It seems we’ve become somewhat immune to the shock of data breach headlines. Now, instead of the news of the latest large data breach, we’re awed by the sizeable fines levied against these corporate targets of cybercrime: British Airways fined $228M and Marriott ordered to pay $128M, both under GDPR, the European Union data privacy regulation that went into effect in May 2018. And lest we forget Equifax and its $600M settlement. While the financial impact of these breaches is staggering, the indirect damage done to brand reputation, revenue and customer trust far outweighs the fines and settlements.
And now these data privacy regulations are no longer exclusively in the realm of the EU. While California made headlines with the passing of its California Consumer Privacy Act (CCPA) and Assembly Bill 1130, all 50 states now have breach notification laws. The Office of the Attorney General for California even publishes a list of breaches and associated costs, a sort of reverse honor roll (https://oag.ca.gov/privacy/privacy-enforcement-actions). The truth is, no enterprise, large or small, is immune to the threat, or to the disclosure and fines associated with data loss.
But there is a bright spot here. Sitting within the text of Assembly Bill 1130 is an old friend, a best friend really to those in the data security business: Encryption. Breach notification and fines are only mandatory if “unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” It further stipulates that notification is mandatory even for encrypted data if “the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person…”
The important takeaways here are (1) the absolute criticality of encrypting customer data, which is certainly a best practice, and (2) the equally critical measure of protecting the associated encryption keys. This means that if my company is breached, the data stolen is encrypted, and the attacker does not have access to unprotected encryption keys, then my company is not legally obligated to notify. Stolen encrypted data, without access to the encryption keys, is rendered useless, even in the hands of the bad guys!
Now, more than ever, it is critical to understand the scope of the legislation, what data is protected under the law, and what businesses can do to help mitigate the direct and indirect impact of a breach. A comprehensive cyber security technical plan, with procedural controls that fully encrypt all data and fully protect the encryption keys, is an imperative for all businesses, in all 50 states and around the world.
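The two takeaways above, encrypt the data and keep the keys where a database breach cannot reach them, are usually implemented together as envelope encryption: each record is encrypted under its own data encryption key (DEK), and the DEK is stored next to the record only in wrapped form, encrypted under a key encryption key (KEK) that lives somewhere else. The Go program below is an added example written for this post, not code from the original article or from any vendor it mentions. It uses AES-256-GCM from the Go standard library, and the names Envelope, EncryptRecord and DecryptRecord are this example’s own. For illustration the KEK is generated in memory; a real deployment would hold it in an HSM or a cloud KMS and never let it sit beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what the application database stores for one record: the record
// sealed under a per-record DEK, plus that DEK sealed under the KEK. The KEK
// itself is never stored here, so a copy of the database alone is unreadable.
type Envelope struct {
	WrappedDEK []byte // DEK encrypted under the KEK, GCM nonce prepended
	Ciphertext []byte // record encrypted under the DEK, GCM nonce prepended
}

// newKey returns a fresh 256-bit AES key from the OS CSPRNG.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// seal encrypts and authenticates plaintext with AES-256-GCM under key and
// returns nonce || ciphertext || tag.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal. A wrong key or a single tampered byte fails the GCM tag
// check, so the caller gets an error rather than garbage.
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, fmt.Errorf("blob too short to contain a nonce")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// EncryptRecord generates a DEK for this record, seals the record under it,
// then wraps the DEK under the KEK. Only the envelope is written to storage.
func EncryptRecord(kek, record []byte) (Envelope, error) {
	dek, err := newKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, record)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord must unwrap the DEK with the KEK before the record can be
// read; without the KEK the envelope is just authenticated random-looking bytes.
func DecryptRecord(kek []byte, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext)
}

func main() {
	kek, _ := newKey()                                          // in production: HSM/KMS-held
	record := []byte("name=J. Doe;ssn=000-00-0000;card=4111-xxxx") // constructed sample PII
	env, err := EncryptRecord(kek, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %d bytes ciphertext, %d bytes wrapped DEK\n", len(env.Ciphertext), len(env.WrappedDEK))
	// Scenario 1: the database leaks but the KEK does not (no readable data).
	leakedOnly, _ := newKey()
	_, err = DecryptRecord(leakedOnly, env)
	fmt.Println("without the KEK:", err)
	// Scenario 2: the KEK is acquired as well, which is the second clause of AB 1130.
	pt, _ := DecryptRecord(kek, env)
	fmt.Printf("with the KEK: %s\n", pt)
}
```

The two scenarios in main map directly onto the statute’s two conditions: a stolen envelope without the KEK yields only an authentication error, while possession of the KEK makes the record readable again, which is exactly why the key material needs stronger protection and tighter access control than the data store that holds the envelopes.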
A summary of the specific data protected under the laws includes:
Social Security Number
Driver’s License, Tax Identification Number, Passport Number, Military Identification Number
Account or Credit Card Number with associated code
Health Insurance Information
Biometric data: fingerprint, retina, iris, picture with associated facial recognition data
Username/email with associated password