Guest Column: California’s Consumer Privacy Act (CCPA) to Change How Companies Store Data Nationwide

By Richard Kanadjian, Encrypted USB Technology and Business Manager of

Kingston Technology

Privacy laws are always changing and getting stricter rather than more lenient. As of January 1, 2020 California’s Consumer Privacy Act (CCPA) has joined other policies like General Data Protection Regulation (GDPR) and Health Insurance Portability and Accountability Act (HIPAA). With the enactment of these privacy laws, data breaches have more serious liabilities for any company that holds sensitive consumer information, including Personally Identifiable Information (PII) of consumers and or any other confidential information. These laws don’t only affect companies in California, but any company that does business in California.

The European Union’s GDPR regulation is currently in effect as well, and it allows non-complying organizations to be fined up to 4 percent of annual global turnover or €20 million (about $20+ million USD), whichever is greater. In addition, companies must always have their records in order, conduct impact assessments, and notify supervising authorities and people affected by breaches or else be fined 2 percent of their annual global turnover.

CCPA (officially called AB-375) incorporates some of the elements of GDPR and takes a broader view of private data and protecting PII. The intentions of the law are to provide California residents (defined broadly enough to cover consumers, employees, business contacts and others) with the ability to know what personal data is collected about them (and have access to this information); how that data is used, sold or disclosed; ability to say no to the sale of personal data; request their data to be deleted; and more. It is necessary for companies of all sizes to lock down the storage, transportation, and management of sensitive consumer and company information.

The California Consumer Privacy Act’s (CCPA) Effect on Businesses

While CCPA was originally created to enhance privacy rights and consumer protection for the residents of California, it will impact most businesses across the country and the rest of the world. According to AB-375, companies will be penalized when there is “unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.” The criteria to determine if this law will affect your business are (any one of the three make the law applicable to your business):

• Do you earn more than half your annual revenue from selling consumers’ personal information?
• Do you possess the personal information of 50,000 or more consumers, households or devices?
• Do you have gross revenue of over $25 million?

Companies that do not comply with CCPA are subject to both civil class action lawsuits in the state of California and can be assessed with damages of $100 to $750 per California resident and incident, or actual damages, whichever is greater. Companies are also subject to fines from the state as the California attorney general can sue them for non-compliance.

BYOD: Bring Your Own Device & Its Effect on Security

Even with companies adhering to the strictest security mandates and spending millions on cybersecurity, all it takes is one unsecured BYOD device to threaten the entire security system.

Many companies do not restrict employees from bringing their own storage devices, such as USB drives, to make copies of data incorporating PII that should be protected – this is called Bring Your Own Device. While USB drives are incredibly convenient and have been proven to increase productivity, they are also very susceptible to being lost, ending up in the wrong hands. What’s more is that most of these drives are unencrypted, making the data accessible to anyone that has access to the drive.

How Does a Company Effectively Manage Removable Storage Devices? 

The safest, most reliable means to store and transfer personal, classified and / or sensitive data is to have a company policy of standardizing the use of hardware-based encrypted USB drives. Cybersecurity experts agree that the use of an encrypted USB flash drive is most effective for keeping confidential information what it was intended to be – confidential.

From a cost perspective, hardware-based encrypted USBs are not much more expensive than non-encrypted devices – and they are like insurance against the unthinkable – the loss and breach of private data that could be exposed otherwise. There is a range of easy-to-use, cost-effective, encrypted USB flashdrive solutions to choose from that can go a long way toward mitigating your privacy and security risks and, quite possibly, save you money and stress.

An example of a cost-effective and easy to use encrypted USB drive is Kingston’s DataTraveler^® Vault Privacy 3.0, providing affordable business-grade security. This encrypted solution features military-grade 256-bit AES hardware-based encryption in XTS mode, it protects 100-percent of data stored, and enforces complex password protocol with minimum characteristics to prevent unauthorized access. It also features a read-only access mode to avoid potential malware risks. For additional peace of mind, the drive locks down after 10-incorrect password attempts.

To take things a step further, companies can deploy encrypted USB drives in the field as a matter of practice. Some drives can be managed via software that is on-premises or Cloud-based where an IT architect can white list access to the drive, disable it if it’s lost, enforce password characteristics and much more.

Consumer privacy and data security are concerns for businesses of all sizes, and identifying cost-effective ways to mitigate the risk is of the utmost importance in 2020 and beyond. Customer information and other sensitive data needs to be stored on encrypted USB drives to mitigate any risk of a data breach, data loss, and liability.

Learn more at kingston.com

###

About the Author

Richard Kanadjian is currently the Technology and Business Manager of Kingston Technology’s Encrypted USB unit. He joined Kingston in 1994 and has served the company in a variety of roles for both the Flash and DRAM divisions. Among his many positions, Mr. Kanadjian was a field applications engineer in the company’s strategic OEM division, where he helped build relationships with leading PC and chipset manufacturers. Prior to his current role, Mr. Kanadjian was part of the SSD product engineering department helping develop and support Kingston’s enterprise SSDs on both a technical and customer level.