While legislators struggle to agree on a new federal data privacy law and on how it would interact with fast-emerging state laws like California's, organizations shouldn't sit back and wait for a list of rules. Data privacy considerations are increasingly critical, because in a digital world people are, for most practical purposes, whatever the data about them says they are.
Protecting personally identifiable information (PII), both for the benefit of the people it describes and to satisfy regulators, is no easy task, however. To make the enormous goal of protecting data tractable, start with these three often-overlooked considerations:
- Data residency: Are you certain you know where your data is hiding?
- Orchestration of controls: How are your security controls policed?
- Continuous monitoring: Can you be sure data is not residing in the wrong place and, if it is, are security controls in place?
Data Residency
Your organization is full of sensitive data; you need it to fuel your business. In theory, PII is accessed only through approved business applications.
Of course, your employees would never export data from Salesforce.com and save it on their laptop. And they'd never save an Excel spreadsheet containing protected health information (PHI) to their hard drive. They'd certainly never sync a proposal containing proprietary company information to Dropbox.
The problem is that your employees would do all of the above. And they do.
Your sensitive data is sitting out there on more endpoints than you think. You need the equivalent of Google for your endpoint data: a content crawler that pattern-matches PHI and PII across the files on endpoint devices and alerts you to any unauthorized copies hiding out there.
Without that, you simply won't be able to track all the places where the data resides.
According to Forbes, one laptop is stolen every 53 seconds. What happens when one of those laptops belongs to your organization? Results from a recent Forrester security survey found that 39 percent of breaches can be traced back to the endpoint (24 percent caused by employee misuse and 15 percent caused by lost or missing devices). Without the ability to know what data resides on a device, you’ve no idea if you’ve exposed your customers to a data breach risk.
Orchestration of Controls
There is no shortage of security controls, whether native to the operating system or third-party applications such as antivirus, antimalware, encryption, or endpoint detection and response (EDR) tools. These controls help ensure that the place where the data resides is a secure one.
The problem organizations face is ensuring that those third-party controls remain installed and functioning at all times. Controls that are native to the device, and therefore harder to remove, can help here: they let you pull status information from the other controls and push actions to the device when a control is not operating as it should or when the user of the device is acting suspiciously.
This is particularly important in a breach scenario. For example, if a company laptop is stolen from the trunk of your employee's car and you know that the laptop contains PHI, then without visibility into that device you have no way to show that encryption was in place and functioning and that no data was accessed after the theft. In this scenario you would have to treat the PHI as unsecured and follow HIPAA's Breach Notification Rule. (HHS guidance treats PHI that was encrypted to its standards as secured, so a device you can show was encrypted when it went missing falls outside that notification requirement; one you cannot account for does not.)
With the right visibility in place, you can produce evidence that the security controls were active on the device, that no data was accessed after it went missing, and that the device has since been locked down and is no longer a threat.
Continuous Monitoring
An annual audit is only valid on the day it takes place. Can you be sure, on any day between audits, that data is not residing in the wrong place and, if it is, that security controls are in place to protect it? Without continuous monitoring you will never keep track of all the data copies that exist across all your devices, and that can leave you in hot water when the regulators come knocking.
Say, for example, that you have a customer who resides in Nice, France. They notify your company that they want to be erased from your records. Under GDPR (the right to erasure in Article 17), you have to find every stitch of their data that is saved anywhere in your organization and erase it.
You can remove them from your data lakes (that's the easy part), but fragments of their data will still exist on numerous endpoints, leaving you exposed to sanctions under GDPR. In this scenario you need to reverse your gaze, looking outwards to the endpoints rather than inwards at the central systems, and surgically delete their data elements from those devices.
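To make both the endpoint crawler from the Data Residency section and this erasure scenario concrete, here is an added example (my own code, not the original post's or any vendor's product): a minimal crawler that walks a directory tree, flags SSN, e-mail and payment-card patterns (card candidates are validated with the Luhn checksum so invoice numbers do not trip it), and then locates and redacts one data subject's identifiers. It assumes the user files are plain text; office formats, PDFs and databases need their own extractors and are out of scope. The sample files it creates are constructed fake data.

```python
"""Added example, not code from the original post: a minimal endpoint PII/PHI
crawler plus a locate-and-redact pass for a GDPR erasure request.
Assumes plain-text user files; other formats need their own extractors."""
import os
import re
import tempfile
from typing import Dict, Iterable, List

# Candidate patterns. Card candidates are validated with Luhn below; the SSN
# pattern rejects area numbers the SSA never issues (000, 666, 900-999).
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),  # 13-16 digits, separators allowed
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs (invoice numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text: str) -> Dict[str, List[str]]:
    """Return {kind: [matches]} for every PII/PHI pattern found in text."""
    hits: Dict[str, List[str]] = {}
    for kind, pat in PATTERNS.items():
        found = []
        for m in pat.finditer(text):
            value = m.group(0)
            if kind == "card" and not luhn_ok(re.sub(r"[ -]", "", value)):
                continue  # digit run that is not a plausible card number
            found.append(value)
        if found:
            hits[kind] = found
    return hits

def _read(path: str) -> str:
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        return fh.read()

def _rel(path: str, root: str) -> str:
    return os.path.relpath(path, root).replace(os.sep, "/")

def scan_tree(root: str) -> Dict[str, Dict[str, List[str]]]:
    """Walk an endpoint's user directory and report per-file hits."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                hits = scan_text(_read(path))
            except OSError:
                continue  # unreadable file: skip rather than abort the crawl
            if hits:
                report[_rel(path, root)] = hits
    return report

def locate_subject(root: str, identifiers: Iterable[str]) -> List[str]:
    """Erasure step 1: every file under root holding any of the subject's identifiers."""
    ids = [i.lower() for i in identifiers]
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                text = _read(path).lower()
            except OSError:
                continue
            if any(i in text for i in ids):
                found.append(_rel(path, root))
    return sorted(found)

def redact_subject(root: str, identifiers: List[str]) -> int:
    """Erasure step 2: overwrite the identifiers in place; returns replacement count."""
    count = 0
    for rel in locate_subject(root, identifiers):
        path = os.path.join(root, rel)
        text = _read(path)
        for ident in identifiers:
            text, n = re.subn(re.escape(ident), "[ERASED]", text, flags=re.IGNORECASE)
            count += n
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return count

def build_sample_tree() -> str:
    """Constructed sample endpoint files (fake data) so the example runs offline."""
    root = tempfile.mkdtemp(prefix="endpoint-")
    samples = {
        "Documents/crm_export.csv": "name,email,ssn\nJean Dupont,jean.dupont@example.com,123-45-6789\n",
        "Documents/proposal.txt": "Q3 proposal for ACME. Contact: sales@example.com\n",
        "Documents/expenses.txt": "Card 4111 1111 1111 1111 charged 42.00\nInvoice 1234567890123\n",
        "Desktop/notes.txt": "Lunch at noon, nothing sensitive here.\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    print(scan_tree(root))
    subject = ["Jean Dupont", "jean.dupont@example.com", "123-45-6789"]
    print(locate_subject(root, subject), redact_subject(root, subject), locate_subject(root, subject))
```

Two practical caveats. First, the erasure pass only finds what you tell it to look for: the hypothetical subject list above includes the name, e-mail address and SSN, and leaving one out leaves that fragment behind, which is exactly the "shards of their data" problem. Second, overwriting a file in place does not scrub the old bytes from disk (journaling file systems and SSD wear-levelling keep copies), so this is hygiene on top of full-disk encryption, not a substitute for it.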
For your data privacy efforts to be effective, diligence is required across all three of these areas. In my next post, I will discuss three simple steps to approaching data protection. In the meantime, if you'd like to learn more, get our new eBook, 3 Overlooked Data Privacy Considerations.