CCPA is Coming, and Your Authentication Practices Matter

The CCPA goes into effect on January 1st, 2020. As you work on compliance, don't forget to evaluate and buttress your authentication practices.

The California Consumer Privacy Act,  enacted in 2018, goes into effect on January 1st, 2020—and imposes the strictest requirements in North America for the way in which companies handle and protect personal user information.

The CCPA gives consumers new rights—including the right to ensure that their personal information is destroyed rather than sold. © Sebastian Czapnik / Dreamstime

The primary purpose of CCPA is to give users more control over the personal data that companies store about them—as well as the right to:

  • know what's being collected and saved

  • know whether it's being sold

  • refuse to allow such sales

  • order that the data be deleted

—plus the further right to exercise all of these new rights at will without negatively affecting the prices they pay or the level of service that they receive.

Much of the discussion of CCPA has rightly been about the logistics and UX issues involved—in short, the "new stuff" that companies must build—to achieve compliance and give users the power to exercise these rights.

The Less Visible Part of CCPA Compliance

There's more, however, to CCPA than building workflows to support the exercise of these new rights.

While CCPA does not impose requirements for authentication, identity management, or access control per se, it does fundamentally require companies to protect users' data against unauthorized release, theft, and exfiltration.

Many will now note that this is no small requirement. Furthermore, in evaluating exposure to the law and to consequences for failure to comply, companies should avoid the temptation to ask what penalties the State of California plans to impose for non-compliance.

The bigger issue for most is the fact that once the law goes into effect, consumers will be particularly empowered to act a class in suing for damages when companies fail to protect their data.

Once the CCPA goes into effect, angry consumers will be empowered to act as a class in pursuing damages following data breaches. © Pojoslaw / Dreamstime

For this reason, it's important not to stop at "What specific new things does CCPA require us to do?" and to dig deeper—to the much more fundamental question "How well are we protecting user data of all kinds?"

Don’t Forget Basic Data Security

In its most recent data breach report,  the State of California found that the majority of data breaches—54 percent—resulted from "intentional intrusions into computer systems by unauthorized outsiders."

Perhaps more importantly, such intrusions were responsible for 90 percent of the total volume of data records breached.

In short, investing only in compliance with the newly required workflows and forms of record-keeping at the expense of basic data security is likely putting the cart before the horse for a great many companies whose data security remains ad-hoc or outdated.

CCPA, California, and Authentication

The new law specifies that a failure to "implement and maintain reasonable security procedures appropriate to the nature of the information" can leave a company liable for data theft or exfiltration events.

We can get a hint at what California finds to be "reasonable" by referring to the very same report, which points companies to the most recent version of the Center for Internet Security Controls.  

In particular, CIS calls for multi-factor authentication (MFA) in most cases, and California endorses this view, referencing among other recommendations the suggested use of out-of-band  MFA both for public-facing consumer logins and for accounts held by administrators, employees, and vendors.

In general, phone-based MFA methods like SMS codes and fingerprint scanners have proven to be easy for attackers to compromise. © Wilma64 / Dreamstime

It's not difficult to imagine that in the case of a breach, officials will not look kindly on companies that failed to deploy MFA even if they've implemented other recommended technologies, such as the use of encryption to make stolen data more difficult to use.

Not All MFA Technologies Are Equal

Of course, the best-case scenario for a company is to ensure that the data is never stolen in the first place—to avoid liability and class action scenarios entirely.

For that, what's needed is the strongest possible MFA—to stay well out of the 90 percent of records lost to intentional intrusions by unauthorized outsiders.

Unfortunately, many existing MFA technologies are relatively vulnerable to attack.

  • Phone-based SMS authentication is tremendously insecure because the SMS infrastructure is tremendously insecure  

  • Hardware authenticators  that display OTP codes visually are easy to pocket and steal, and the codes that they display can be captured at a glance—or from across the room by a good camera phone

  • Fingerprint scanners have proven to be shockingly easy to fool, with easily replicated video tutorials all over the web

If the goal is to stay out of the news and out of the breach discussion entirely, adaptive and behavioral-biometric solutions like Plurilock ADAPT  are a far better bet, since there's nothing to steal, nothing to remember, and compromise is orders of magnitude more difficult than is true for other MFA methods.

Whatever strategy you choose, be sure that your existing authentication and data security strategies are a part of your CCPA compliance efforts, even if it's the new user workflows that are getting the bulk of the coverage and discussion. ■