Top security priorities: data protection

In the next part of the Top Security Priorities series, we'll explore the types of data that need protection, the rules and regulations that govern that data, and some data security best practices to consider.

January 26 2023 by Hannah Bien

Image of person opening safe deposit boxes

With each message sent, story posted, blog written, item purchased, video streamed and countless other actions completed, the approximately 4.66 billion internet users create and consume data. Estimates put data consumption at 118 zettabytes for 2023. The average file size of one hour of 4K video is around 21 GB, meaning we consume enough data in one year to binge-watch over 641 million years of crystal-clear video.

Like it or not, your organization is a subject in the dominion of data too, whether via credit card transactions, email lists, patient admittance, software license distribution and beyond. The huge quantity of data processing required can make data privacy and handling complex. In this next blog in the top security priorities series, we’ll try to break this down into some easier-to-chew pieces.

What data needs to be protected?

In practical use, "data" can mean a lot of things. But we're not talking about a self-aware space-dwelling android with a beloved cat named Spot. Instead we care about data that can identify people or affect your business operations, and other sensitive data that could wreak havoc on your organization if exposed. In other words, you should strive to protect Business Identifiable Information (BII), which can be proprietary, business-critical or confidential, and Personally Identifiable Information (PII), which can identify a customer, employee or business partner. This can even extend into child data privacy if children are using their parents' devices.

Of course, keeping BII secure is important, as it can be the lifeblood of your organization. But PII exposure can also ruin your reputation, lose you customers and cost your business hundreds of thousands or millions of dollars in fines (more on that later). So what exactly is PII? This is how NIST defines it:

any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity… and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information

This can be, for example:

  • Full name, maiden name, mother’s maiden name, or alias
  • Street or email address
  • Biometric information
  • Date or place of birth
  • Bank account number
  • Credit/debit card expiration date or chip data

What are the laws and regulations surrounding data?

Before we dive into how data should be handled, it can be helpful to know the standards organizations are subject to when dealing with data.

Payment Card Industry Data Security Standard (PCI DSS)

If you conduct any transactions with a payment card, PCI DSS is important for you. PCI DSS aims to protect payment account data through technical and operational requirements organized around six goals:

  • Build and maintain a secure network and systems
  • Protect account data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

PCI DSS is a contractual standard rather than a law: merchants found to be non-compliant, typically after a breach, can face fines levied by the card brands through the merchant's acquiring bank, commonly cited as up to $500,000 per incident, on top of the cost of the breach itself.

General Data Protection Regulation (GDPR)

GDPR took effect in May 2018 and governs the processing of personal data belonging to people in the EU. It applies to organizations established in the EU and to organizations elsewhere that offer goods or services to, or monitor the behavior of, people in the EU. It requires organizations to tell data subjects how their data is used, to appoint a data protection officer where the regulation requires one, and to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (and the affected individuals without undue delay when the breach is likely to put them at high risk). GDPR rests on seven principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. GDPR is long and complex; a summary can be helpful.

Gramm-Leach-Bliley Act (GLBA)

This act requires financial institutions to "explain their information-sharing practices to their customers and to safeguard sensitive data." The Safeguards Rule established under GLBA requires institutions to maintain a written information security program with administrative, technical and physical safeguards to protect customer information (PII). The rule calls for employee training, appropriate safeguards in the software and systems that handle customer data, and regular testing and monitoring for vulnerabilities in your network infrastructure.

Financial institutions that violate GLBA can be fined up to $100,000 per violation; responsible officers and directors face fines of up to $10,000 per violation and up to five years in prison.

Sarbanes-Oxley Act (SOX)

SOX is a 2002 US federal law covering financial reporting, auditing and the retention of the records behind those reports. Executives who knowingly certify false financial statements can face fines of up to $1 million and ten years imprisonment.

Health Insurance Portability and Accountability Act (HIPAA)

Covered entities—health plans, healthcare clearinghouses and healthcare providers who conduct standard health care transactions electronically—all need to be HIPAA compliant. HIPAA led to these rules about healthcare data privacy:

  • Privacy Rule: This rule sets standards for the protection of protected health information (PHI)
  • Security Rule: This rule sets standards for protecting the confidentiality, integrity and availability of electronic protected health information
  • Breach Notification Rule: This rule requires HIPAA covered entities and their business associates to provide notification of a breach of unsecured protected health information
  • Omnibus Rule: This rule applies HIPAA rules to business associates in addition to covered entities and implements a number of provisions for the 2009 Health Information Technology for Economic and Clinical Health (HITECH) act

HIPAA penalties vary with the level of culpability and range from $127 per violation to millions of dollars per year. Violations can be civil or criminal, and a lack of understanding of HIPAA requirements does not excuse individuals or organizations from responsibility.

How can data be kept private?

OK, now that we have a basic understanding of what data is and how it's governed, let's get into the nitty gritty of how data should be handled. The rules and regulations above boil down to protecting the confidentiality, integrity and availability of that data: keeping it secret, keeping it accessible when it is needed, and being able to trust that it is accurate and unaltered.

Customer transparency

The data lifecycle begins with collection from customers or clients. Organizations have an ethical (and legal) obligation not only to explain to customers why their data is being collected, but to request only the minimum data needed to conduct business. At this stage, present customers with terms of service stating that your organization will collect and store their personal information, and a privacy notice explaining how that information will be used, shared and protected (or not, in some cases). Customers must agree to these terms before collection begins.

Again, only the minimum amount of PII should be collected and retained. Also consider these practices to reduce the quantity of PII stored:

  • Data masking: Hiding original data behind modified content, such as showing asterisks for all but the last four digits of a Social Security number. Masking changes what is displayed, not what is stored, so the full value still exists wherever it is kept
  • Data tokenization: Replacing PII with a surrogate value (a token) whose mapping back to the original is held only in a single, tightly controlled system, such as a patient number used in place of a name. Systems that store only the token hold no PII
  • Data anonymization: Removing identifying information entirely and keeping only aggregate statistics, such as the number of people in your client base who are over the age of 35. Properly anonymized data can no longer be traced back to an individual, though very small groups can still single someone out
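The three practices above, as an added example that is not part of the original post: a small Python script (function and class names are my own, and the customer records are constructed, fictitious data) that masks an SSN for display, tokenizes it through a vault so downstream systems never hold the real value, and replaces identities with an aggregate count, suppressing any bucket too small to be anonymous.

```python
"""Added example: masking, tokenization and anonymization applied to a
constructed customer table. Names and SSNs below are fictitious."""
import secrets
from collections import Counter

# Constructed sample records (not real people).
CUSTOMERS = [
    {"name": "Ana Ruiz", "ssn": "123-45-6789", "age": 41},
    {"name": "Ben Okafor", "ssn": "987-65-4321", "age": 29},
    {"name": "Chloe Dubois", "ssn": "555-12-9876", "age": 36},
    {"name": "Dev Patel", "ssn": "222-33-4444", "age": 52},
]


def mask_ssn(ssn: str) -> str:
    """Data masking: show only the last four digits, asterisks for the rest.

    Masking changes what is displayed, not what is stored: the full SSN still
    exists in the system of record, so masking alone does not reduce PII held.
    """
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        raise ValueError("expected a 9-digit SSN")
    return "***-**-" + digits[-4:]


class TokenVault:
    """Data tokenization: swap PII for a random surrogate (a token).

    Only the vault can map a token back to the value, so any system that
    stores just the token holds no PII. Tokens are random, not a hash of the
    value: a plain hash of a 9-digit SSN can be brute-forced in seconds.
    """

    def __init__(self) -> None:
        self._to_token: dict[str, str] = {}
        self._to_value: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # One token per value, so records for the same person can still be joined.
        if value not in self._to_token:
            token = "tok_" + secrets.token_hex(8)
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, token: str) -> str:
        # Only callers with vault access (and a business need) should reach this.
        return self._to_value[token]


def anonymize_ages(records, threshold: int = 35, min_group: int = 2) -> dict:
    """Data anonymization: drop identities and keep only an aggregate.

    A bucket containing fewer than min_group people is suppressed (None),
    because a count of one identifies that person to anyone who knows the
    rest of the client base.
    """
    counts = Counter("over" if r["age"] > threshold else "not_over" for r in records)
    return {bucket: (n if n >= min_group else None) for bucket, n in counts.items()}


def minimize(records, vault: TokenVault) -> list:
    """What a downstream system (billing, analytics) should receive: the name
    dropped, the SSN replaced by a token, the age coarsened to one flag."""
    return [
        {"customer": vault.tokenize(r["ssn"]), "over_35": r["age"] > 35}
        for r in records
    ]


if __name__ == "__main__":
    vault = TokenVault()
    print(mask_ssn(CUSTOMERS[0]["ssn"]))  # ***-**-6789
    print(minimize(CUSTOMERS, vault))
    print(anonymize_ages(CUSTOMERS))  # {'over': 3, 'not_over': None}
```

The vault is the only component that ever holds the mapping, so it is the one that needs the strictest access control and audit logging; everything that consumes `minimize()` output can be breached without exposing a single SSN.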

Defending your data

Keeping your data private means protecting it from a variety of attack vectors—this requires a multi-faceted security strategy. A great starting point is to conduct a risk assessment to see where your organization stands. In general, a risk assessment aims to determine risk by:

  • Identifying threat sources and events
  • Identifying vulnerabilities and predisposing conditions
  • Determining likelihood of occurrence
  • Determining magnitude of impact

Though the overarching intention of a risk assessment is to determine your entire organization’s security posture, the actual process of risk assessment varies from organization to organization. NIST offers a number of resources to help you get started, as does the Center for Internet Security (CIS).

Storing, accessing and disposing of data

At a minimum, data needs to be encrypted in transit (as it is collected and transmitted) and at rest (wherever it is retained). Every device that can access the data, including servers, workstations, point-of-sale systems and employee devices, should therefore use full-disk encryption and require a password or PIN to unlock. An encrypted disk that is left unlocked, or protected by a trivial PIN, offers little protection if the device is lost or stolen.

Servers, whether on-premises or in the cloud, should be regularly maintained and backed up to preserve the availability of the data. Backups should themselves be encrypted, and restores tested; an untested backup is not a recovery plan.

Access to data should be controlled: grant it only to employees who need it for their role, require individual (not shared) user accounts so every action is attributable to a person, review grants regularly and revoke them when the need ends, and log and monitor access so misuse can be detected.

Device and network security

Beyond encryption, devices should be free of malware and kept up to date. Device management, threat hunting and endpoint security tools help here with automatic updates, activity monitoring and behavioral detection. Learn more about this in the first blog in the Top Security Priorities series.

Security training

Social engineering attacks like phishing are among the most common ways bad actors gain access to your data. User training and awareness are paramount for keeping business and employee data secure; read more about this in the previous blog post in this series.

Incident response

Data breaches are extremely common; it's unwise to assume that your organization is totally defended against them. Developing an incident response plan is critical to contain and recover from a breach, to meet notification deadlines such as GDPR's 72 hours, and to prevent a recurrence.

Key takeaways

  • Organizations have ethical and legal obligations to protect Personally Identifiable Information
  • There are a number of laws and industry standards around data privacy in various industries, including PCI DSS, GDPR, GLBA, SOX and HIPAA
  • Customers should be informed of how their data will be collected and used
  • Keeping data private is a part of a holistic security solution and requires a number of tactics

Jamf can help secure your data.
