Biometrics to step in when CCPA kills the password, ImageWare exec says
The California Consumer Protection Act (CCPA) goes into effect on January 1, 2020, and brings a set of data privacy requirements to bear against qualifying companies that handle the data of California citizens, regardless of where they are based. ImageWare Systems CTO David Harding told Biometric Update in an interview that CCPA is poorly written and harsh, and that it could be the start of a trend that puts numerous companies at risk of dramatically increased liability, and even targeted cyberattacks. At the same time, it could be the beginning of a stunning market opportunity for identity security companies.
Harding believes the regulation takes a lot of the same principles as Europe’s General Data Protection Regulation (GDPR) a step further, and that it could have major impacts on a wide range of companies, not just in California, but for businesses across the country.
“CCPA makes GDPR look like light beer,” he says.
Like GDPR, CCPA gives residents in its jurisdiction several rights over their personal data. In CCPA’s case, there is the right to know what personal data is being collected about them, whether it is being sold and to whom, and to block its sale, as well as access and deletion rights. The regulation also includes the right not to be discriminated against based on data privacy decisions, which may or may not prevent businesses from using terms of service to obtain consent to sell user data.
Companies that make more than $25 million annually, that derive more than half of their revenue from selling user data, or that hold identifying data for fifty thousand or more people, households, or devices are required to abide by CCPA regulations. In the event of a data breach, they could be fined up to $2,500 per violation, assuming the violation lacks intent, and could also potentially be sued for damages by individuals.
A fair degree of uncertainty also remains around CCPA, according to Harding. “There are a lot of interesting grey areas when it comes to the rights. The devil’s going to be in the details as a lot of these things get lobbied, litigated, and amended.”
Interest in amendments to CCPA is starting to percolate, but as that happens, 14 other states around the country are considering their own legislation along the same lines.
“Each one of these states is going to have its own level of regulation,” Harding warns. “There will be commonalities and similarities, but every one will be different.”
Companies that are not in the identity management business will have trouble meeting the many different sets of regulatory requirements, he says. If they are subject to major fines in each state, then a data breach, which is already potentially ruinous for many companies, could become a common route to bankruptcy.
In response, businesses will seek to limit their exposure in various ways. “The first thing they’re going to start doing, and we’re already starting to see it, is they’re going to push liability off onto somebody else,” Harding explains. “Either a company that is willing to assume it, or, as in many cases, they push it off to the consumers themselves.”
This creates a potentially enormous opportunity for companies like ImageWare. Harding believes the ‘biometric anonymity’ enabled by the company’s proprietary database system provides a way to achieve the robustness of authentication necessary to prevent enterprise hacks, which are mostly password-based, while meeting the requirements of CCPA.
“Being able to separate the biometrics away from any other personally identifiable information but still authenticate an identity on demand,” is the key, according to Harding.
Centralizing information is what systems engineers have been taught to do throughout the history of databases, he notes, but cybercrime and data breaches have made this practice untenable. They have also made passwords untenable, as compromised or weak credentials continue to get the blame for 80 percent of data breaches, and companies will soon face penalties in a growing number of jurisdictions, even for a single incident.
This is what makes CCPA such a golden opportunity for biometrics service providers, and in particular those that can properly secure and segment data, Harding argues.
“When you look at what is going to be required in the future, you’re going to have to know the identity of the person accessing your corporate assets,” he states. “Whether that be logging into your retail website, whether you’re a supplier that goes through some sort of supply side interface to figure out a bill of materials, or whether that be an employee who accesses the network. All of that comes down to you have to know who the person is, but you have to do it in a way that protects you from a liability perspective that the wrong person isn’t going to get into the system. So biometrics, for example, are a good way to make sure you’ve got the right person, and then you’ve got to make sure that those biometrics aren’t compromised.”
Biometrics still need to be “situational, environmental, and personal,” but the conditions are finally right for the right kind of biometrics to be adopted far and wide.
“It takes, in my opinion, something like CCPA,” Harding says. “I see that as the first domino. This will actually create a revolution. One of the biggest reasons for that is it’s not just going to be California, and the Federal government has failed to put any guidelines around this.”
Harding says CCPA is “rolling like a freight train” that will likely crush some unprepared companies. To get prepared, a wave of businesses will implement compliance-focussed logical access system upgrades.
“You’re going to start seeing a revolution of adoption,” he thinks. “I have waited 14 years to see this happen, and it’s going to be one of those overnight things. I never thought it would be State level regulation that would usher in the requirement for people to put in stronger authentication, but I think that’s exactly what’s happening.”