Passing Prop 24

Businesses now have to listen to consumers on how they want their PII used

By a margin of 56.2% to 43.8%, residents of the state of California this past election passed Proposition 24, which further strengthens the California Consumer Privacy Act (CCPA), a significant data-privacy law the state’s Legislature passed in 2018 and that took effect Jan. 1, 2020.

Supporters of Prop. 24 posited the CCPA privacy law, even though it had just gone into effect earlier in the year, wasn’t strong enough. Updates in Prop. 24, they said, would create, among other things, a system to enforce CCPA and triple fines on companies that violated under-aged children’s privacy.

Furthermore, leaders of the proposition said consumers would have more control over specific personal data, prevent their precise location from being tracked, and increase the ability to sue companies when their email and passwords are stolen or hacked. They added that when the residents of California passed this proposition, they made it harder for lobbyists to change the privacy laws in the Legislature.

Basically, Prop. 24 changed California’s data-privacy law in these five meaningful ways:

  • Businesses now have to listen to consumers on how they want their personally identifiable information (PII) used
  • Permits consumers to correct inaccurate personal information
  • Businesses can only hold onto consumers’ PII data for as long as it is necessary
  • Companies can be fined up to $7,500 for violating children’s privacy rights by the government
  • A new state agency is created to enforce, investigate and assess penalties related to privacy laws

It also is important to remember that in addition to the CCPA and Prop. 24, many companies in the United States and worldwide are also affected by the European Union’s (EU) very similar General Data Protection Regulation (GDPR) that took effect in 2018.

So, even if you don’t own a business in California or have customers based there, but you collect California consumers’ personal data, or you don’t fall under GDPR regulations, why do you care about all of this? The answer is twofold: 1) consumers (read: private citizens) and government bodies worldwide are taking data privacy very seriously, and 2) it stands to reason that other states and countries around the world will follow suit and impose their own data privacy regulations.

Hopefully, all of this is just another reminder to you that data breaches are serious issues for any company that holds consumer PII (Personally Identifiable Information) as well as any other sensitive information, including your own day-to-day information vital to your operations.

Secure, protected data saves you potentially millions of dollars in fines or lawsuits as well as public and/or industry embarrassment or scorn. Protecting personal private information also shows you are a good citizen, and that can become a competitive advantage and enhance your company’s reputation.

All of the above leads us to two basic questions: what is considered PII, and what is the best way to protect it?

The original CCPA defined personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with a particular consumer or household. As examples, it listed the following: a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver license number, passport number, or other similar identifiers.

But that’s not all. An additional stipulation of California’s privacy laws lists a variety of other identifiers including name, signature, physical characteristics or description, telephone number, passport number, state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information or health insurance information.

It did, however, exempt two areas: personal health information and financial information. Regarding personal health information, CCPA defers to the Health Insurance Portability and Accountability Act (HIPAA). According to the National Law Review, information gathered by financial institutions must follow the California Financial Information Privacy Act, Fair Credit Reporting Act or the Gramm-Leach-Bliley Act, depending on the situation.

It did not, however, consider publicly available information as personal.

In securing PII data, it is necessary to consider both data at rest (data permanently stored) and data in transit (data downloaded to a mobile device such as a USB drive for use at another location).

In either case, the easiest, most effective means to secure such data is the use of encryption. Encryption converts input information into blocks of basically unreadable or undecipherable data. (Encrypted information is referred to as ciphertext, and non-encrypted information as plaintext.) Encryption technology can be either hardware- or software-based. And, yes, there is a difference between the two, with hardware encryption being preferred.

Software encryption uses any of a variety of software programs to encrypt the data. As the data is being written or read, the programs, using the system’s or device’s CPU, encrypt or decrypt it as applicable. While software encryption is cost effective, it is only as secure as the system it is used on. If the code or password is cracked by being sniffed in the system’s memory, encrypted data becomes an open book. Also, since the processor does the encryption and decryption, the entire system slows down, often to a crawl, when the encryption process is taking place.

A hardware-centric/software-free encryption approach to data security is the best defense against data loss, as it eliminates the most commonly used attack routes. This software-free method can also provide comprehensive compatibility with most OS or embedded equipment. Since the CPU is not involved in the process, the system does not slow down. Hence, it is much faster and more secure than software-based encryption (e.g. Microsoft BitLocker). In addition, encryption can never be turned off in hardware-encrypted USB drives, whereas it can be removed on software-encrypted USB drives; this is the biggest weakness of using software encryption.

Such devices meet stringent industry security standards and offer the ultimate security in data protection to manage situations confidently and reduce risks. They are self-contained and do not require a software element on the host device. With no software component to attack, the possibility of brute-force, sniffing and memory-hash attacks is eliminated.

The best hardware-based encrypted devices use AES 256-bit encryption in XTS mode (the top of the line in encryption). It protects 100% of the data stored and enforces a complex password protocol with minimum complexity requirements (such as a minimum length and a required number of character sets) to prevent unauthorized access. For additional peace of mind, some password authentication techniques lock down after 10 incorrect password attempts and render the encrypted data unreadable (basically erased), and feature a read-only access mode to avoid malware attacks on unknown systems. This ensures that anyone who finds such a USB drive or attempts to hack an encrypted USB drive equipped with such technology cannot access the information. Some USB drives have increased security with digitally signed firmware that cannot be altered and a physical layer of protection. In choosing what type of encryption to use, your first choice should always be hardware-based AES-256 XTS.
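To make the unlock behaviour described above concrete, here is an added example (not from the article or any vendor) that models a drive's password policy, its attempt counter that crypto-erases the data key after 10 failures, and its read-only unlock mode. The thresholds (8 characters, 3 of 4 character classes) and the PBKDF2/XOR key-wrapping scheme are assumptions chosen for illustration; the article specifies none of them.

```python
# Added example: a model of hardware-encrypted-drive unlock logic.
# Policy values below are assumptions; the article gives only the 10-attempt limit.
import hashlib, hmac, secrets, string

MIN_LENGTH, MIN_CLASSES, MAX_ATTEMPTS = 8, 3, 10

def password_ok(pw: str) -> bool:
    """Minimum length plus a required number of character sets."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    used = sum(any(c in cls for c in pw) for cls in classes)
    return len(pw) >= MIN_LENGTH and used >= MIN_CLASSES

class EncryptedDrive:
    """Data is encrypted under a random data-encryption key (DEK). The DEK is
    stored only XOR-wrapped with a password-derived key (assumed scheme), so
    destroying the wrapped copy makes the stored ciphertext unrecoverable."""
    def __init__(self, password: str):
        if not password_ok(password):
            raise ValueError("password does not meet complexity policy")
        self.salt = secrets.token_bytes(16)
        kek = self._derive(password)
        self.wrapped_dek = bytes(a ^ b for a, b in zip(secrets.token_bytes(32), kek))
        # Verifier lets the device check a password without unwrapping the DEK.
        self.verifier = hmac.new(kek, b"verify", "sha256").digest()
        self.failures, self.unlocked_dek, self.read_only = 0, None, False

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def unlock(self, password: str, read_only: bool = False) -> bool:
        if self.wrapped_dek is None:            # already crypto-erased
            return False
        kek = self._derive(password)
        tag = hmac.new(kek, b"verify", "sha256").digest()
        if not hmac.compare_digest(tag, self.verifier):
            self.failures += 1
            if self.failures >= MAX_ATTEMPTS:   # 10th failure: destroy the key
                self.wrapped_dek = self.verifier = self.unlocked_dek = None
            return False
        self.failures, self.read_only = 0, read_only
        self.unlocked_dek = bytes(a ^ b for a, b in zip(self.wrapped_dek, kek))
        return True

    def can_write(self) -> bool:
        """Writes are refused when locked or when opened read-only."""
        return self.unlocked_dek is not None and not self.read_only

    def is_wiped(self) -> bool:
        return self.wrapped_dek is None
```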

This article originally appeared in the March 2021 issue of Security Today.
