California’s Consumer Privacy Act Affects How Companies Will Store Data Nationwide -- Security Today

California’s Consumer Privacy Act Affects How Companies Will Store Data Nationwide

CCPA (officially called AB-375) incorporates some of the elements of GDPR and takes a broader view of private data and protecting PII. The storage, transportation, and management of sensitive consumer and company information have become critical issues for companies of all sizes to lock down and secure.

By Richard Kanadjian
Feb 24, 2020

Privacy laws are expanding in the U.S. and abroad. With the enactment of HIPAA, CCPA and GDPR, data breaches have serious liabilities for any company that holds sensitive consumer information including Personally Identifiable Information (PII) of consumers and or any other confidential information. California’s Consumer Privacy Act (CCPA) came into effect on January 1, 2020, and affects not only companies in California, but also companies nationwide doing business in California. The European Union’s GDPR regulation is already in effect, where non-complying organizations can be fined up to 4 percent of annual global turnover or €20 million (about $20+ million USD), whichever is greater. Additionally, under GDPR, companies can be fined 2 percent for not having their records in order, not conducting an impact assessment, or not notifying the supervising authority and the people affected by a breach.

How Does the California Consumer Privacy Act (CCPA) Affect Businesses?

Put simply, AB-375 levies specific penalties when there is “unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.” While CCPA is meant to enhance privacy rights and consumer protection for the residents of California in the United States, as with many laws enacted in the state, it will impact most businesses across the country and the rest of the world. Any company that has customers who are based in California could be affected by this new law. CCPA can apply to businesses even if they do not have offices or employees in California. The criteria to determine if this law will affect your business are (any one of the three make the law applicable to your business):

Do you have gross revenue of over $25 million, or
Do you possess the personal information of 50,000 or more consumers, households or devices, or
Do you earn more than half your annual revenue from selling consumers’ personal information?

If the new CCPA applies to your company, the intentions of the law are to provide California residents (defined broadly enough to cover consumers, employees, business contacts and others) with the ability to know what personal data is collected about them (and have access to this information); how that data is used, sold or disclosed; ability to say no to the sale of personal data; request their data to be deleted; and more. They also have the right not to be discriminated against for exercising their right to privacy, e.g., for opting out of having their data used by the business in order to use a benefit provided by the business. Companies that do not comply with CCPA are subject to both civil class action lawsuits in the state of California and can be assessed with damages of $100 to $750 per California resident and incident, or actual damages, whichever is greater. Companies are also subject to fines from the state as the California Attorney General can sue them for non-compliance. Key to CCPA is the underlying assumption that companies protect the consumer or other Personally Identifiable Information against unauthorized disclosures.

BYOD: Bring Your Own Device

Companies are very focused on protecting data, especially PII behind the company firewall. The problem with this is that employees can take data they need and store it on unsecured devices so that they can take it home or elsewhere to work – outside the company firewall.

Many companies do not restrict employees bringing their own storage devices, such as USB drives, to take copies of data incorporating PII that should be protected – this is called Bring Your Own Device.

BYOD is a crucial threat to even the most robust cybersecurity plan that any business can put in place. The tremendous portability and exceptional convenience of USB drives have been proven to increase productivity for millions of companies. However, since most of these drives are unencrypted, they pose a significant security risk to the user when storing anything more valuable than public data.

The extreme portability of USB drives means they are very susceptible to being lost, accessed, or misappropriated. When that happens, there is a reasonably good chance that data stored on the device will end up in the wrong hands, risking the user’s or company’s privacy and security. This is not just a worst-case scenario – many USB drives have been lost and found, often with unprotected confidential information on them; when these drives are found and exposed, a breach occurs and a company can be exposed to legal and other consequences.

The safest, most reliable means to store and transfer personal, classified, sensitive data is to have a company policy of standardizing the use of hardware-based encrypted USB drives. Cybersecurity experts agree that the use of an encrypted USB flash drive is most effective for keeping confidential information what it was intended to be – confidential.

How Does a Company Effectively Manage Removable Storage Devices?

The secure management, transfer, or distribution of non-Cloud storage of private/personal data should always be front and center whether you are a financial services firm or a manufacturing company. A company should standardize their best practices for what’s known as data “at-rest” or “in-transit.” While the most common storage medium is the use of inexpensive USB drives, the best practice is to standardize on hardware-based encrypted USB drives which protect the data “at rest” as well as “in transit” – the data is always password or PIN protected. This practice will provide efficiency and security to mobile data for anyone.

Even accessing Cloud storage can be risky – while you access the internet at a coffee shop, someone else may be spying on your system. If you carry your data on a hardware-encrypted drive, you can work on your data and keep your internet turned off while in an untrusted open Wi-Fi area.

From a cost perspective, hardware-based encrypted USBs are not much more expensive than non-encrypted devices – and they are like insurance against the unthinkable – the loss and breach of private data that could be exposed otherwise. There is a range of easy-to-use, cost-effective, encrypted USB flash-drive solutions to choose from that can go a long way toward mitigating your privacy and security risks, and, quite possibly, save you money and stress.

An example of a cost-effective and easy to use encrypted USB drive is Kingston’s DataTraveler® Vault Privacy 3.0 USB Flash drive that provides affordable business-grade security. This encrypted solution features military-grade 256-bit AES hardware-based encryption in XTS mode. It protects 100-percent of data stored and enforces complex password protocol with minimum characteristics to prevent unauthorized access. For additional peace of mind, the drive locks down after 10-incorrect password attempts. It also features a read-only access mode to avoid potential malware risks.

Companies can take it a step further should they deploy encrypted USB drives in the field as a matter of practice. Some drives can be managed via software that is on-premises or Cloud-based where an IT architect can white list access to the drive, disable it if it’s lost, enforce password characteristics and much more.

Consumer privacy and data security are concerns for businesses of all sizes and identifying cost-effective ways to mitigate the risk is paramount in 2020 and beyond. Customer information and other sensitive data need to be stored on encrypted USB drives whenever you need to take the data with you to mitigate any risk of a data breach, data loss, and liability.

Security Trends Reshaping Enterprise Resilience Into 2027
05/05/2025
ZBeta Strengthens Its Advisory Bench with New Appointment
05/05/2025
Amerant Bank Selects Omnilert AI Technology for Enhanced Video Surveillance Security
05/02/2025
Minnesota County Is Still Reaping Huge Benefits from ASAP Service
05/01/2025
Winsted Unveils Pinnacle Collection with Sliding Worksurface
04/30/2025
Everon Awarded Sourcewell Cooperative Purchasing Contract
04/30/2025
Honeywell Signs Global Distribution Agreement With Milestone Systems
04/28/2025
DSI Security Services Announces Leadership Reorganization and Strategic Growth Initiatives
04/21/2025

Featured

Body-Worn Cameras on the Rise

On the evening of Oct. 29, 2024, the owner of 300 Guard based in Houston, was shot while on duty at a convenience store. He returned fire. He was wearing a plated vest and thankfully recovered in the hospital. Read Now
- Government
Fast-Forward from 1,000 B.C.E. to Today

The lock and key have been around since time immemorial. In fact, the locksmith profession is one of the oldest in the world when you consider the earliest wooden tumbler lock debuted three-plus millennia ago. Read Now
- Access Control
Brazil Port Enhances Surveillance and Supports Wildlife Conservation with Sustainable Technology

Ferroport, which operates the iron ore terminal at the Port of Açu in São João da Barra, Rio de Janeiro, Brazil, has deployed state-of-the-art video surveillance cameras from Axis Communications to enhance nighttime security and visibility, while decreasing environmental impact and prioritizing sustainability. With cutting-edge technology, the port now has precise surveillance cameras that capture high-quality nighttime images, while reducing the amount of artificial lighting that negatively impacts the surrounding ecosystem. Read Now
- Government
Verizon’s 2025 Data Breach Investigations Report Notes Alarming Cyberattack Surge Through Third Parties

Verizon Business recently released its 2025 Data Breach Investigations Report (DBIR), which reveals a significant increase in cyberattacks. The report found that third-party involvement in breaches has doubled to 30%, and exploitation of vulnerabilities has surged by 34%, creating a concerning threat landscape for businesses globally. Read Now
- Cybersecurity
Net2 Access Control Increases Reliability at Residential Complex

Encore Atlantic Shores is a residential complex of 240 luxurious townhomes for ages 55 and over in Eastport, New York. Completed in 2011, the site boasts an 11,800 square foot clubhouse, with amenities such as a fitness center, heated indoor pool, whirlpool spa, multi-purpose ballroom, cardroom and clubroom with billiards, tennis courts and an outdoor putting green. Read Now
- Access Control

Security Today eNews

Sign up today for essential industry news and product information that can help you stay afloat in the fast-paced world of security.

Email Address*Country*

Please type the letters/numbers you see above.

Webinars

Whitepapers

New Products

Hanwha QNO-7012R

The Q Series cameras are equipped with an Open Platform chipset for easy and seamless integration with third-party systems and solutions, and analog video output (CVBS) support for easy camera positioning during installation. A suite of on-board intelligent video analytics covers tampering, directional/virtual line detection, defocus detection, enter/exit, and motion detection.
FEP GameChanger

Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction.
4K Video Decoder

3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises.