In October of 2019 I blogged about the California Consumer Privacy Act (CCPA) and its impacts on businesses. I knew that a lot of businesses were aware of the CCPA coming into effect on January 1, 2020, but I thought that there was a lot of misinformation and confusion about the CCPA. In that blog I laid out a number of facts about CCPA and some suggestions on actions you can take. I also noted that the law was very likely to get an update by the end of the year. You can find that original blog here:
California Consumer Privacy Act (CCPA) - Things You Need To Know
One important change relates to encryption key management and breach notification. Let’s do a deeper dive.
First, it is important to note the role that encryption of sensitive information plays in CCPA. Among other things, the CCPA dramatically empowers consumers to recover damages after a data breach of unencrypted data, and limits the ability of businesses to inhibit that recovery. Here are a few aspects of CCPA law:
So, what is different with the new laws?
AB1130 is one of those recent bills that modifies the CCPA notification requirements. It retains the litigation protections provided by encryption, but further clarifies that encryption keys must be properly protected. Here is what AB1130 says about breach notification (extracted and highlight added):
SECTION 1. Section 1798.29 of the Civil Code is amended to read:
1798.29. (a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
The full text of AB1130 is here:
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200AB1130
Security professionals know that encryption is only as good as the protection you provide to the encryption key. The CCPA notification rules now embed that understanding right in the law. And you must understand what this means in terms of your litigation protections.
Let’s take one example:
Microsoft SQL Server is a widely used database for business information. SQL Server implements Transparent Data Encryption (TDE) to protect all data in the database. And it gives you two options for storing encryption keys:
A lot of Microsoft SQL Server customers store the key locally on the same server as the database. Why? Well, it is easy and free.
Here is the problem:
It is trivially easy for a cybercriminal to recover a locally stored encryption key if they have access to the server or a backup of the server. In fact, there are ready made programs that will just recover the key for the hacker and unlock the encrypted data, in just a few seconds. This is a prime example of where poor encryption key management will damage your ability to limit notification and liability under CCPA. Don’t expect to argue that the key was properly protected. Every security professional knows how poorly protected a locally stored key is.
Is there a way to mitigate this poor encryption key strategy?
Yes.
Microsoft SQL server also supports remote encryption key management systems through a special interface known as Extensible Key Management, or EKM. You don’t have to store the key locally - you can easily plug in a key management system and protect the encryption key properly as the CCPA recommends. Problem solved, from a CCPA perspective. Our own Alliance Key Manager supports remote key management through the EKM interface.
Here are a few takeaways:
The California Consumer Privacy Act and subsequent laws change everything in terms of how we process and protect sensitive data. Encrypting that sensitive data, and protecting the encryption key, is not hard and is within reach of every business.
Talk to us. We’ll show you how fast and easy it is to meet this part of the new CCPA and notification regulations.
Patrick
P.S. I don’t mean to pick on Microsoft SQL Server here. The same issue applies to almost every commercial and open source relational and NoSQL database!