Passing Prop 24

Passing Prop 24

Businesses now have to listen to consumers on how they want their PII used

By a margin of 56.2% to 43.8%, residents of the state of California this past election passed Proposition 24 that further strengthens the California Consumer Privacy Act (CCPA), a significant dataprivacy law the state’s Legislature passed in 2018, and that took effect Jan. 1, 2020.

Supporters of Prop. 24 posited the CCPA privacy law, even though it had just gone into effect earlier in the year, wasn’t strong enough. Updates in Prop. 24, they said, would create, among other things, a system to enforce CCPA and triple fines on companies that violated under-aged children’s privacy.

Furthermore, leaders of the proposition said consumers would have more control over specific personal data, prevent their precise location from being tracked, and increase the ability to sue companies when their email and passwords are stolen or hacked. They added that when the residents of California passed this proposition, they made it harder for lobbyists to change the privacy laws in the Legislature.

Basically, Prop. 24 changed California’s data-privacy law in these five meaningful ways:

  • Businesses now have to listen to consumers on how they want their personally identifiable information (PII) used
  • Permits consumers to correct inaccurate personal information
  • Businesses can only hold onto consumers’ PII data for as long as it is necessary
  • Companies can be fined up to $7,500 for violating children’s privacy rights by the government
  • A new state agency is created to enforce, investigate and assess penalties related to privacy laws

It also is important to remember that in addition to the CCPA and Prop. 24, many companies in the United States and worldwide are also affected by the European Union’s (EU) very similar General Data Protection Regulation (GDPR) that took effect in 2018.

So, even if you don’t own a business in California or have customers based there, but you collect California consumers’ personal data, or you don’t fall under GDPR regulations, why do you care about all of this? The answer is twofold: 1) consumers (read: private citizens) and government bodies worldwide are taking data privacy very seriously, and 2) it stands to reason that other states and countries around the world will follow suit and impose their own data privacy regulations.

Hopefully, all of this is just another reminder to you that data breaches are serious issues for any company that holds consumer PII (Personally Identifiable Information) as well as any other sensitive information, including your own day-today information vital to your operations.

Secure, protected data saves you potentially millions of dollars in fines or lawsuits as well as public and/or industry embarrassment or scorn. Protecting personal private information also shows you are a good citizen, and that can become a competitive advantage and enhance your company’s reputation.

All of the above leads us to two basic questions: what is considered PII, and what is the best way to protect it?

The original CCPA defined personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with a particular consumer or household. As examples, it listed the following: a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver license number, passport number, or other similar identifiers.

But that’s not all. An additional stipulation of California’s privacy laws lists a variety of other identifiers including name, signature, physical characteristics or description, telephone number, passport number, state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information or health insurance information.

It did, however, exempt two areas: personal health information and financial information. Regarding personal health information, CCPA acquiesces to the Health Insurance Portability and Accountability Act (HIPAA). According to the National Law Review, information gathered by financial institutions must follow the California Financial Information Privacy Act, Fair Credit Reporting Act or the Gramm-Leach- Bliley Act depending on the situation.

It did not, however, consider publicly available information as personal.

In securing PII data, it is necessary to consider both at rest (data permanently stored) and in transit (data downloaded to a mobile device such as a USB drive for use at another location) situations.

In either case, the easiest, most effective means to secure such data is the use of encryption. Encryption converts inputted information into blocks of basically unreadable or undecipherable data. (Encrypted information is referred to as ciphertext, and non-encrypted as plain text.) Encryption technology can be either hardware or software-based. And, yes, there is a difference between the two, with hardware encryption being preferred.

Software encryption uses any of a variety of software programs to encrypt the data. As the data is being written or read, the programs, using the system’s or device’s CPU, encrypt or decrypt it as applicable. While software encryption is cost effective, it is only as secure as the system it is used on. If the code or password is cracked by being sniffed in the system’s memory, encrypted data becomes an open book. Also, since the processor does the encryption and decryption, the entire system slows down, often to a crawl, when the encryption process is taking place.

A hardware-centric/software-free encryption approach to data security is the best defense against data loss, as it eliminates the most commonly used attack routes. This software-free method can also provide comprehensive compatibility with most OS or embedded equipment. Since the CPU is not involved in the process, the system does not slow down. Hence, it is much faster and more secure than software-based encryption (e.g. Microsoft BitLocker). In addition, encryption can never be turned off in hardware-encrypted USB drives, whereas it can be removed on software-encrypted USB drives; this is the biggest weakness of using software encryption.

Such devices meet stringent industry security standards and offer the ultimate security in data protection to manage situations confidently and reduce risks. They are self-contained and do not require a software element on the host device. No software vulnerability eliminates the possibility of brute-force, sniffing and memory hash attacks.

The best hardware-based encrypted devices use AES 256-bit encryption in XTS mode (the top of the line in encryption). It protects 100% of data stored and enforces complex password protocol with minimum characteristics (or complexity such as minimum length, required number of character sets) to prevent unauthorized access. For additional peace of mind, some password authentication techniques lockdown after 10-incorrect password attempts and render the encrypted data unreadable (basically erased), and feature a read-only access mode to avoid malware attacks on unknown systems. This ensures that anyone who finds such a USB drive or attempts to hack an Encrypted USB drive equipped with such technology cannot access the information. Some USB drives have increased security with digitally signed firmware that cannot be altered and a physical layer of protection. In choosing what type of encryption to use, your first choice should always be hardware-based, AES-256 bit XTS.

This article originally appeared in the March 2021 issue of Security Today.


  • 12 Commercial Crime Sites to Do Your Research

    12 Commercial Crime Sites to Do Your Research

    Understanding crime statistics in your industry and area is crucial for making important decisions about your security budget. With so much information out there, how can you know which statistics to trust? Read Now

  • Cybersecurity Awareness Month: Top Five Action Items to Elevate Your Data Security Posture Management and Secure Your Data

    October is Cybersecurity Awareness Month, and every year most tips for security hygiene and staying safe have not changed. We’ve seen them all – use strong passwords, deploy multi-factor authentication (MFA), be vigilant to spot phishing attacks, regularly update software and patch your systems. These are great recommended ongoing tips and are as relevant today as they’ve ever been. But times have changed and these best practices can no longer be the bare minimum. Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity


New Products

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3

  • XS4 Original+

    XS4 Original+

    The SALTO XS4 Original+ design is based on the same proven housing and mechanical mechanisms of the XS4 Original. The XS4 Original+, however, is embedded with SALTO’s BLUEnet real-time functionality and SVN-Flex capability that enables SALTO stand-alone smart XS4 Original+ locks to update user credentials directly at the door. Compatible with the array of SALTO platform solutions including SALTO Space data-on-card, SALTO KS Keys as a Service cloud-based access solution, and SALTO’s JustIn Mobile technology for digital keys. The XS4 Original+ also includes RFID Mifare DESFire, Bluetooth LE and NFC technology functionality. 3