In October of 2019 I blogged about the California Consumer Privacy Act (CCPA) and its impacts on businesses. I knew that a lot of businesses were aware of the CCPA coming into effect on January 1, 2020, but I thought that there was a lot of misinformation and confusion about the CCPA. In that blog I laid out a number of facts about CCPA and some suggestions on actions you can take. I also noted that the law was very likely to get an update by the end of the year. You can find that original blog here:
Well, that update to CCPA and related notification laws has happened. Several new laws were enacted in December 2019 that clarify and modify the CCPA. While the broad requirements of CCPA remain intact, there were some changes that bear noting.
One important change relates to encryption key management and breach notification. Let’s do a deeper dive.
First, it is important to note the role that encryption of sensitive information plays in CCPA. Among other things, the CCPA dramatically empowers consumers to recover damages after a data breach of unencrypted data, and limits the ability of businesses to inhibit that recovery. Here are a few aspects of CCPA law:
- Businesses are not allowed to limit the ability of consumers to seek recovery. The widely used practice of liability limitation, arbitration clauses, and so forth are prohibited.
- The California Department of Justice can levy steep fines on businesses that suffer a data breach and who have not adequately protected sensitive data.
- Consumers are empowered to bring class action lawsuits around a data breach to recover damages. This kind of litigation is specifically enabled by the CCPA and should scare covered businesses.
- However, class action lawsuits are only allowed with the loss of unencrypted sensitive data. Encryption is your friend!
So, what is different with the new laws?
AB1130 is one of those recent bills that modifies the CCPA notification requirements. It retains the litigation protections provided by encryption, but further clarifies that encryption keys must be properly protected. Here is what AB1130 says about breach notification (extracted and highlight added):
SECTION 1. Section 1798.29 of the Civil Code is amended to read:
1798.29. (a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
The full text of AB1130 is here:
Security professionals know that encryption is only as good as the protection you provide to the encryption key. The CCPA notification rules now embed that understanding right in the law. And you must understand what this means in terms of your litigation protections.
Let’s take one example:
Microsoft SQL Server is a widely used database for business information. SQL Server implements Transparent Data Encryption (TDE) to protect all data in the database. And it gives you two options for storing encryption keys:
- Local storage of the key on the same server as the database.
- Remote storage of the key by integrating with a professional key management system.
A lot of Microsoft SQL Server customers store the key locally on the same server as the database. Why? Well, it is easy and free.
Here is the problem:
It is trivially easy for a cybercriminal to recover a locally stored encryption key if they have access to the server or a backup of the server. In fact, there are ready made programs that will just recover the key for the hacker and unlock the encrypted data, in just a few seconds. This is a prime example of where poor encryption key management will damage your ability to limit notification and liability under CCPA. Don’t expect to argue that the key was properly protected. Every security professional knows how poorly protected a locally stored key is.
Is there a way to mitigate this poor encryption key strategy?
Microsoft SQL server also supports remote encryption key management systems through a special interface known as Extensible Key Management, or EKM. You don’t have to store the key locally - you can easily plug in a key management system and protect the encryption key properly as the CCPA recommends. Problem solved, from a CCPA perspective. Our own Alliance Key Manager supports remote key management through the EKM interface.
Here are a few takeaways:
- Under the CCPA, encryption is a critical part of your compliance strategy, and your strategy to limit liability after a data breach. It is hard to overstate the importance of encryption.
- When you do encryption, you have to manage the keys properly. Use a professional key management system like our affordable Alliance Key Manager to accomplish this. Alliance Key Manager is NIST FIPS 140-2 compliant which is the gold standard for key management certification.
- If you are currently storing the key locally, it is easy to move to a proper key management system. It usually just takes a few minutes.
- There is no such thing as a good, secure method to store keys locally with your data. Just don’t do it.
- Key management systems are now affordable and easy to deploy. We can prove it!
The California Consumer Privacy Act and subsequent laws change everything in terms of how we process and protect sensitive data. Encrypting that sensitive data, and protecting the encryption key, is not hard and is within reach of every business.
Talk to us. We’ll show you how fast and easy it is to meet this part of the new CCPA and notification regulations.
P.S. I don’t mean to pick on Microsoft SQL Server here. The same issue applies to almost every commercial and open source relational and NoSQL database!