Well, that did not take long.
34 days after the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, a lawsuit was filed against retailer Hanna Andersson and cloud service provider Salesforce for a data breach where sensitive information was not properly protected. Information about approximately 10,000 California customers were exposed on the dark web. The information apparently included customer names, addresses, credit card numbers, CVV codes, and card expiration dates. Everything a cybercriminal needs to execute financial fraud. What a haul!
The fine under the CCPA can be up to $750 per record, making the liability cost in this case about $7.5 million - and that is only a part of the picture. Litigation costs will be large and there may be fines from the California Department of Justice and from other governmental entities. Hanna Andersson is a relatively small retailer with approximately 60 stores, 400 employees and annual revenue around $140M. Losses of this size are painful.
Here is a good article about the data breach, and it has a link to the actual lawsuit:
Let me share a few thoughts with you.
First, let’s not forget that the villains in this case are the cybercriminals who perpetrated this crime against Hanna Andersson and Salesforce, and ultimately against the individuals who will experience identity theft and financial fraud. Could Hanna Andersson and Salesforce have done more to prevent this data breach? Certainly yes. But in the early years of my IT career I worked for companies like Hanna Andersson. I worked with wonderful, amazing, dedicated IT professionals and my sympathies are with them, too. Salesforce has been a moral leader in an industry that has seemed at times to lack a moral compass and I admire the values that Marc Benioff and his company have promoted over these last few years.
But this lawsuit is a harbinger of things to come. Ignoring the new landscape of regulatory compliance is dangerous.
Here are some takeaways that I hope will be helpful:
- We are all moving our IT infrastructure to the cloud. The financial and operational benefits are overwhelming and this migration to the cloud will not change. However, we have not properly accepted responsibility for the security of our applications and data in the cloud. Our cloud service provider, whomever it is, will not protect us. Own and embrace your security posture now, no one else will do it for you.
- The California Consumer Privacy Act puts the onus on businesses to protect consumer sensitive data. This may not be fair, but it is now a fact of life and other states will certainly follow California’s lead. The CCPA mandates that businesses protect consumer information with encryption if they want to avoid these types of lawsuits. That’s where we are, and that is what you need to do.
- We have fully arrived in the land of Zero Trust. All of your systems in the cloud and on-premise are at risk. If you haven’t done an inventory of your systems with sensitive data, this is the first thing to do. Knowing where sensitive data resides provides you with a map to address adding the protections that are needed.
- Prioritize the systems based on risk. Which systems have the most sensitive data? Which are more exposed to a data breach? Which databases will be the easiest to mitigate? The prioritized list does not have to be perfect, but you need one as soon as possible.
- Get started with your encryption projects. Some databases make this easy to do. If you have Microsoft SQL Server, MongoDB, or MySQL, you have a clear and fast path to add encryption through native database support. If you have databases or storage that do not support native encryption, consider migrating them to VMware vSAN encrypted storage for these applications.
- On your way to encrypting your sensitive data, don’t forget about encryption key management. One of the changes that came with CCPA is the requirement to store encryption keys away from the sensitive data. Most databases give you the option of storing the encryption key on the same server as the data. Don’t do this, you will lose all of the protections you need under CCPA.
Here at Townsend Security we help organizations large and small achieve the highest level of data protection. It won’t cost you an arm and a leg, either. The days of overpriced encryption and key management solutions are over. Talk to us about our Alliance Key Manager solution for protecting your data.