The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information of California residents. Given the size of the Californian economy and the global distribution network that stems from it, there are key measure that businesses need to have in place top avoid the risk of receiving a heavy fine. In essence, all companies that serve California residents and have at least $25 million in annual revenue must comply with the law.
In terms of the types of data covered under the regulation, this includes direct identifiers of people, including a person’s real name, alias, postal address, social security numbers, driver’s license, passport information and signature. The measures also extend to indirect identifiers. These include cookies, beacons, pixel tags, telephone numbers, IP addresses, and account names.
While the Act was passed and came in force in January 2020, the Act grants the California Attorney General the authority to enforce the CCPA starting on July 1, 2020. This means businesses need to have all of their systems and standards, metrics and policies in place in order to avoid falling foul of the law.
According to Cindy Provin, General Manager of nCipher Security and SVP of Entrust Datacard an important measure is with establishing roots of trust throughout the enterprise ahead of the July 1 implementation.
Provin tells Digital Journal: “Encryption protects sensitive information including financial data, government IDs and Social Security numbers by making it unreadable, but if you fail to protect the encryption keys it’s like locking your front door and leaving the keys under the mat.” She added, “So, while it is very likely that more organizations will invest in encryption solutions to meet CCPA requirements, they cannot forget to also invest in solutions that also protect and manage their encryption keys and credentials.”
This means business investment in encryption and key management solutions is about more than simply meeting compliance requirements.
In relation to this, Provin recommends: “When businesses employ encryption and key management, they are better positioned to win and keep customers everywhere.”
She adds that: “A robust root of trust must be established to ensure that the keys and credentials that underpin the security of the encryption solutions deployed are always protected. Hardware security modules can enable that, acting as the root of trust to store and manage encryption keys and credentials.”
