
How Data Tokenization Can Help CCPA Compliance

The California Consumer Privacy Act (CCPA) is a California data protection law that went into effect on January 1, 2020 and began enforcement on July 1, 2020. The goal of the regulation is to ensure that companies operating in California and processing the data of California citizens properly protect that data and provide certain rights to data subjects.

The requirements of the CCPA are fairly strict, and the California Privacy Rights Act (CPRA), a current ballot initiative scheduled to be voted on in November 2020, will build upon and expand the requirements of the CCPA if passed. Achieving, maintaining, and demonstrating compliance with the regulation can pose a significant challenge for affected businesses.

However, the requirements of the CCPA and CPRA only apply to data that can be used to uniquely identify an individual or household. Efforts to anonymize data, such as the use of tokenization, can help to reduce the burden that CCPA places upon businesses.

CCPA is More Than Just Subject Rights

With the CCPA – and similar privacy laws such as the EU’s General Data Protection Regulation (GDPR) – the main takeaway that people have is that these laws dramatically expand the rights of data subjects regarding their personal data.

In the past, companies could collect, store, and use their customers’ data more or less with impunity. Consumers largely lacked visibility into what data was being collected and how it was used. They also often lacked a means of pushing back against “inappropriate” use of their data.

CCPA (and GDPR before it) have changed this. Within their jurisdictions, data subjects have the right to be informed of data collection and processing, to request a copy of their data, to withdraw consent for certain processing activities, and to instruct a company to delete all data that it has collected about them.

However, while this is a significant change from the status quo, it is not the only purpose of the GDPR and CCPA. Both of these laws are also designed to protect the privacy of customer data from external parties by forcing companies to properly protect this data. By requiring a company to put certain cybersecurity controls in place and reserving the right to levy significant fines for security incidents or regulatory noncompliance, these laws incentivize organizations to have strong cybersecurity and reduce the probability of a breach of sensitive consumer information.

The Challenges of CCPA Compliance

The CCPA is a step in the right direction and is generally a positive move for consumers. However, the need to comply with the requirements of the regulation places a significant burden upon affected businesses.

In order to maintain compliance with the CCPA, an organization must have:

  • Complete Data Visibility: Companies must know where protected data is in order to respond to a subject’s rights requests or detect a potential data breach
  • Full Data Control: Companies must be able to modify or delete customer data in order to comply with a subject’s rights requests
  • Comprehensive Data Security: Companies must have compliant security controls in place to secure protected data wherever it is located

While achieving all of these requirements within an organization’s network is possible, it can be difficult. Also, even the best-designed security still carries the risk of a data breach. Minimizing this risk requires minimizing the footprint of sensitive and protected data on an organization’s network.

Tokenization Enables Effective Data Anonymization

The requirements associated with the CCPA only apply to data that can be uniquely identified as belonging to a particular individual or household. Data that has been properly anonymized or deidentified does not carry the same requirements, making it easier for organizations to manage without violating regulatory requirements.

Most applications within an organization do not require access to protected data. A unique identifier for a user is as effective as a name or email address and does not carry the same impacts if it is breached. Similarly, a user’s address and financial data are only required by shipping and billing departments.

Tokenization enables an organization to replace protected data with unique tokens that can be formatted to fit the needs of a particular application. Since the mapping from a token to the actual data is only stored in a single database, it is useless to an attacker without access to this database.

This enables an organization to focus its data protection efforts on a single location in the network, rather than everywhere that a user’s personal data could be stored or processed.
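The pattern described above, as an added example that is not part of the original article: a minimal tokenization vault in Python. The class and function names (TokenVault, tokenize_record, charge_card) and the sample customer record are assumptions made for this illustration. Tokens are random values with the same shape as the data they replace, the token-to-value mapping lives only in the vault, and honouring a deletion request means dropping the mapping so that every copy of the token elsewhere on the network becomes meaningless.

```python
import secrets

# Added example (not the article's code): a minimal tokenization vault.
# All names here are hypothetical. Tokens are random values, so a token
# on its own tells an attacker nothing; only the vault's mapping table
# (one table, in one place) can turn a token back into the real value.

class TokenVault:
    """Single store holding the token -> protected value mapping."""

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        # (kind, value) -> token, so the same value always yields the same token
        # and applications can still join records on it.
        self._value_to_token: dict[tuple[str, str], str] = {}

    @staticmethod
    def _make_token(kind: str, value: str) -> str:
        # Format-preserving tokens so downstream apps keep working: an email
        # token is still shaped like an email address, a card token keeps the
        # digit groups. ".invalid" is a reserved TLD (RFC 2606).
        if kind == "email":
            return f"tok-{secrets.token_hex(8)}@token.invalid"
        if kind == "card":
            return "".join(secrets.choice("0123456789") if ch.isdigit() else ch
                           for ch in value)
        return f"tok-{secrets.token_hex(8)}"

    def tokenize(self, kind: str, value: str) -> str:
        key = (kind, value)
        if key not in self._value_to_token:
            token = self._make_token(kind, value)
            while token in self._token_to_value:   # vanishingly rare collision
                token = self._make_token(kind, value)
            self._token_to_value[token] = value
            self._value_to_token[key] = token
        return self._value_to_token[key]

    def detokenize(self, token: str) -> str:
        """Only the vault (and the few apps allowed to call it) can do this."""
        return self._token_to_value[token]

    def forget(self, kind: str, value: str) -> bool:
        """Deletion request: drop the mapping. Tokens already spread around the
        network become permanently meaningless. Returns True if a mapping existed."""
        token = self._value_to_token.pop((kind, value), None)
        if token is None:
            return False
        del self._token_to_value[token]
        return True


PROTECTED_FIELDS = {"email": "email", "name": "name", "card": "card"}  # field -> kind

def tokenize_record(vault: TokenVault, record: dict) -> dict:
    """Return a copy of record with protected fields replaced by tokens.
    This is what every application except billing/shipping should receive."""
    out = dict(record)
    for field, kind in PROTECTED_FIELDS.items():
        if field in out:
            out[field] = vault.tokenize(kind, out[field])
    return out

def charge_card(vault: TokenVault, tokenized_record: dict) -> str:
    """Billing is one of the few places allowed to detokenize (constructed stub:
    it returns the masked PAN instead of talking to a payment processor)."""
    pan = vault.detokenize(tokenized_record["card"]).replace(" ", "")
    return "*" * 12 + pan[-4:]

if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample customer record; example.com is a reserved domain.
    customer = {"id": 1001, "name": "Alice Example", "email": "alice@example.com",
                "card": "4111 1111 1111 1111", "plan": "pro"}
    safe = tokenize_record(vault, customer)
    print("what most apps see:", safe)
    print("billing sees:", charge_card(vault, safe))
    vault.forget("email", "alice@example.com")     # CCPA deletion request
```

Because the tokens are random rather than hashes of the original values, an attacker holding only tokenized records cannot recover the data by guessing likely inputs; the vault's mapping table is the one asset that still needs full CCPA-grade protection, access logging and least-privilege callers.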

Leveraging Tokenization for CCPA Compliance

Compliance with the CCPA and other data protection laws requires organizations to reconsider how they implement data collection, processing, and storage in their networks. Under the new rules, consumers have many more rights regarding their personal data, and the stakes of failing to properly protect collected data are much higher with regulatory authorities actively investigating data breaches and reports of noncompliance and levying fines on offenders.

Scattering consumer data throughout the network and making it accessible to many applications expands an organization’s attack surface and makes managing subject rights requests much more difficult and complicated.

Taking advantage of tokenization enables an organization to restrict access to and use of sensitive and protected data to only those applications that require it to perform their functions. This reduces an organization’s vulnerability to attack and simplifies the process of achieving, maintaining, and demonstrating compliance with the CCPA.


The Business Scams That Your Business Needs to Know About

At their heart, many criminals are also entrepreneurs – they’ve just decided to embrace the faster money and higher risks of illegal markets. However, just like other entrepreneurs, every criminal wants to maximize their ROI – increasing the amount of money they are earning while minimizing the amount they are spending. For however many dollars they put in, they can expect to get a certain number of dollars out. Here are some of the scams you need to know about.

CEO Fraud

A new type of scam which promises to enhance the ROI of many existing operations is beginning to be deployed more frequently by scammers. The Business Email Compromise (BEC), also known as CEO fraud, is a variant on conventional phishing attacks that businesses need to watch out for.

Phishing Attacks

Phishing attacks use emails that are masquerading as legitimate messages, containing links or attachments that look harmless but actually enable an attacker to execute malicious code. A spear phishing email is a phishing email that has been carefully crafted for a particular recipient. These were a notable feature of the Russian attacks on the 2016 elections – a spear phishing email crafted specifically for John Podesta ended up granting GRU access to the entire DNC network.

More About Spear Phishing

Spear phishing emails are more likely to be successful than the scattergun approach that phishing spam takes. Regular phishing emails rely upon users being susceptible and, for the most part, technologically illiterate. Often the scammers will have a list of emails from some database or other – every time one of those high-profile data breaches occurs that we all collectively shrug our shoulders at, millions of people’s information is exposed.

Sometimes, passwords are exposed in these breaches, although that is relatively rare. When passwords are exposed, they are usually encrypted and, if the service in question takes security seriously, they will also be salted and hashed.

However, this is not always the case. You can enter an old email address into haveibeenpwned.com to see how many times it has been exposed in a breach and any passwords that have been exposed alongside it.

BEC Scam

The BEC scam utilizes spear phishing, spoofing, typosquatting, or some other type of phishing attack, inducing the user to enter their username and password, thinking they are logging into a legitimate service.

The email itself deploys urgency and claims to have been sent at the behest of a CFO or CEO who is now in a meeting and therefore unavailable. To disguise the lack of a corporate signature, the scammers use the ‘Sent from my iPad’ signature and explain that they are using a personal device. This also enables the scammers to get away with imperfect English as mistakes are written off as autocorrect. If hackers have any additional information that they can use to make themselves seem legitimate, they will often throw that in too.

In some cases, the scammers will use social engineering to convince employees to do things they normally wouldn’t. The best way to defend against this attack is to educate your employees about it. Once they know about it, it is fortunately easy to spot. Never open attachments you aren’t expecting without verifying in person that they are legitimate. Don’t open links or attachments from email addresses you don’t recognize, even if they purport to be from someone you know.
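The tell-tale signs described in this section (an executive's name on an external address, a lookalike domain, a mismatched Reply-To, urgency plus a payment request, and the personal-device signature) can be turned into a simple mail-gateway triage check. The following is an added example, not code from the original article: the Message structure, the score_message function, the executive list and the sample messages are all constructed for this illustration, and example.com is a reserved domain.

```python
import re
from dataclasses import dataclass

# Added example (not the article's code): score inbound mail for BEC indicators.
# Everything here is hypothetical; tune the word lists and thresholds to your org.

@dataclass
class Message:
    display_name: str
    from_addr: str
    reply_to: str
    subject: str
    body: str

URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|in a meeting|today)\b", re.I)
PAYMENT = re.compile(r"\b(wire transfer|wire|gift cards?|invoice|bank details|payment)\b", re.I)
MOBILE_SIG = re.compile(r"sent from my (ipad|iphone|mobile|android)", re.I)
# Character sequences typosquatters use because they look alike in many fonts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def normalize_domain(domain: str) -> str:
    d = domain.lower()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d

def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values between two different domains are suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str, corp_domain: str) -> bool:
    if domain == corp_domain:
        return False
    if normalize_domain(domain) == normalize_domain(corp_domain):
        return True
    return levenshtein(domain, corp_domain) <= 2

def score_message(msg: Message, corp_domain: str, executives: list[str]) -> list[str]:
    """Return the list of BEC indicators found; an empty list means nothing tripped."""
    reasons = []
    sender_domain = domain_of(msg.from_addr)
    external = sender_domain != corp_domain
    if external and msg.display_name.lower() in {e.lower() for e in executives}:
        reasons.append("display name impersonates an executive from an external domain")
    if is_lookalike(sender_domain, corp_domain):
        reasons.append(f"sender domain {sender_domain} looks like {corp_domain}")
    if msg.reply_to and domain_of(msg.reply_to) != sender_domain:
        reasons.append("reply-to domain differs from sender domain")
    text = msg.subject + "\n" + msg.body
    if URGENCY.search(text) and PAYMENT.search(text):
        reasons.append("urgent payment request")
    if external and MOBILE_SIG.search(msg.body):
        reasons.append("personal-device signature excusing a missing corporate signature")
    return reasons

if __name__ == "__main__":
    # Constructed sample messages for a fictional company at example.com.
    samples = [
        Message("Jane Doe", "jane.doe@example.com", "jane.doe@example.com",
                "Q3 numbers", "Attached are the Q3 numbers we discussed."),
        Message("Jane Doe", "jane.doe@exarnple.com", "jane.doe@exarnple.com",
                "Urgent", "I'm in a meeting and need you to send a wire transfer "
                          "before end of day.\n\nSent from my iPad"),
    ]
    for m in samples:
        print(m.from_addr, "->", score_message(m, "example.com", ["Jane Doe"]) or "clean")
```

The edit-distance check is deliberately loose (distance 2 on a short domain will flag some legitimate partners), so treat a hit as a reason to hold the message for review or to verify the request out of band, not as proof of fraud; the combination of several indicators on one message is what makes it worth a human look.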