Banner Image

California Consumer Privacy Act (CCPA) Compliance

CCPA compliance requirements and solutions

Are you ready for CCPA Compliance?

TestOn June 28, 2018 governor of California Jerry Brown signed into law Assembly Bill No. 375, the California Consumer Privacy Act (CCPA)1. The CCPA Act, grants to the state’s over 40 million people a range of rights comparable to the rights given to European citizens with the General Data Protection Regulation (GDPR) (the two legislations are not that similar, but they do share some general features, GDPR is an omnibus law, while CCPA is more limited).

Since CCPA became a law, it has had two major updates. The first update occurred on the August 24, 2018, with Senate Bill 11212, which introduced 45, largely non-substantive in nature, amendments (mostly addressed technical errors), and the second occurred on February 25, when California’s Attorney General introduced Senate Bill 5613 to further clarify and strengthen the act.

The bulk of the bill has to do specifically with consumer privacy protection. For a more comprehensive review, read How to Prepare for the California Consumer Privacy Act.

Part of the CCPA addresses data security specifically, and Thales provides many of the solutions you will need to comply with this part of the Act.

1   https://www.caprivacy.org/about

2   https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB1121

3   https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200SB561

  • Regulation
  • Compliance

The following text is excerpted directly from the CCPA:

1798.150. (a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action….4

4   https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB1121

CCPA compliance summary

Beyond encryption and redaction, the CCPA does not specifically prescribe what organizations subject to the CCPA must do to protect consumer data from theft. This, however, is true of most regulations like CCPA. Instead, they rely on “best practices” to keep pace with the ever-changing digital security environment. Thales is a leader in digital security, and, having helped hundreds of enterprises comply with regulatory regimes around the world, we recommend key data protection technologies called for in virtually every set of regulations.

These include:

  • Sensitive data discovery and classification
  • Data access control
  • Encryption and tokenization (pseudonymization) of data at rest
  • Encryption of data in motion
  • Encryption key management
  • Keeping and monitoring user access logs
  • The use of hardware security modules for executing encryption processes and protecting encryption keys

Data Discovery and Classification

The first step in protecting sensitive data is finding the data wherever it is in the organization, classifying it as sensitive, and typing it (e.g. PII, financial, IP, HHI, customer-confidential, etc.) so you can apply the most appropriate data protection techniques. It is also important to monitor and assess data regularly to ensure new data isn’t overlooked and your organization does not fall out of compliance.

Thales’ CipherTrust Data Discovery and Classification efficiently identifies structured as well as unstructured sensitive data on-premises and in the cloud. Supporting both agentless and agent-based deployment models, the solution provides built-in templates that enable rapid identification of regulated data, highlight security risks, and help you uncover compliance gaps. A streamlined workflow exposes security blind spots and reduces remediation time. Detailed reporting supports compliance programs and facilitates executive communication.

Strong access management and authentication

Thales Access Management and Authentication solutions provide both the security mechanisms and reporting capabilities organizations need to comply with data security regulations. Our solutions protect sensitive data by enforcing the appropriate access controls when users log into applications that store sensitive data. By supporting a broad range of authentication methods and policy driven role-based access, our solutions help enterprises mitigate the risk of data breach due to compromised or stolen credentials or through insider credential abuse.

Support for smart single sign on and step-up authentication allows organizations to optimize convenience for end users, ensuring they only need to authenticate when needed. Extensive reporting allows businesses to produce a detailed audit trail of all access and authentication events, ensuring they can prove compliance with a broad range of regulations.

Protection of sensitive data at rest

The CipherTrust Data Security Platform is an integrated suite of data-centric security products and solutions that unify data discovery, protection, and control in one platform.

  • Discover: An organization must be able to discover data wherever it resides and classify it. This data can be in many forms: files, databases, and big data, and it can rest across storage on premises, in clouds, and across back-ups. Data security and compliance starts with finding exposed sensitive data before hackers and auditors. The CipherTrust Data Security Platform enables organizations to get complete visibility into sensitive data on-premises and in the cloud with efficient data discovery, classification, and risk analysis.
  • Protect: Once an organization knows where its sensitive data is, protective measures such as encryption or tokenization can be applied. For encryption and tokenization to successfully secure sensitive data, the cryptographic keys themselves must be secured, managed and controlled by the organization. The CipherTrust Data Security Platform provides comprehensive data security capabilities, including file-level encryption with access controls, application-layer encryption, database encryption, static data masking, vaultless tokenization with policy-based dynamic data masking, and vaulted tokenization to support a wide range of data protection use cases.
  • Control: The organization needs to control access to its data and centralize key management. Every data security regulation and mandate requires organizations to be able to monitor, detect, control, and report on authorized and unauthorized access to data and encryption keys. The CipherTrust Data Security Platform delivers robust enterprise key management across multiple cloud service providers (CSP) and hybrid cloud environments to centrally manage encryption keys and configure security policies so organizations can control and protect sensitive data in the cloud, on-premise and across hybrid environments.
  • Monitor: Finally, the enterprise needs to monitor access to sensitive data to identify ongoing or recent attacks from malicious insiders, privileged users, APTs, and other cyberthreats. CipherTrust Security Intelligence logs and reports streamline compliance reporting and speedup threat detection using leading Security Information and Event Management (SIEM) systems. The solution allows immediate automated escalation and response to unauthorized access attempts and provides all the data needed to build behavioral patterns required to identify suspicious usage by authorized users.

Protection of sensitive data in motion

Thales High Speed Encryptors (HSEs) provide network independent data-in-motion encryption (Layers 2,3 and 4) ensuring data is secure as it moves from site-to-site, or from on-premises to the cloud and back. Our HSE solutions allow customers to better protect data, video, voice, and metadata from eavesdropping, surveillance, and overt and covert interception—all at an affordable cost and without performance compromise.

Protection of cryptographic keys

Luna HSMs from Thales provide a hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption, and more. Available in three FIPS 140-2 certified form factors, Luna HSMs support a variety of deployment scenarios.

In addition, Luna HSMs:

  • Generate and protect root and certificate authority (CA) keys, providing support for PKIs across a variety of use cases
  • Sign your application code so you can ensure that your software remains secure, unaltered, and authentic
  • Create digital certificates for credentialing and authenticating proprietary electronic devices for IoT applications and other network deployments

Related Resources

Secure your digital assets, comply with regulatory and industry standards, and protect your organization’s reputation. Learn how Thales can help.

Thales CipherTrust Data Discovery and Classification

Thales CipherTrust Data Discovery and Classification - Product Brief

The crucial first step in privacy and data protection regulatory compliance is to understand what constitutes sensitive data, where it is stored, and how it is used. If you don't know what sensitive data you have, where it is, and why you have it, you cannot apply effective...

SafeNet Trusted Access Brings Security to Authentication and Access - Product Review

SafeNet Trusted Access Brings Security to Authentication and Access - Product Review

Product review of SafeNet Trusted Access. Explore the options of authentication security that STA offers, to bridge the MFA, SSO and access management worlds in a single, well-integrated package. Discover how your business can bring security to access management.

Thales OneWelcome Authenticators Portfolio - Brochure

Thales OneWelcome Authenticators Portfolio - Brochure

Offering the broadest range of multi-factor authentication methods and form factors, Thales facilitates and empowers enterprise-wide security initiatives for maintaining and improving secure access to enterprise resources.Thales’s OneWelcome authenticators include hardware and...

Data Security Compliance and Regulations - eBook

Data Security Compliance and Regulations - eBook

This ebook shows how Thales data security solutions enable you to meet global compliance and data privacy requirements including - GDPR, Schrems II, PCI-DSS and data breach notification laws.

CipherTrust Transparent Encryption - White Paper

CipherTrust Transparent Encryption - White Paper

Enterprise digital transformation and increasingly sophisticated IT security threats have resulted in a progressively more dangerous environment for enterprises with sensitive data, even as compliance and regulatory requirements for sensitive data protection rise. With attacks...

CipherTrust Transparent Encryption - Product Brief

CipherTrust Transparent Encryption - Product Brief

Safeguarding sensitive data requires much more than just securing a data center’s on-premises databases and files. The typical enterprise today uses three or more IaaS or PaaS providers, along with fifty or more SaaS applications, big data environments, container technologies,...

The Key Pillars for Protecting Sensitive Data in Any Organization - White Paper

The Key Pillars for Protecting Sensitive Data in Any Organization - White Paper

Traditionally organizations have focused IT security primarily on perimeter defense, building walls to block external threats from entering the network. However, with today’s proliferation of data, evolving global and regional privacy regulations, growth of cloud adoption, and...

The Enterprise Encryption Blueprint - White Paper

The Enterprise Encryption Blueprint - White Paper

You’ve been tasked with setting and implementing an enterprise wide encryption strategy, one that will be used to guide and align each Line of Business, Application Owner, Database Administrator and Developer toward achieving the goals and security requirements that you define...

Luna Network HSM

Luna Network Hardware Security Module - Product Brief

Secure your sensitive data and critical applications by storing, protecting and managing your cryptographic keys in Thales Luna Network Hardware Security Modules (HSMs) - high-assurance, tamper-resistant, network-attached appliances offering market-leading performance and...

Unshare and Secure Sensitive Data - Encrypt Everything - eBook

Unshare and Secure Sensitive Data - Encrypt Everything - eBook

Business critical data is flowing everywhere. The boundaries are long gone. As an enterprise-wide data security expert, you are being asked to protect your organization’s valuable assets by setting and implementing an enterprise-wide encryption strategy. IT security teams are...

High Speed Encryption Solutions - Solution Brief

High Speed Encryption Solutions - Solution Brief

Networks are under constant attack and sensitive assets continue to be exposed. More than ever, leveraging encryption is a vital mandate for addressing threats to data as it crosses networks. Thales High Speed Encryption solutions provide customers with a single platform to ...

Other key data protection and security regulations

GDPR

Regulation
Active Now

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of EU citizens - regardless of where the organization is headquartered.

PCI DSS

Mandate
Active Now

Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws

Regulation
Active Now

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.

Related Solutions