The California Consumer Privacy Act (CCPA) went into effect at the turn of the year, but July 1 is when it truly arrives. That date marks the end of the six-month grace period, after which the California Attorney General can begin enforcing the law, although some are calling for an extension due to COVID-19.
But whether enforcement comes sooner or later, for organizations found to be out of compliance with CCPA, things could get dicey – and pricey.
Those found in violation of CCPA stand to incur a $7,500 fine for each intentional violation. Non-intentional violations are less onerous, but still costly, at $2,500 each. But it’s the potential civil litigation that will really make an impact. CCPA gives consumers a private right of action when their nonencrypted and nonredacted personal information is exposed in a breach caused by a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident (or actual damages, whichever is greater). Multiplied across a large customer base, that adds up quickly.
Organizations are, or should be, working to comply with CCPA – and protect their reputations and businesses. This requires a fair amount of time, effort and resources. But that’s the cost of business, customer trust, personal data privacy and, some say, democracy.
Why California implemented the CCPA
CCPA, which was signed into law in June 2018, came in the wake of the Facebook-Cambridge Analytica scandal. That involved the misuse of consumer data in an attempt to influence the 2016 U.S. presidential election.
This event and other high-profile data breaches put the spotlight on data privacy and security. Articles, podcasts, programs and speeches proclaimed the end of privacy and the end of trust. There was a widespread call for privacy protection regulation, and California responded with the CCPA.
CCPA provides California residents with the right to demand that companies disclose what personal data those organizations have collected about them. Californians also can exercise their CCPA rights by requesting that companies delete their personal data. Under CCPA, organizations that receive such requests must comply or incur penalties. People who live in California also can opt out of companies selling their personal data to third parties.
How encryption now figures
Late last year, California’s legislature passed Assembly Bill 1130, which amended the state’s data breach notification statute (the same statute that defines the "personal information" CCPA’s private right of action covers). Section 1798.29 of the Civil Code, as amended, applies to agencies and begins as follows; Section 1798.82 carries parallel language for businesses:
Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable.
What that means for organizations and compliance
That means businesses that use encryption to safeguard California residents’ data cannot rely solely on the fact that their data is unreadable to unauthorized entities. To stay out of the notification (and litigation) regime, they must also safeguard the associated encryption keys or security credentials, and they must be able to determine after a breach whether those keys were acquired. Encryption protects sensitive information including financial data, government IDs and Social Security numbers by making it unreadable, but if you fail to protect the encryption keys it’s like locking your front door and leaving the keys under the mat. In practice that means keys cannot live on the same host, in the same database or in the same backup as the data they protect: a database dump that also contains the keys is a breach of plaintext. So, while it is very likely that more organizations will invest in encryption solutions to meet CCPA requirements, they cannot forget to invest in solutions that protect and manage their encryption keys and credentials as well.
The implementation of CCPA also means consumers are becoming increasingly aware of data privacy and encryption. So, business investment in encryption and key management solutions is about more than simply meeting compliance requirements. It’s also about serving a community that wants to do business with organizations that take care in handling their personal data.
That community extends far beyond California. When businesses employ encryption and key management, they are better positioned to win and keep customers everywhere.
Deploying encryption and key management
Effective encryption strategies require strong key management practices, and best practice is to store those keys in a hardware security module (HSM). Traditionally, encryption and key management solutions have been deployed on-premises. In this approach, businesses purchase encryption and key management software and hardware and install it within their own IT infrastructure and data centers. As enterprise IT has adopted a cloud-first strategy, or an as-a-service model, encryption and key management solutions have also migrated to this approach. This option offers businesses the alternative to lease encryption and key management services rather than own the hardware.
Importance of a root of trust
Regardless of which model businesses choose to deploy their encryption and key management solutions, one thing is clear: a robust root of trust must be established to ensure that the keys and credentials that underpin the security of the encryption solutions deployed are always protected. Hardware security modules (HSMs) can enable that, acting as the root of trust to store and manage encryption keys and credentials.
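The key-separation point made above (keys protected apart from the data, with an HSM as the root of trust) is usually implemented as envelope encryption: each record is encrypted under its own data-encryption key (DEK), and the DEK is stored next to the record only in wrapped form, encrypted under a key-encryption key (KEK) that never leaves the HSM or KMS. The following Go program is an added example written for this page, not code from the article's author or from any HSM vendor. It assumes AES-256-GCM from the Go standard library, simulates the HSM-held KEK as an in-memory key (a real deployment would keep it non-exportable inside the HSM and call the HSM to wrap and unwrap), and uses a constructed record ID and sample personal data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is what the application's data store holds for one row: the
// personal data encrypted under a per-record DEK, plus that DEK wrapped
// under the KEK. A dump of Records alone is useless without the KEK,
// which is exactly the distinction the breach statute draws.
type Record struct {
	Nonce      []byte // AES-GCM nonce for the data ciphertext
	Ciphertext []byte // personal data encrypted under the DEK
	WrapNonce  []byte // AES-GCM nonce used when wrapping the DEK
	WrappedDEK []byte // DEK encrypted under the KEK
}

// newAEAD builds an AES-256-GCM cipher for a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce and binds aad
// (here: the record ID) so ciphertexts cannot be swapped between records.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// open decrypts and authenticates; any tampering or wrong key yields an error.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// GenerateKEK stands in for the HSM creating a non-exportable key.
// Assumption for this example: the KEK is 32 random bytes held by the "KMS";
// in production it is generated and used only inside the HSM.
func GenerateKEK() ([]byte, error) {
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return nil, err
	}
	return kek, nil
}

// Encrypt generates a fresh DEK for this record, encrypts the personal data
// under it, then wraps the DEK under the KEK. Only the wrapped DEK is stored.
func Encrypt(kek []byte, recordID string, personalData []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return Record{}, err
	}
	nonce, ct, err := seal(dek, personalData, []byte(recordID))
	if err != nil {
		return Record{}, err
	}
	wrapNonce, wrapped, err := seal(kek, dek, []byte(recordID))
	if err != nil {
		return Record{}, err
	}
	return Record{Nonce: nonce, Ciphertext: ct, WrapNonce: wrapNonce, WrappedDEK: wrapped}, nil
}

// Decrypt unwraps the DEK with the KEK (an HSM call in production) and then
// decrypts the data. Without the real KEK the first step fails.
func Decrypt(kek []byte, recordID string, r Record) ([]byte, error) {
	dek, err := open(kek, r.WrapNonce, r.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, errors.New("cannot unwrap DEK: wrong KEK or tampered record")
	}
	return open(dek, r.Nonce, r.Ciphertext, []byte(recordID))
}

func main() {
	kek, err := GenerateKEK()
	if err != nil {
		panic(err)
	}
	// Constructed sample: one customer record containing a government ID.
	rec, err := Encrypt(kek, "customer-42", []byte("Jane Doe, SSN 123-45-6789"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, "customer-42", rec)
	fmt.Printf("authorized application (holds KEK): %s, err=%v\n", pt, err)
	// An attacker who dumped the data store has the Record but not the KEK.
	attackerKey, _ := GenerateKEK()
	_, err = Decrypt(attackerKey, "customer-42", rec)
	fmt.Println("attacker with database dump only:", err)
}
```

The design choice worth noting is that compromise of the data store alone leaves every record unreadable, while compromise of the KEK exposes all of them at once; that is why the KEK belongs in an HSM with access logging, so that after a breach the organization can actually answer the statute's question of whether the key "was, or is reasonably believed to have been, acquired."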
Now, more than ever, it’s important that organizations think about protecting their data and that of their customers. Recently the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory with the UK’s National Cyber Security Centre (NCSC) warning that a growing number of cyber criminals and other malicious groups are exploiting the COVID-19 outbreak.
The good news is that the recent 2020 Global Encryption Trends Study shows that, for the first time, protecting customer personal information is the major driver behind data encryption. That means organizations really do care about protecting what matters most. There has been a massive shift brought about by new data privacy expectations and CCPA regulation. For consumers, encryption with properly protected keys safeguards our identities and our bank accounts; for organizations, it helps avoid financial penalties, declining business and loss of trust.