Avoiding Danger with Secure Data Storage
California’s Consumer Privacy Act is changing how businesses approach data security
- By Richard Kanadjian
- Apr 09, 2020
Privacy laws are expanding in the United States and abroad. With the enactment of HIPAA, CCPA and GDPR, data breaches carry serious liabilities for any company that holds sensitive consumer information, including Personally Identifiable Information (PII) of consumers and/or any other confidential information. California’s Consumer Privacy Act (CCPA) came into effect on Jan. 1, 2020, and affects not only companies in California, but also companies nationwide doing business in California.
The European Union’s GDPR regulation, which has been in effect since 2018, allows non-complying organizations to be fined up to 4 percent of annual global turnover, or about $20 million. Additionally, under GDPR, companies can be fined 2 percent for not having their records in order, not conducting an impact assessment or not notifying the supervising authority and the people affected by a breach.
CCPA (officially called AB-375) incorporates some of the elements of GDPR and takes a broader view of private data and protecting PII. The storage, transportation and management of sensitive consumer and company information have become critical issues for companies of all sizes to lock down and secure.
How Does the California Consumer Privacy Act (CCPA) Affect Businesses?
Put simply, AB-375 levies specific penalties when there is “unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.”
While CCPA is meant to enhance privacy rights and consumer protection for the residents of California, as with many laws enacted in the state, it will impact most businesses across the country and the rest of the world. Any company that has customers who are based in California could be affected by this new law.
CCPA can apply to businesses even if they do not have offices or employees in California. Any one of the following three criteria makes the law applicable to your business:
• Do you have gross revenue of more than $25 million?
• Do you possess the personal information of 50,000 or more consumers, households or devices?
• Do you earn more than half your annual revenue from selling consumers’ personal information?
If the new CCPA applies to your company, the law is intended to provide California residents (defined broadly enough to cover consumers, employees, business contacts and others) with the ability to know what personal data is collected about them (and to access this information) and how that data is used, sold or disclosed. In addition, consumers have the ability to say no to the sale of personal data and to request that their data be deleted.
They also have the right not to be discriminated against for exercising their right to privacy, for instance, for opting out of having their data used by the business as a condition of receiving a benefit the business provides.
Companies that do not comply with CCPA are subject to civil class action lawsuits in the state of California and can be assessed damages of $100 to $750 per California resident and incident, or actual damages, whichever is greater. Companies are also subject to fines from the state, as the California attorney general can sue them for non-compliance. Key to CCPA is the underlying assumption that companies protect consumer and other Personally Identifiable Information against unauthorized disclosure.
BYOD: Bring Your Own Device
Companies are focused on protecting data, especially PII, behind the company firewall. The problem with this is that employees can take data they need and store it on unsecured devices so that they can take it home or elsewhere to work – outside the company firewall. Many companies do not restrict employees from bringing their own storage devices, such as USB drives, to take copies of data incorporating PII that should be protected, a practice referred to as Bring Your Own Device (BYOD).
BYOD is a serious threat to even the most robust cybersecurity plan that any business can put in place. The tremendous portability and exceptional convenience of USB drives have proven to increase productivity for millions of companies. However, since most of these drives are unencrypted, they pose a significant security risk to the user when storing anything more valuable than public data.
The extreme portability of USB drives means they are very susceptible to being lost, accessed or misappropriated. When that happens, there is a reasonably good chance that data stored on the device will end up in the wrong hands, risking the user’s or company’s privacy and security. This is not just a worst-case scenario – many USB drives have been lost and found, often with unprotected confidential information on them. When these drives are found and their contents exposed, a breach occurs and a company can be exposed to legal and other consequences.
The safest, most reliable means to store and transfer personal, classified or sensitive data is to have a company policy of standardizing the use of hardware-based encrypted USB drives. Cybersecurity experts agree that the use of an encrypted USB flash drive is most effective for keeping confidential information what it was intended to be – confidential.
How Does a Company Effectively Manage Removable Storage Devices?
The secure management, transfer or distribution of non-cloud storage of private/personal data should always be front and center, whether you are a financial services firm or a manufacturing company. A company should standardize its best practices for what’s known as data “at rest” and data “in transit.”
While the most common storage medium is the inexpensive USB drive, the best practice is to standardize on hardware-based encrypted USB drives, which protect the data “at rest” as well as “in transit.” With these drives, the data is always password- or PIN-protected. This practice provides both efficiency and security for mobile data.
Even accessing cloud storage can be risky. While you access the Internet at a coffee shop, someone else may be spying on your system. If you carry your data on a hardware-encrypted drive, you can work on your data and keep your internet turned off while using open Wi-Fi services.
From a cost perspective, hardware-based encrypted USB drives are not much more expensive than non-encrypted devices – and they are like insurance against the unthinkable – the loss and breach of private data that could otherwise be exposed. There is a range of easy-to-use, cost-effective, encrypted USB flash-drive solutions to choose from that can go a long way toward mitigating your privacy and security risks, and, quite possibly, save you money and stress.
An example of a cost-effective and easy-to-use encrypted USB drive is Kingston’s DataTraveler Vault Privacy 3.0 USB flash drive, which provides affordable business-grade security. This encrypted solution features military-grade 256-bit AES hardware-based encryption in XTS mode. It protects 100 percent of the data stored and enforces a complex-password policy with minimum requirements to prevent unauthorized access. For additional peace of mind, the drive locks down after 10 incorrect password attempts. It also features a read-only access mode to avoid potential malware risks.
Companies can take it a step further when they deploy encrypted USB drives in the field as a matter of practice. Some drives can be managed via on-premises or cloud-based software, through which an IT architect can whitelist access to the drive, disable it if it’s lost, enforce password characteristics and much more.
Consumer privacy and data security are concerns for businesses of all sizes, and identifying cost-effective ways to mitigate the risk is paramount in 2020 and beyond. Customer information and other sensitive data need to be stored on encrypted USB drives whenever you need to take the data with you, to mitigate any risk of a data breach, data loss and liability.
This article originally appeared in the April 2020 issue of Security Today.