The Lifecycle of Data Protection Is Evolving. Here’s What You Need To Know
July 13, 2017
In this age of widespread ransomware attacks and rampant data breaches, enterprises are reimagining their data protection strategies. It is no longer adequate to worry about a disk crashing. Nowadays, you must worry about all of your data assets being stolen and held for ransom. Your team must adopt a proactive, lifecycle-based approach where data assets are discovered and documented, and controls are adopted to protect these assets at all times.
This consists of a four-step process:
- Identify sensitive data. Every enterprise should have an updated data classification document that states the type of data that is to be protected, and an associated policy that specifies the level of protection that it requires.
- Assess the risk. Based on the specified policies, assess the risk of a data breach in the environment where data is stored and processed.
- Implement the appropriate policies. The most important step is to implement those policies requiring sensitive data to be protected by using techniques such as masking, tokenization and encryption. Encryption is by far the most powerful, but it is important to match up the security requirements with the type of protection that is adopted.
- Monitor the implementation. This implementation is now monitored so that policy violations can be flagged and corrective action can be taken.
A New Era Of Privacy Regulations
The EU General Data Protection Regulation (GDPR) requires that sensitive data be protected at all times, including when it is being processed, which implies that at no time should the data be in the clear, including when in use. By the time that this regulation goes into effect in May 2018, it will require a completely reimagined framework for data protection.
This is a first as far as data privacy regulations go and will necessitate an approach that requires data protection by design and by default, as is evident from the title of Article 25. The failure to report a data breach carries a fine that is proportional to the revenue of the company that lost the data (4% of annual global turnover or €20 million, whichever is greater) and not to the damage that the data breach caused for their customers, as is the case today with other data privacy regulations.
These regulations apply to any entity that has access to information about a citizen of the EU, irrespective of where a company is headquartered. This means that a U.S. company that happens to have an EU citizen as a customer would be held liable in the case that the company loses his or her personal information. A similar law has been adopted in Australia, and the U.K. is likely to persist with similar regulations after its official exit from the EU in 2019.
Forty-eight states in the U.S. have data breach legislation in place. Today, the notification windows are not as stringent as that of GDPR (72 hours), and the liability for damages is restricted to the amount of harm caused by the breach. All of this will evolve as legislators look at GDPR as a precedent and as its citizens become more and more sensitive to how their personal data is protected. The only safe harbor for these regulations is encryption because it absolves them of the need to notify authorities or customers as loss of encrypted data is unlikely to cause harm.
A Proactive Approach To Data Protection
Companies that collect data from their customers or employees (who doesn’t these days?) will have to create a formal classification of what constitutes sensitive information. They will have to specify what they plan to use that data for and how they plan to protect that data. This will lead to a new approach to data management that starts as soon as the data is created, continuing when it is processed until it is retired. A desired side effect is that the data will not be lying around in unprotected stores from where it can easily be stolen.
Comprehensive compliance reporting will be the norm for these companies, eventually enhancing their reputations as responsible custodians of their customers’ and employees’ information. Companies that manage customer information like Uber, Dropbox, Twitter, Square and Airbnb, among others, have banded together to create a Vendor Security Alliance (VSA) that will issue questionnaires to vendors they do business with so that they can be assured of their security practices. This is likely to lead to a scoring system that will make it easy for companies to do business with each other, much like a Dun & Bradstreet rating.
Security Expenditure: A Necessary Evil Or A Competitive Differentiator
It is heartening to see that, according to a PWC survey of global CEOs, 64% said that the way their company manages their customer’s data will be a key differentiator for them in coming years. Does this mean that security is not just an insurance policy but a revenue accelerator? If yes, that certainly bodes well for our citizens who can now feel that the business world cares about how they control their customers’ data and takes responsibility of that data when they store and process it.
It’s time to take a proactive approach to data management. This means managing data throughout its lifecycle, from production through processing. Privacy regulations like GDPR mandate this or levy heavy penalties on companies that lose their customers’ data. A general awareness of responsibilities associated with data management is the first step in data security being a competitive differentiator rather than an insurance policy, a necessary evil.
Original Article found here.