California Consumer Privacy Act Compliance (CCPA) and Data Security

Kim Chen Bock

California has the world’s 5th largest economy with an estimated $3.018 trillion gross state product as of 2018. Its 39.75 million residents present a very attractive market for many businesses, domestic and foreign. As of January 1, 2020, companies meeting certain criteria and transacting business with California residents will be required to demonstrate California Consumer Privacy Act (CCPA) compliance.

Which businesses must demonstrate CCPA compliance?

Businesses with annual gross revenue greater than $25 million; companies that receive, share or sell the personal information of more than 50,000 individuals; and businesses that earn 50 percent or more of annual revenue from selling consumers’ personal information are required to demonstrate CCPA compliance.

What rights does CCPA give California residents?

CCPA is designed to give consumers significant control over their personal information, which can include real name, alias, unique personal identifiers, account name, social security number, driver’s license, passport number, postal, email and IP address, biometric data, education, employment history and financial information. CCPA also considers family information, household purchases and location data to be personal information. In essence, the CCPA gives Californians the rights to:

1. Know what personal information is being collected about them and how it will be used.

2. Know whether their personal information is being sold or disclosed to other parties and know the identity of those parties.

3. Prohibit the sale of personal information to prevent businesses from selling this information to third parties.

4. Access their personal information, as well as request a business to remove the personal information that has been collected.

5. Receive equal service and prices, even if the individual exercises their privacy rights by refusing or limiting the use of personal information.

Businesses will be investing significant time in implementing appropriate policies, processes and procedures on their web and commerce sites to attain CCPA compliance.

How does CCPA differ from GDPR?

In brief, GDPR focuses on data breach notifications to individuals and regulators, data security methods and cross-border data transfers and provides substantial penalties for violations. CCPA focuses on the use of personal data a company collects and requires that companies provide an “opt-out” link on their web sites for the consumer to indicate they do not want their data sold or shared. Readers interested in a detailed comparison should review the Future of Privacy Forum’s Comparison Guide for an analysis of the differences between CCPA and GDPR. [1]

What are the penalties for failure to comply?

CCPA empowers consumers to initiate, either individually or as a class, legal actions when their personal information has been subject to unauthorized disclosure, access or theft. Businesses can be required to pay damages of between $100 and $750 per resident, per incident, and can be fined up to $7,500 for each intentional violation and $2,500 for each unintentional violation. There’s an important caveat, however. Fines cannot be levied if the data that has been disclosed, accessed or stolen is encrypted or redacted.

Encryption is the foundation for data protection

With that proviso, it’s clear that encryption provides the best defense against any fines that might be levied for violations of CCPA compliance. Encrypted data that is stolen remains unintelligible ciphertext, protecting the identity and personal information of its owner and mitigating risk for the business.

Hardware security module (HSM) technology has long provided the backbone for encryption in corporate data centers, but as businesses adopt cloud strategies—hybrid, public and multicloud—the shortcomings of HSMs become apparent. Protracted HSM procurement, installation and configuration prevent companies from moving at cloud speed when implementing encryption key management across widely distributed data resources hosted in the cloud.

Key management service (KMS) offers faster deployment, but it’s limited to encrypting data in a single cloud provider’s environment. With the majority of companies adopting a multicloud strategy, a better approach to encrypting data distributed across multiple cloud environments is HSM as a Service (HSMaaS).

HSM as a Service provides a higher level of data security

HSM as a Service, available from Equinix as SmartKey, can be deployed on-demand to address the need to securely and efficiently manage encryption keys that protect widely distributed data sources. SmartKey overcomes the limitations of the HSM and KMS approaches by:

  • Delivering a level of security equivalent to on-prem HSM devices, but with the ease of on-demand deployment.
  • Supporting encryption key management across AWS, Google, Azure, IBM, Oracle, Salesforce and other providers in private, hybrid and public cloud environments.
  • Quickly and easily scaling to meet local and global growth and increased processing demands.
  • Providing a single, centralized point of encryption key management regardless of which cloud provider or providers are hosting the data.

In comparison to HSM and KMS, SmartKey also provides a higher level of data security. It maintains encryption keys in a secure environment separate from the data they are encrypting. In the event of a data breach, personally identifiable information remains encrypted, unintelligible ciphertext to anyone without access to the encryption keys.

Securely share data with partners

CCPA compliance will also require businesses to assess the data security measures of partners with whom they share data. SmartKey facilitates secure, consumer-authorized sharing with partners. A business can continue to securely maintain consumers’ personal data in the cloud and enable partner access via the encryption keys managed by SmartKey. This approach reduces the risks inherent in duplicating data into a partner’s cloud environment or on-premises data repository and delegating all security responsibilities for that data to the partner.

Encryption strategy for CCPA compliance

Businesses are making significant investments in their IT environment to establish the policies, procedures and processes to comply with CCPA. All of these steps are important, but businesses should ensure they’ve addressed the most fundamental means of data security: encryption. A centralized approach to key management that supports hybrid and multicloud environments, maintains keys separately from the data they encrypt and can be deployed on-demand is critical in meeting the requirements of CCPA compliance.

Kim Chen Bock Product Marketing - Head of Emerging Services - Data, Security, Applications