of basically unreadable or undecipherable data. (Encrypted information is referred to as ciphertext, and non-encrypted as plain text.) Encryption technology can be either hardware or software-based. And, yes, there is a difference between the two, with hardware encryption being preferred.

Software encryption uses any of a variety of software programs to encrypt the data. As the data is being written or read, the programs, using the system’s or device’s CPU, encrypt or decrypt it as applicable. While software encryption is cost effective, it is only as secure as the system it is used on. If the code or password is cracked by being sniffed in the system’s memory, encrypted data becomes an open book. Also, since the processor does the encryption and decryption, the entire system slows down, often to a crawl, when the encryption process is taking place.

A hardware-centric/software-free encryption approach to data security is the best defense against data loss, as it eliminates the most commonly used attack routes. This software-free method can also provide comprehensive compatibility with most OS or embedded equipment. Since the CPU is not involved in the process, the system does not slow down. Hence, it is much faster and more secure than software-based encryption (e.g. Microsoft BitLocker). In addition, encryption can never be turned off in hardware-encrypted USB drives, whereas it can be removed on software-encrypted USB drives; this is the biggest weakness of using software encryption.

Such devices meet stringent industry security standards and offer the ultimate security in data protection to manage situations confidently and reduce risks. They are self-contained and do not require a software element on the host device. No software vulnerability eliminates the possibility of brute-force, sniffing and memory hash attacks.

The best hardware-based encrypted devices use AES 256-bit encryption in XTS mode (the top of the line in encryption). It protects 100% of data stored and enforces complex password protocol with minimum characteristics (or complexity such as minimum length, required number of character sets) to prevent unauthorized access. For additional peace of mind, some password authentication techniques lockdown after 10-incorrect password attempts and render the encrypted data unreadable (basically erased), and feature a read-only access mode to avoid malware attacks on unknown systems. This ensures that anyone who finds such a USB drive or attempts to hack an Encrypted USB drive equipped with such technology cannot access the information. Some USB drives have increased security with digitally signed firmware that cannot be altered and a physical layer of protection. In choosing what type of encryption to use, your first choice should always be hardware-based, AES-256 bit XTS.

This article originally appeared in the March 2021 issue of Security Today.

Featured

  • Maximizing Your Security Budget This Year

    7 Ways You Can Secure a High-Traffic Commercial Security Gate  

    Your commercial security gate is one of your most powerful tools to keep thieves off your property. Without a security gate, your commercial perimeter security plan is all for nothing. Read Now

  • Making Safety and Security Intrinsic to School Design

    Public anxieties about school safety are escalating across the country. According to a 2023 Gallup report, 44% of parents fear for their child’s physical safety at school, a 10 percentage-point increase since 2019. Unfortunately, these fears are likely to increase if the incidence of school tragedies continues to mount. As a result, school leaders are now charged with two non-negotiable responsibilities. The first, as always, is to ensure kids have what they need to learn, grow, and thrive. Sadly, their second responsibility is to keep the children in their care safe from threats and physical danger. Read Now

  • The Power of a Layered Approach to Safety

    In a perfect world, every school would have an unlimited budget to help secure their schools. In reality, schools must prioritize what budget they have while navigating the complexities surrounding school security and lockdown. Read Now

  • How a Security System Can Enhance Arena Safety and the Fan Experience

    Ensuring guests have both a memorable experience and a safe one is no small feat for your physical security team. Stadiums, ballparks, arenas, and other large event venues are increasingly leveraging new technologies to transform the fan experience and maintain a high level of security. The goal is to preserve the integrity and excitement of the event while enhancing security and remaining “behind the scenes.” Read Now

Featured Cybersecurity

Webinars

New Products

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3