Advances in technology - broadband, the internet, and mobile devices - are enabling us to communicate more effectively and collaborate globally, regardless of network and geographic boundaries. In today's wide open world, just about anyone can access, share and disseminate unlimited amounts of information, any time, anywhere. While these newfound capabilities empower employees and speed the flow of business, they also make it more difficult to secure all of the sensitive data that we depend upon.
As data breaches make headlines on a daily basis, government regulators and industry standards bodies are stepping in to mandate that organizations protect their customers' private information. To comply with privacy rules, it is no longer sufficient to think of data security in terms of building walls around corporate information assets. Instead of simply reinforcing the perimeter as we have in the past, we must rethink security and find ways to protect the data itself – wherever it may reside.
The following snapshots of regulations reveal a common theme: secure your data or risk significant penalties and fines. Some of the laws and standards that require companies to demonstrate their ability to protect personally identifiable information (PII) include:
State privacy notification laws:
With the Security Breach Information Act (CA SB-1386), which went into effect in 2003, California became the first state to require that organizations notify any and all customers if their confidential data has been breached. Today, 36 states have implemented similar notification laws.
Payment Card Industry Data Security Standard (PCI DSS):
The retail industry – and in fact any business that processes credit card payments – must meet the 12 data security requirements of the PCI DSS, including the prohibition on storing magnetic stripe data, the protection of cardholder account data, strong access control measures and enforcement of information security policies.
Gramm-Leach-Bliley Act (GLBA):
Because it deals in such high volumes of confidential customer financial data, the financial services industry is required under GLBA to safeguard that data. The bank regulators who enforce GLBA are focusing more and more on data privacy.
Health Information Portability and Accountability Act (HIPAA):
Health care organizations are required by HIPAA to protect all patient data. These organizations must be able to identify where patient records are located, as well as ensure that these records cannot be leaked via email, webmail, or lost laptops or other devices.
Proposed federal legislation:
As data breaches continue to make headlines, several bills have been introduced in the current U.S. Congress that will likely lead to a national consumer data protection law. In addition to breach notification, these bills require that organizations establish data security policies and put measures in place to ensure workforce compliance.
These and other regulations make compliance a top driver for data loss prevention strategies in every industry. Due to the erosion of network boundaries, however, companies are often simply unable to identify where confidential data is stored on their systems or whether it is leaving their network. This puts most organizations in limbo – required to comply with regulations, but without systems in place to identify and protect their data.
Technology has created this problem, and technology must play a key role in solving it. But securing private data takes more than technology solutions. Only by establishing a culture of compliance can companies fulfill their obligations to safeguard their customers' privacy – and meet regulatory requirements.
Here are four key steps in the creation of a successful compliance culture:
- Create and communicate data security policies;
- Establish incident response and remediation rules, roles and processes;
- Implement systems to discover, protect, monitor and prevent the loss of confidential data;
- Continuously educate employees to reinforce policies and ensure workforce compliance.
In summary, data loss prevention is a journey, not a destination. Successful organizations will be those that learn to manage and reduce risk by identifying and monitoring confidential data, and then communicating data policies clearly to everyone throughout the organization. Through this continuous communication and ongoing education of employees, organizations can create a culture that promotes employee accountability and compliance with data security policies.
- Joseph Ansanelli is CEO of Vontu