Businesses can avoid fines if customer data is encrypted or redacted
Encryption provides the best defense against any fines that might be levied for violations or data breaches under CCPA, according to ESG and Fortanix.
What can you do?
The report also revealed that CCPA applies data breach sanctions only if companies fail to protect personal data with encryption or redaction. If personal information is protected with appropriate data security measures, it cannot be used by unauthorized parties, so consumers are left unharmed.
Encrypted data that is stolen remains unintelligible, protecting the identity and personal information of its owner and mitigating risk for the business.
“Encryption is a security strategy that will protect sensitive data such as the personal information covered by CCPA,” wrote Christophe Bertrand, ESG senior analyst.
“It protects an organization from scenarios like a devastating breach where hackers gain access to systems containing personal data. It is important to implement encryption throughout the data lifecycle, including while data is at rest in a storage layer, while it is in transit over networks, and while it is in use by applications in the memory of the operating system.”
“Also, consider that personal customer data should be encrypted whether it exists in public cloud storage, in software-as-a-service (SaaS) applications such as CRM, or throughout your supply chain, in addition to your internal data center systems,” Bertrand continued in the report.
“Organizations need to implement advanced data classification, data anonymization, data masking, encryption, security, and access controls in order to set themselves up for successful compliance. ESG believes that many organizations are only ready on the surface – with marketing opt-in/out processes, for example.”
Protecting customer data privacy a strategic imperative for businesses
The CCPA is landmark consumer privacy legislation. Often compared to GDPR, CCPA protects consumers from mismanagement of their personal data and gives them control over what data is collected, processed, shared, or sold by companies doing business in California. This act is the strongest privacy legislation enacted in any state, giving more power to consumers with regards to their private data.
With many experts predicting that other states will pass similar legislation in the coming years, companies across the US that take proactive steps today to better protect consumer data will be best equipped for future regulations.
“With the increase in regulatory penalties and devastating data breaches we have seen, protecting the privacy of customer data is a strategic imperative for business,” said Ambuj Kumar, CEO of Fortanix.
“The most reliable and efficient method of both protecting customer data and avoiding regulatory penalties is to encrypt all customer data throughout its lifecycle while at rest, in motion, and while in use by applications.”