California Consumer Privacy Act (CCPA) Compliance

The following text is excerpted directly from the CCPA:

1798.150. (a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action….⁴

⁴   https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB1121

CCPA Compliance Summary

Beyond encryption and redaction, the CCPA does not at this point specifically prescribe what organizations subject to the CCPA must do to protect consumer data from theft. However, this is true of most regulations like CCPA. Instead, they rely on “best practices” to keep pace with the ever-changing digital security environment. Thales is a leader in digital security, and, having helped hundreds of enterprises comply with regulatory regimes around the world, we recommend key data protection technologies called for in virtually every set of regulations.

These include:

• Data access control
• Encryption and tokenization (pseudonymization) of data at rest
• Encryption of data in motion
• Encryption key management
• Keeping and monitoring user access logs
• The use of hardware security modules for executing encryption processes and protecting encryption keys

Data Access Control

Thales Vormetric Data Security Manager enables the organization to limit user access privileges to information systems that contain sensitive Information.

SafeNet Trusted Access is a cloud-based access management service that combines the convenience of cloud and web single sign-on (SSO) with granular access security. By validating identities, enforcing access policies and applying Smart Single Sign-On, organizations can ensure secure, convenient access to numerous cloud applications from one easy-to-navigate console.

Adding Thales's SafeNet certificate-based authentication (CBA) smart card solution as an integral part of IT infrastructure, significantly improves client logon security by requiring multi-factor authentication. Adding multiple factors ensures secure login to workstations and enterprise networks, eliminates complex and costly passwords and significantly reduces help desk calls. And, the smart card enables easy and reliable visual identification of the card holder and strong communication around corporate identity. Furthermore, the certificate-based solution is fully integrated in a Windows environment when using applications from Microsoft.

With SafeNet Authentication and Access Management solutions, you can leverage a unified authentication infrastructure for both on-premise and cloud-based services—providing a centralized, comprehensive way to manage all access policies. Users can log into enterprise cloud services such as Office 365, Salesforce.com or GoogleApps through your existing SafeNet authentication mechanisms.

Encryption and Tokenization

Thales Vormetric Transparent Encryption solution protects data with file and volume level data-at-rest encryption, access controls, and data access audit logging without re-engineering applications, databases or infrastructure. Deployment of the transparent file encryption software is simple, scalable and fast, with agents installed above the file system on servers or virtual machines to enforce data security and compliance policies. Policy and encryption key management are provided by the Vormetric Data Security Manager.

Vormetric Vaultless Tokenization with Dynamic Data Masking dramatically reduces the cost and effort required to comply with security policies and regulatory mandates, such as CCPA. The solution delivers capabilities for database tokenization and dynamic display security. Enterprises can efficiently address their objectives for securing and pseudonymizing sensitive assets—whether they reside in data center, big data, container or cloud environments.

Vormetric Application Encryption delivers key management, signing, and encryption services enabling comprehensive protection of files, database fields, big data selections, or data in platform-as-a-service (PaaS) environments. The solution is FIPS 140-2 Level-1 certified, based on the PKCS#11 standard and fully documented with a range of practical, use-case based extensions to the standard. Vormetric Application Encryption eliminates the time, complexity, and risk of developing and implementing an in-house encryption and key management solution, with development options including a comprehensive, traditional software development kit for a wide range of languages and operating systems as well as a collection of RESTful APIs for the broadest platform support.

Encryption of Data in Motion

A powerful safeguard for data in motion, SafeNet High-Speed Encryptors deliver high-assurance certified data in motion encryption capabilities that meet secure network performance demands for real-time low latency and near zero overhead to provide security without compromise for data on the move across the network.

Encryption Key Management

Thales Vormetric Enterprise Key Management unifies and centralizes encryption key management on premises and provides secure key management for data storage solutions. Cloud Key Management products include the CipherTrust Cloud Key Manager for centralized multi-cloud key life cycle visibility and management with FIPS-140-2 secure key storage, and Cloud Bring Your Own Key.

User Access Logs

The Vormetric Platform’s Security Intelligence Logs let your organization identify unauthorized access attempts and build baselines of authorized user access patterns. Vormetric Security Intelligence integrates with leading security information and event management (SIEM) systems that make this information actionable. The solution allows immediate automated escalation and response to unauthorized access attempts. It also provides all the data needed to specify behavioral patterns required to identify suspicious use by authorized users, as well as for training.

Hardware Security Modules

Thales Hardware Security Modules provide the highest level of encryption security by always storing cryptographic keys in hardware. Thales HSMs provide a secure crypto foundation, because the keys never leave the intrusion-resistant, tamper-evident, FIPS-validated appliance. Strong access controls prevent unauthorized users from accessing sensitive cryptographic material, since all cryptographic operations occur within the HSM. In addition, Thales implements operations that make the deployment of secure HSMs as easy as possible, and our HSMs are integrated with SafeNet Crypto Command Center for quick and easy crypto resource partitioning, reporting and monitoring.

The award winning Thales Data Protection On Demand solution is a cloud-based platform providing a wide range of cloud HSM and key management services through a simple online marketplace. These include HSM on Demand and Key Management on Demand.