On June 28, 2018, California Governor Jerry Brown signed into law Assembly Bill No. 375, the California Consumer Privacy Act (CCPA).[1] The CCPA grants the state's roughly 40 million residents a set of rights comparable to those the General Data Protection Regulation (GDPR) gives individuals in the EU. The two laws are not that similar in detail (GDPR is an omnibus law, while the CCPA is narrower in scope), but they share the same general features.
Since the CCPA was enacted it has seen two significant amendment efforts. The first occurred on August 24, 2018, with Senate Bill 1121,[2] which made 45 largely non-substantive amendments, mostly correcting technical and drafting errors. The second came on February 25, 2019, when Senate Bill 561,[3] sponsored by California's Attorney General, was announced to further clarify and strengthen the act.
The bulk of the bill has to do specifically with consumer privacy protection. For a more comprehensive review, read How to Prepare for the California Consumer Privacy Act.
Part of the CCPA addresses data security specifically, and Thales provides many of the solutions you will need to comply with this part of the Act.
[1] https://www.caprivacy.org/about
[2] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB1121
[3] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200SB561
1798.150. (a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action….[4]
[4] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB1121
Beyond encryption and redaction, the CCPA does not at this point prescribe specific controls that covered businesses must implement to protect consumer data from theft; the statute requires only "reasonable security procedures and practices appropriate to the nature of the information." This is true of most comparable regulations: rather than codifying particular technologies, they rely on evolving best practices to keep pace with the changing threat environment. One practical caveat follows from the wording of 1798.150: the carve-out for encrypted or redacted data only helps if the data is actually unreadable to the attacker. Data encrypted at rest with keys stored on the same compromised host, or reachable through the same stolen credentials, offers little real protection, so key custody and access control matter as much as the choice of cipher. Thales is a leader in digital security, and, having helped hundreds of enterprises comply with regulatory regimes around the world, we recommend the key data protection technologies called for in virtually every set of regulations.
These include:
Thales Vormetric Data Security Manager enables the organization to limit user access privileges to information systems that contain sensitive information.
SafeNet Trusted Access is a cloud-based access management service that combines the convenience of cloud and web single sign-on (SSO) with granular access security. By validating identities, enforcing access policies and applying Smart Single Sign-On, organizations can ensure secure, convenient access to numerous cloud applications from one easy-to-navigate console.
Adding Thales's SafeNet certificate-based authentication (CBA) smart card solution as an integral part of the IT infrastructure significantly improves client logon security by requiring multi-factor authentication. Adding multiple factors secures login to workstations and enterprise networks, eliminates complex and costly passwords and significantly reduces help desk calls. The smart card also enables easy and reliable visual identification of the card holder and reinforces corporate identity. Furthermore, the certificate-based solution is fully integrated into a Windows environment when using applications from Microsoft.
With SafeNet Authentication and Access Management solutions, you can leverage a unified authentication infrastructure for both on-premises and cloud-based services, providing a centralized, comprehensive way to manage all access policies. Users can log into enterprise cloud services such as Office 365, Salesforce.com or Google Apps through your existing SafeNet authentication mechanisms.
Thales Vormetric Transparent Encryption solution protects data with file and volume level data-at-rest encryption, access controls, and data access audit logging without re-engineering applications, databases or infrastructure. Deployment of the transparent file encryption software is simple, scalable and fast, with agents installed above the file system on servers or virtual machines to enforce data security and compliance policies. Policy and encryption key management are provided by the Vormetric Data Security Manager.
Vormetric Vaultless Tokenization with Dynamic Data Masking dramatically reduces the cost and effort required to comply with security policies and regulatory mandates, such as CCPA. The solution delivers capabilities for database tokenization and dynamic display security. Enterprises can efficiently address their objectives for securing and pseudonymizing sensitive assets—whether they reside in data center, big data, container or cloud environments.
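To make the two ideas in the preceding paragraph concrete, here is an added example (written for this page; it is not Thales code and does not reproduce the Vormetric algorithm) of vaultless tokenization combined with dynamic data masking. "Vaultless" means the token is derived from the value under a key rather than stored in a lookup table, so the same key recovers the original without a token vault. The block uses a toy Feistel network over decimal digits with HMAC-SHA256 as the round function, which is format-preserving (same length, digits only) and reversible but is not NIST FF1 and is not suitable for production; the demo key, the role names and the sample card number are all constructed for the example.

```python
import hmac
import hashlib

# Constructed demo key for the example only; a real deployment fetches the key
# from a key manager or HSM rather than embedding it in source.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
ROUNDS = 10  # even, so both halves end the cipher at their original lengths


def _round_function(key: bytes, tweak: bytes, rnd: int, half: str) -> int:
    """Keyed PRF for one Feistel round: HMAC-SHA256 over tweak, round index and the other half."""
    mac = hmac.new(key, tweak + bytes([rnd]) + half.encode("ascii"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big")


def _split(digits: str):
    half = len(digits) // 2
    return digits[:half], digits[half:]


def tokenize(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Reversible, format-preserving token: same length, digits only, no token vault.

    The tweak (e.g. the field name) domain-separates tokens so the same value
    tokenized in two different columns does not yield the same token.
    """
    if len(digits) < 2 or any(c not in "0123456789" for c in digits):
        raise ValueError("expected a string of at least two ASCII decimal digits")
    a, b = _split(digits)
    for rnd in range(ROUNDS):
        m = len(a)
        c = (int(a) + _round_function(key, tweak, rnd, b)) % 10 ** m
        a, b = b, str(c).zfill(m)  # swap halves; lengths alternate when n is odd
    return a + b


def detokenize(key: bytes, token: str, tweak: bytes = b"") -> str:
    """Inverse of tokenize(): undo the rounds in reverse order with the same key and tweak."""
    a, b = _split(token)
    for rnd in reversed(range(ROUNDS)):
        m = len(b)
        prev_a = (int(b) - _round_function(key, tweak, rnd, a)) % 10 ** m
        a, b = str(prev_a).zfill(m), a
    return a + b


def mask_for_display(value: str, role: str) -> str:
    """Dynamic data masking: the same stored value renders differently per viewer role."""
    if role == "fraud-analyst":
        return value                                 # privileged role sees the clear value
    if role == "support":
        return "*" * (len(value) - 4) + value[-4:]   # last four digits only
    return "*" * len(value)                          # every other role sees nothing


def read_card_number(key: bytes, token: str, role: str) -> str:
    """What the application returns to a user: detokenize, then apply the role's mask."""
    return mask_for_display(detokenize(key, token, b"card_number"), role)


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed sample card number, not real account data
    tok = tokenize(DEMO_KEY, pan, b"card_number")
    print("stored token :", tok)
    print("analyst view :", read_card_number(DEMO_KEY, tok, "fraud-analyst"))
    print("support view :", read_card_number(DEMO_KEY, tok, "support"))
    print("other view   :", read_card_number(DEMO_KEY, tok, "marketing"))
```

The design point worth noticing is that the database only ever holds the token; the clear value exists transiently in the application, and what each user sees is decided by the masking policy at display time, not by which copy of the data they can query. The weak link is therefore the key and the code path that calls detokenize(), which is exactly where access control and audit logging belong.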
Vormetric Application Encryption delivers key management, signing, and encryption services enabling comprehensive protection of files, database fields, big data selections, or data in platform-as-a-service (PaaS) environments. The solution is FIPS 140-2 Level-1 certified, based on the PKCS#11 standard and fully documented with a range of practical, use-case based extensions to the standard. Vormetric Application Encryption eliminates the time, complexity, and risk of developing and implementing an in-house encryption and key management solution, with development options including a comprehensive, traditional software development kit for a wide range of languages and operating systems as well as a collection of RESTful APIs for the broadest platform support.
A powerful safeguard for data in motion, SafeNet High-Speed Encryptors deliver certified, high-assurance encryption for data crossing the network. They meet real-time performance demands with low latency and near-zero overhead, providing security for data on the move without compromising network throughput.
Thales Vormetric Enterprise Key Management unifies and centralizes encryption key management on premises and provides secure key management for data storage solutions. Cloud Key Management products include the CipherTrust Cloud Key Manager, for centralized multi-cloud key life cycle visibility and management with FIPS 140-2 secure key storage, and Cloud Bring Your Own Key.
The Vormetric Platform’s Security Intelligence Logs let your organization identify unauthorized access attempts and build baselines of authorized user access patterns. Vormetric Security Intelligence integrates with leading security information and event management (SIEM) systems that make this information actionable. The solution allows immediate automated escalation and response to unauthorized access attempts. It also provides all the data needed to specify behavioral patterns required to identify suspicious use by authorized users, as well as for training.
Thales Hardware Security Modules provide the highest level of key protection by always storing cryptographic keys in hardware. Thales HSMs provide a secure crypto foundation because the keys never leave the intrusion-resistant, tamper-evident, FIPS-validated appliance: all cryptographic operations occur within the HSM, and strong access controls prevent unauthorized users from invoking them or accessing sensitive cryptographic material. In addition, Thales implements operations that make the deployment of secure HSMs as easy as possible, and our HSMs are integrated with SafeNet Crypto Command Center for quick and easy crypto resource partitioning, reporting and monitoring.
The award winning Thales Data Protection On Demand solution is a cloud-based platform providing a wide range of cloud HSM and key management services through a simple online marketplace. These include HSM on Demand and Key Management on Demand.
Perhaps the most comprehensive data privacy standard to date, GDPR affects any organisation that processes the personal data of EU citizens - regardless of where the organisation is headquartered.
Any organisation that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.
Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbour” clause.