Tag: data breach

How Data Tokenization Can Help CCPA Compliance

The California Consumer Privacy Act (CCPA) is a California data protection law that went into effect on January 1, 2020 and began enforcement on July 1, 2020. The goal of the regulation is to ensure that companies operating in California and processing the data of California citizens properly protect that data and provide certain rights to data subjects.

The requirements of the CCPA are fairly strict, and the California Privacy Rights Act (CPRA), a current ballot initiative scheduled to be voted on in November 2020, will build upon and expand the requirements of the CCPA if passed. Achieving, maintaining, and demonstrating compliance with the regulation can pose a significant challenge for affected businesses.

However, the requirements of the CCPA and CPRA only apply to data that can be used to uniquely identify an individual or household. Efforts to anonymize data, such as the use of tokenization, can help to reduce the burden that CCPA places upon businesses.

CCPA is More Than Just Subject Rights

With the CCPA – and similar privacy laws such as the EU’s General Data Protection Regulation (GDPR) – the main takeaway that people have is that these laws dramatically expand the rights of data subjects regarding their personal data.

In the past, companies could collect, store, and use their customers’ data more or less with impunity. Consumers largely lacked visibility into what data was being collected and how it was used. They also often lacked a means of pushing back against “inappropriate” use of their data.

CCPA (and GDPR before it) has changed this. Within their jurisdictions, data subjects have the right to be informed of data collection and processing, to request a copy of their data, to withdraw consent for certain processing activities, and to instruct a company to delete all data that it has collected about them.

However, while this is a significant change from the status quo, it is not the only purpose of the GDPR and CCPA. Both of these laws are also designed to protect the privacy of customer data from external parties by forcing companies to properly protect this data. By requiring a company to put certain cybersecurity controls in place and reserving the right to levy significant fines for security incidents or regulatory noncompliance, these laws incentivize organizations to have strong cybersecurity and reduce the probability of a breach of sensitive consumer information.

The Challenges of CCPA Compliance

The CCPA is a step in the right direction and is generally a positive move for consumers. However, the need to comply with the requirements of the regulation places a significant burden upon affected businesses.

In order to maintain compliance with the CCPA, an organization must have:

  • Complete Data Visibility: Companies must know where protected data is in order to respond to a subject’s rights requests or detect a potential data breach
  • Full Data Control: Companies must be able to modify or delete customer data in order to comply with a subject’s rights requests
  • Comprehensive Data Security: Companies must have compliant security controls in place to secure protected data wherever it is located

While achieving all of these requirements within an organization’s network is possible, it can be difficult. Also, even the best-designed security still carries the risk of a data breach. Minimizing this risk requires minimizing the footprint of sensitive and protected data on an organization’s network.

Tokenization Enables Effective Data Anonymization

The requirements associated with the CCPA only apply to data that can be uniquely identified as belonging to a particular individual or household. Data that has been properly anonymized or deidentified does not carry the same requirements, making it easier for organizations to manage without violating regulatory requirements.

Most applications within an organization do not require access to protected data. A unique identifier for a user is as effective as a name or email address and does not carry the same impacts if it is breached. Similarly, a user’s address and financial data are only required by shipping and billing departments.

Tokenization enables an organization to replace protected data with unique tokens that can be formatted to fit the needs of a particular application. Since the mapping from a token to the actual data is stored only in a single database (the token vault), a token is useless to an attacker who cannot access that database.

This enables an organization to focus its data protection efforts on a single location in the network, rather than everywhere that a user’s personal data could be stored or processed.
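The vault model described above, as an added example that is not part of the original post: a minimal in-memory token vault (the class, its field kinds and the sample values are all constructed for illustration) that hands out application-shaped tokens, lets only vault-side callers detokenize, and honours a CCPA deletion request by dropping the mapping so every copy of the token elsewhere becomes meaningless.

```python
import secrets
import string


class TokenVault:
    """Constructed example: the single place holding token -> value mappings.
    Every other application stores and passes around tokens only."""

    def __init__(self):
        self._to_value = {}   # token -> original protected value
        self._to_token = {}   # (kind, value) -> token, so one value maps to one token
        #                       (lets downstream apps join records without seeing the data)

    def _new_token(self, kind, value):
        # Tokens are random, not derived from the value, so they reveal nothing about it.
        if kind == "email":
            # Keep an email shape so existing forms and validators still accept it.
            return f"tok_{secrets.token_hex(8)}@token.invalid"
        if kind == "card":
            # Keep the length and last four digits for display; the rest is random.
            digits = "".join(secrets.choice(string.digits) for _ in range(len(value) - 4))
            return digits + value[-4:]
        return "tok_" + secrets.token_urlsafe(12)

    def tokenize(self, kind, value):
        key = (kind, value)
        if key in self._to_token:
            return self._to_token[key]
        token = self._new_token(kind, value)
        while token in self._to_value:      # extremely unlikely collision; retry
            token = self._new_token(kind, value)
        self._to_value[token] = value
        self._to_token[key] = token
        return token

    def detokenize(self, token):
        # Only the few applications allowed to reach the vault (billing, shipping)
        # should ever call this; everything else works with the token alone.
        return self._to_value[token]

    def erase(self, kind, value):
        """Honour a subject's deletion request: drop the mapping. Tokens still sitting
        in other systems can no longer be resolved to the person."""
        token = self._to_token.pop((kind, value), None)
        if token is None:
            return False
        del self._to_value[token]
        return True
```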

Leveraging Tokenization for CCPA Compliance

Compliance with the CCPA and other data protection laws requires organizations to reconsider how they implement data collection, processing, and storage in their networks. Under the new rules, consumers have many more rights regarding their personal data, and the stakes of failing to properly protect collected data are much higher with regulatory authorities actively investigating data breaches and reports of noncompliance and levying fines on offenders.

Scattering consumer data throughout the network and making it accessible to many applications expands an organization’s attack surface and makes managing subject rights requests much more difficult and complicated.

Taking advantage of tokenization enables an organization to restrict access to and use of sensitive and protected data to the applications that require it to perform their functions. This reduces an organization’s vulnerability to attack and simplifies the process of achieving, maintaining, and demonstrating compliance with the CCPA.


Cyber security pros say mobile payments will boost data breaches

As a rising number of people use their smartphones to make purchases, cyber criminals will up their efforts, too.

According to the results of a recent survey, most cyber security experts (87 percent) now feel that as mobile payments become more popular over the next 12 months, it will also bring about a rise in the number of associated data breaches.

At the same time, 42 percent of the surveyed cyber security experts had already used that transaction method themselves this year.

The survey involved the participation of 900 experts in cyber security. It was conducted by ISACA, and it suggested that mobile payments are likely to progress without any real barrier from security concerns. Among the respondents to this survey, only 23 percent said that they felt that smartphone payments were actually a safe way to store personal information. Another 47 percent said that they felt that this type of transaction is entirely insecure. An additional 30 percent of respondents said that they were unsure as to whether or not the transactions were secure.

Regardless of the risk that is associated with security, it looks as though mobile payments are moving ahead.

Nearly 89 percent felt that cash remains the most secure way to complete payment transactions today. That said, only 9 percent of the respondents said that this was their preferred method of payment.

The ISACA survey participants were asked to provide their opinions regarding the types of vulnerabilities that could be associated with using smartphones to complete payment transactions. The mobile security concerns they identified were:

• WiFi – 26 percent
• Loss or theft of the smartphone – 21 percent
• Smishing (text message phishing)/phishing – 18 percent
• Weak password protection – 13 percent
• User/human error – 7 percent

The report also indicated that mobile payments based on contactless and NFC technology will continue to grow. As a whole, the marketplace for these transactions is predicted by Future Market Insights to be worth $2.8 trillion in five years. The cyber security experts felt that the best ways to boost the security of the transactions are to use two authentication methods (66 percent) and to require a short-term authentication code (18 percent).