The California Consumer Privacy Act and Encryption: Theory, Practice, Risk Assessment and Risk Mitigation

Author: Larry Marks, CISA, CRISC, CGEIT, C|CISO, CCSK, CFE, CISSP, CSTE, ITIL, PMP
Date Published: 8 April 2020

The California Consumer Privacy Act of 2018 (CCPA), a law of the US State of California, affects security professionals, auditors, managers and boards responsible for ensuring its effective implementation. The act, which governs the disclosure and sharing of California residents’ personal information, became effective 1 January 2020.1

Provisions of the CCPA

The CCPA requires that an enterprise’s privacy policy include the following four components:2

  1. Information about selling users’ information and how to opt out of that process
  2. Methods of verifying the identity of the person who requests access, change or erasure of data
  3. Methods for submitting such requests
  4. An explanation of to whom the law applies

The CCPA also restricts the sale of minors’ personal data: an enterprise must obtain opt-in consent before selling the personal information of a consumer it knows to be under 16 years of age. Consumers who are 13 to 16 years old can give that consent themselves; for children under 13, a parent or guardian must give prior consent.3 There are fines for violation of the CCPA.

Fines under the CCPA will cap at $7,500 per violation—and even that maximum penalty is reserved for only intentional violations of the CCPA; violations lacking intent will remain subject to the preset $2,500 maximum fine under Section 17206 of the California Business and Professions Code. Of course, cumulative fines for large and systemic abuses may add up to be costly, but they are unlikely to be bank-breaking. [It also allows] persons to bring lawsuits for the breach of their “nonencrypted or nonredacted personal information”—even in the absence of evidence of actual damage. The CCPA allows individuals to recover between $100 and $750 per such incident—or greater in the showing of actual damages exceeding $750. Businesses have greater incentive to deploy encryption where they have not done so already—even for data that organizations have not traditionally encrypted.4

Applicability

The CCPA applies to any organization, wherever in the world it is located, that meets both of the following conditions:

  • It collects personal data of California residents.
  • It (or its parent organization or a subsidiary) meets at least one of the following three thresholds:5
    • Has annual gross revenue exceeding US$25 million
    • Buys, receives, sells or shares the personal information of at least 50,000 California residents, households and/or devices per year
    • Derives at least 50 percent of its annual revenue from selling California residents’ personal information

GDPR Vs. CCPA Compliance

There is considerable overlap between the CCPA and the EU General Data Protection Regulation (GDPR), so an existing GDPR program is a good starting point, but it is not sufficient on its own. Under the CCPA, an enterprise must also meet the following requirements:6

  • Its home page must include a “Do Not Sell My Personal Information” link.
  • It must establish methods for users to request access to, change of and erasure of data.
  • It must establish a method for verifying the identity of the person making a data-related request.
  • It must establish a method for obtaining consent from minors before selling their personal data.

Definition of Personal Data

The CCPA defines personal data as any information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.7 Unlike other personal privacy laws, the CCPA includes household information in the definition of personal data.

Personal information includes but is not limited to name, email address, biometric data, IP address, Internet of Things (IoT) information, geolocation data, and professional or employment information. Publicly available information is not considered personal information under the CCPA.

Encryption Requirements

Of particular concern is the CCPA’s treatment of encryption. The act does not prescribe an algorithm or key length, but its private right of action covers breaches of “nonencrypted or nonredacted” personal information, so an enterprise must be able to demonstrate that it applies an appropriate level of encryption to mitigate the risk of a data breach. Of what relevance is this provision to enterprises that are not doing business in California? Comparable requirements are delineated in the Federal Information Security Management Act (FISMA), a US law passed in 2002 that requires federal agencies to develop, document and implement information security and protection programs.8 The corresponding controls are specified in Federal Information Processing Standards (FIPS) 199 and 200 and the US National Institute of Standards and Technology (NIST) Special Publication (SP) 800 series, notably SP 800-53.

Encryption: SSL and TLS Protocols
The Secure Sockets Layer (SSL) protocol, the original encryption protocol used with HTTPS, evolved through three versions (SSL 1.0, which was never publicly released, SSL 2.0 and SSL 3.0) and has been replaced by the Transport Layer Security (TLS) protocol; TLS 1.0 was a modest redesign of SSL 3.0. TLS currently has four versions: 1.0, 1.1, 1.2 and 1.3. All SSL versions and TLS 1.0 and 1.1 are deprecated and should be disabled; the Payment Card Industry Data Security Standard (PCI DSS), for example, no longer permits SSL or early TLS (TLS 1.0) for protecting cardholder data. (At this point, people are still more familiar with the name SSL, although TLS is what is actually deployed. In the meantime, “SSL/TLS” is a common compromise and is used here.) Despite its name, TLS is not itself the transport layer (Layer 4) of the Open Systems Interconnection (OSI) model: it runs above a reliable transport protocol, normally TCP, and below the application protocol, and is usually mapped to the session and presentation layers. The division of labor matters when reviewing an architecture. TCP provides reliability: it creates segments out of the message received from the application, reassembles them at the receiver, performs error control and acknowledges successful delivery before the next data are sent. TLS adds what TCP lacks, namely authentication of the server and confidentiality and integrity of the data in transit. Applications incorporate TLS as part of their architecture, alongside secure coding and other best practices, to produce a secure application.

However, “SSL/TLS by itself will not be the most secure protocol without using a level of IP security (IPsec) and key exchange.”9 Layering network-level and transport-level protection in this way is an instance of defense in depth. At its core, SSL/TLS is a secure key-exchange mechanism that provides privacy controls over communications with a website. To connect securely with a website, the two parties must agree on symmetric session keys that only they know. The server’s certificate supplies the public/private key pair that authenticates the server: in current practice (TLS 1.2 with ephemeral Diffie-Hellman cipher suites, and always in TLS 1.3) the server signs an ephemeral key exchange with the certificate’s private key and both sides derive the shared symmetric keys from that exchange, whereas in the older RSA key-transport suites the client encrypted the pre-master secret under the certificate’s public key. SSL/TLS (and the public key infrastructure [PKI] trust model that makes the certificate meaningful) is, in short, a mechanism for authenticating the server and creating and exchanging those session keys. TLS establishes an encrypted, bidirectional network tunnel that allows arbitrary data to travel between two hosts, which is why it is reused by so many application protocols, including HTTPS, secure File Transfer Protocol (FTPS) and secure email (SMTP and IMAP over TLS). Secure Shell (SSH), often mentioned alongside TLS, is a separate protocol with its own key exchange and does not use TLS. Figure 1 lists the differences between SSL and TLS.10

Mitigating Risk in the Implementation of SSL/TLS
Given the CCPA and other regulatory requirements to encrypt data, whether at rest or in transit (in motion), there are certain risk factors that must be assessed and mitigated. Encryption disguises the information itself by transforming it with a mathematical algorithm known as a cipher under a secret key; the protection is therefore only as good as the management of that key and the continued strength of the cipher and protocol versions in use. Figure 2 lists some of the risk factors that should be addressed.11
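The version negotiation and certificate-authenticated key exchange described in the preceding section, and the most common SSL/TLS risk factor met in practice (a server that still accepts deprecated protocol versions), can be exercised end to end with the following added example. It is not code from the article or from any of the sources it cites; it is a stand-alone Go program that generates a throwaway self-signed certificate for a hypothetical host (ccpa-demo.example), runs an in-memory TLS server whose policy is “TLS 1.2 or newer”, and connects two clients to it: one that can only speak TLS 1.0, which is refused at the ClientHello before any key exchange takes place, and one using the library’s current defaults, which verifies the certificate and negotiates TLS 1.3. The host name, the self-signed certificate and the in-memory pipe standing in for a network socket are assumptions made so that the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// host is the hypothetical server name on the throwaway certificate (an assumption of this example).
const host = "ccpa-demo.example"

// Outcome records what each client experienced against the hardened server.
type Outcome struct {
	LegacyRejected    bool   // TLS 1.0-only client refused by the "TLS 1.2 or newer" server
	LegacyError       string // handshake error the legacy client saw
	ModernVersion     string // version negotiated by a client using library defaults
	ModernCipherSuite string // cipher suite negotiated by that client
}

// selfSignedCert builds a throwaway ECDSA P-256 certificate for host so the example runs
// offline; the returned pool trusts exactly that certificate. Production uses CA-issued certs.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	var leaf *x509.Certificate
	if err == nil {
		leaf, err = x509.ParseCertificate(der)
	}
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// handshake runs one TLS handshake over an in-memory pipe and returns the client's view of it.
func handshake(serverCfg, clientCfg *tls.Config) (tls.ConnectionState, error) {
	cRaw, sRaw := net.Pipe()
	defer sRaw.Close()
	serverDone := make(chan error, 1)
	go func() { serverDone <- tls.Server(sRaw, serverCfg).Handshake() }()
	client := tls.Client(cRaw, clientCfg)
	err := client.Handshake()
	cRaw.Close() // also unblocks a server still writing to a client that has given up
	<-serverDone
	if err != nil {
		return tls.ConnectionState{}, err
	}
	return client.ConnectionState(), nil
}

var versionName = map[uint16]string{tls.VersionTLS10: "TLS 1.0", tls.VersionTLS11: "TLS 1.1", tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3"}

// RunDemo connects a legacy and a current client to a server whose policy is "TLS 1.2 or newer".
func RunDemo() (Outcome, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return Outcome{}, err
	}
	// MinVersion is the control under test; disabling session tickets stops the server queueing records the synchronous net.Pipe would deadlock on.
	server := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12, SessionTicketsDisabled: true}
	// An unpatched client that can only speak TLS 1.0; it still trusts the server's certificate.
	legacy := &tls.Config{RootCAs: pool, ServerName: host, MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS10}
	// A current client on library defaults (TLS 1.2 or newer, preferring 1.3).
	modern := &tls.Config{RootCAs: pool, ServerName: host}
	var out Outcome
	if _, err := handshake(server, legacy); err != nil {
		out.LegacyRejected, out.LegacyError = true, err.Error()
	}
	state, err := handshake(server, modern)
	if err != nil {
		return out, fmt.Errorf("current client failed: %w", err)
	}
	out.ModernVersion = versionName[state.Version]
	out.ModernCipherSuite = tls.CipherSuiteName(state.CipherSuite)
	return out, nil
}

func main() {
	out, err := RunDemo()
	fmt.Printf("%+v error=%v\n", out, err)
}
```

Run it with go run; it reports whether the legacy client was refused and which version and cipher suite the current client negotiated. The MinVersion setting is what a configuration review of a real endpoint should confirm, and the same two-client probe (one legacy, one current) is a cheap way to validate that a hardening change actually took effect, rather than relying on reading the configuration alone.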

Layered Encryption
Imagine that Internet traffic to and from a network occurs in layered pipelines: an application protocol is carried inside a security protocol, which is carried inside the transport. HTTPS is exactly that arrangement for the web, HTTP carried over TLS. The same layering is needed for other application protocols that were designed to run in cleartext, such as FTP, Telnet and SMTP/IMAP4; each has a TLS-protected form (FTPS, SMTP and IMAP over TLS) or a secure replacement (SSH in place of Telnet), and an enterprise’s encryption standard should require these rather than the cleartext originals.

Auditing SSL/TLS
The audit program outlined in figure 3 highlights the significant points of reference when reviewing controls over privacy and encryption as they relate to the CCPA.12

To ensure compliance with the provisions of the CCPA regarding privacy and encryption, best practices require a risk assessment of the corresponding controls and a mitigation plan that is documented and discussed with management for budgeting.

Conclusion

As the CCPA is implemented and enterprises review their controls to ensure compliance, they should also review their controls over encryption, data sensitivity and privacy to ensure compliance with the law and the protection of customer data using best practices. Enterprises should review the following:

  • Implementation of HTTPS, SSL/TLS
  • Access profiles
  • Policies and standards regarding data privacy and encryption (and those standards should be evaluated against actual practice)

Of particular concern to enterprises is the need to demonstrate and validate compliance with the CCPA’s requirements. Reviewing the areas listed above helps an enterprise show that the controls the CCPA requires or recommends are actually in place, and it also supports the enterprise’s compliance review against the controls in FIPS 199 and 200 and the NIST SP 800 series.

Endnotes

1 California Legislative Information, AB-375 Privacy: personal information: business. (2017–2018), 29 June 2018, https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
2 Secure Privacy, “Learn About the California Consumer Privacy Act (CCPA) and How to Become Compliant,” https://secureprivacy.ai/what-is-ccpa-and-how-to-become-compliant/#WhatisCCPA
3 Ibid.
4 Stanganelli, J.; “California’s CCPA Law: Why CISOs Need to Take Heed,” Security Now, 26 July 2018, https://www.securitynow.com/author.asp?section_id=706&doc_id=744859
5 Op cit Secure Privacy
6 Ibid.
7 Ibid.
8 National Institute of Standards and Technology, “FISMA Implementation Project,” USA, https://csrc.nist.gov/projects/risk-management
9 Oppliger, R.; SSL and TLS: Theory and Practice, 2nd Edition, Artech House, USA, 2016
10 DifferenceBetween, “Difference Between SSL and TLS,” 29 December 2014, https://www.differencebetween.com/difference-between-ssl-and-vs-tls/
11 GlobalSign, “SSL vs. TLS—What’s the Difference?” 7 July 2016, https://www.globalsign.com/en/blog/ssl-vs-tls-difference/
12 Koussa, S.; “How to Quickly Audit Your Cryptography Usage?” Software Secured, 21 July 2015, https://www.softwaresecured.com/how-to-quickly-audit-your-cryptography-usage/

Larry Marks, CISA, CRISC, CISM, CGEIT, CFE, CISSP, CRVPM II, ITIL, PMP
Is a senior manager of governance, risk and compliance at BDO. Prior to joining BDO, Marks was principal subject matter expert for technology and security, supporting the implementation of cyber and operational risk frameworks, ensuring regulatory compliance. He has led cyber/information security risk control self-assessment (RCSA) and programs/projects, while mentoring team and business to implement policies and procedures aligned with regulatory and compliance requirements. As a business advisor, he has also had responsibilities involving internal/IT audit, development, quality assurance/quality control and risk. Marks is a thought leader, publishing regularly on subjects related to security, risk, regulatory compliance, governance, leadership and program/project management.