It’s difficult to operate a business, but it is more challenging if you have an online presence and have customers and suppliers who require you to keep sensitive information. The need to store data securely has been on top of regulators’ minds and there are a lot of standards that you have to comply with.
For instance, if you process payment cards, you must comply with the Payment Card Industry Data Security Standard (PCI-DSS). If you transfer money from one account to another, you need to know the advisory and mandatory controls put forth by the Society for Worldwide Interbank Financial Telecommunication (SWIFT). You also need to comply with the Sarbanes-Oxley Act (SOX). And if you store data on European customers, then you need to comply with the General Data Protection Regulation (GDPR). In other words, there is a sea of complex regulations spanning every industry that companies need to stay on top of.
Aside from these laws, there are several others that you might need to comply with depending on the types of data you store or what industry you’re in. For instance, you need to know the laws, standards, advisory controls, and regulations from:
- Continuous Diagnostics & Mitigation
- Health Insurance Portability and Accountability Act
- Federal Financial Institutions Examination Council
- Federal Information Security Management Act
- North American Electric Reliability Corporation – Critical Infrastructure Protection
- Criminal Justice Information Services
These regulations and standards mandate that companies utilize certain best practices and safeguards. Truth be told, even without these standards, businesses should really focus on knowing how to store customer data and secure it. Their reputations are at stake. Who in their right mind would want to do business with a company that would inadvertently give hackers and other people their credit card details, social security numbers, and even what they bought in the past month?
To help you get up to speed on important regulations related to secure data storage, here’s a look at the current regulatory guidelines you need to know.
Digital Guardian wrote about the Sarbanes-Oxley Act in this post, noting that it is aimed at protecting stockholders and other parties from fraudulent practices and accounting errors. SOX also provides guidelines that lead to more accurate company disclosures. SOX was introduced in direct response to the financial scandals at Enron, Tyco, WorldCom, and other big companies of the time, to improve corporate accountability and governance.
Due to the SOX Act, business entities must now keep all electronic records and messages for at least five years, or risk imprisonment and/or hefty fines. Digital Guardian suggests a three-pronged approach to managing electronic records:
1. Data classification and security tools
The first step in SOX compliance is getting the right security controls in place. This will ensure that the data you have will not be lost and its accuracy is untainted. Lay down the best practices and get the finest security tools that help to automate SOX compliance while also reducing costs.
One useful tool is data classification software that automatically tags and classifies data as soon as it is created. These context-aware solutions can classify information such as personally identifiable data, personal health records, social security numbers, and financial data, and they work with either structured or unstructured data.
2. Data protection
Data classification can help you monitor and enforce your organization's policies on data handling. When data is properly categorized, you can easily decide whether to encrypt it, compress it, or do whatever else is needed to protect it. A good data protection plan keeps unauthorized users out and unable to view the data you maintain.
Data protection tools should also prevent unauthorized copying and removal of storage devices. They should also safeguard the data you share with others via masking features.
3. Compliance and audit
The tools that you use should be able to monitor data, log all actions of all users, and enforce policies when necessary. In short, there should be audit trails you can rely on to prove compliance.
PCI-DSS Data Storage Guidelines
While SOX data storage compliance focuses more on data classification, data protection, and audits, PCI-DSS has a more stringent set of rules. For instance, you may only store the primary account number (PAN), cardholder name, service code, and expiration date. You cannot, under any circumstances, store the full contents of the magnetic stripe, the CAV2, CVC2, CVV2, or CID, or the PIN or PIN block data.
You are required to protect all card details that you do keep. Encrypt the data so that it is unusable even if it gets into the wrong hands: encryption renders the data unreadable unless the user holds the right cryptographic keys. PCI-DSS also encourages you not to keep the entire account number if it is not needed. If you do not need the full PAN, you can either mask it or truncate it.
You can also use a hashed index, which only points to the location where the actual data is stored. Index tokens and pads are another option: this technique combines the plaintext with a random key that is used only once.
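As an added example (not code from the original post), the following Python sketch applies the PCI-DSS storage rules above to a card record: it drops the sensitive authentication data that may never be stored, keeps only the storable fields, masks or truncates the PAN, and derives a keyed hash index for lookups. The field names, the first-six/last-four masking convention and the HMAC key are assumptions made for the example.

```python
import hashlib
import hmac
import re

# Fields the post lists as storable under PCI-DSS (assumed key names).
STORABLE = {"pan", "cardholder_name", "service_code", "expiry"}
# Sensitive authentication data the post says must never be stored.
FORBIDDEN = {"track_data", "cav2", "cvc2", "cvv2", "cid", "pin", "pin_block"}


def _digits(pan: str) -> str:
    """Strip spaces/dashes and check the PAN length (13 to 19 digits)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return digits


def mask_pan(pan: str) -> str:
    """Mask for display: first six and last four digits visible (assumed
    convention), every digit in between replaced with '*'."""
    d = _digits(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def truncate_pan(pan: str) -> str:
    """Truncate when the full PAN is not needed: keep only the last four."""
    return _digits(pan)[-4:]


def pan_index(pan: str, key: bytes) -> str:
    """Keyed one-way index (HMAC-SHA256) so records can be found by card
    without the PAN on disk. The key lives outside the database; an unkeyed
    hash would be easy to brute-force over the small space of valid PANs."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def sanitize_record(record: dict, index_key: bytes) -> tuple:
    """Build the record that may be persisted: drop forbidden fields, keep
    the storable ones, and replace the raw PAN with its mask and keyed
    index. Returns (stored_record, names_of_dropped_fields)."""
    dropped = sorted(FORBIDDEN & set(record))
    stored = {k: v for k, v in record.items() if k in STORABLE and k != "pan"}
    if "pan" in record:
        stored["pan_masked"] = mask_pan(record["pan"])
        stored["pan_index"] = pan_index(record["pan"], index_key)
    return stored, dropped
```

If the full PAN must be retained (for example, for recurring billing), it is stored separately and encrypted, as the post describes; this sketch only covers the minimization and lookup side.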
General Data Protection Regulation
Data storage and privacy have never been discussed as much as when the GDPR was released. Thanks to the European Union’s new set of rules on how data should be secured and handled, there is renewed interest in data storage and security. The GDPR sought to update the Data Protection Act of 1998, which was introduced at a time when such entities as Facebook, Google, and Twitter did not even exist. As such, the law needs to change to accommodate the new landscape.
GDPR gives ownership of data to the user rather than the company, and as such, users have more rights and a say in how a company can use their data. For the first time, consumers can refuse companies that want to use their personal data. They even have a right to be forgotten. Plus, businesses are now required to inform supervisory authorities of a data breach within 72 hours. If they fail to do so, they face hefty fines.
With the GDPR in place, businesses need to know what types of personal data they have been collecting over the years, as well as where these data are stored. Apart from knowing where all the data in your organization exists, you should also be able to focus on user-identifiable data. This includes data given or generated by the user, as well as data created on behalf of the user by a third party.
To remain compliant with GDPR, encrypt as much of the data you hold as possible, both at rest and in transit. You should also draw up a very detailed map of your data according to the application that uses or stores it.
Moreover, you should be able to secure the data, restrict access to it, and log everything for future auditing, allowing you to know if there are data breaches.
Health Insurance Portability and Accountability Act
If you are in the healthcare industry, such as running a doctor’s office, or you have your own wellness practice, then you are covered by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA relates to patient information, and it brings with it a lot of very stringent security and privacy provisions when it comes to personal health data.
HIPAA has some tough rules on how protected health information is to be managed, handled, stored, and shared. If you violate HIPAA rules, then you might be facing some very hefty fines. In fact, if you deliberately disclose patient information then you might land in jail.
When it comes to data storage, HIPAA calls for safeguards on three levels:
- administrative,
- physical, and
- technical.
It requires you to make sure that all patient-related data is readily available and secure, with its integrity intact. There should be defenses against attacks or threats, as well as protections against disclosing or using patient information without due authorization.
HIPAA calls for securing data while it is being transmitted. You should also have access and integrity controls in place, and the ability to make all the information available for audit. Beyond technology, HIPAA also requires organizations to protect the devices, workstations, and facilities that access patient data. The company should also have a designated point person for security and undergo continuous assessment and training for HIPAA compliance.
The Last Word
Secure data storage takes real work. However, the different sets of rules and regulations put forth by different organizations all share the same goal: protecting the customer's data and privacy. For this reason, different entities, such as the Payment Card Industry, the European Union, or regulators in the United States, all work towards the same end.
As such, being compliant involves less work than you would expect, even if you need to comply with three or more sets of regulations. As you can guess, the processes needed to store and secure data are very similar. You can use the same tools to gather, classify, encrypt, secure, and store data. The good news is that there are readily-available software and tools that can help you do everything you need to do with data storage.
Start with understanding the data and classify everything you get. You should have a thorough grasp of your most critical data and services, and where to store it. Prioritize the most important data and build your best practices and policies from there.
Data is at rest when it is stored in a resource such as a local area network, a device, or a data warehouse. Data can also be in use or in transit. Taking note of the different states of your data lets you understand how it flows and, ultimately, how to protect it.
To avoid being overwhelmed, remember that not all data are the same. For example, you really do not need to encrypt all types of data. There are, however, data types that you are required to encrypt. If you want to be compliant, encrypt personal and financial information, as well as other sensitive data. You can also anonymize confidential or sensitive information.
After you deal with storing and securing the data you have, you should look at how these data are accessed. In this respect, you will need to have good identity and access management tools in place. The goal is to make sure that only those users who need the data for their jobs should be able to access the information. As with storage and security, access management should be an ongoing process.
Overlapping, but not an exact duplicate
You should not think, however, that if you are compliant with one standard that it means you are compliant with all the other standards. There are several overlaps in processes and best practices, and you can use the same tools and software for two or more sets of regulations, but there are still finer points that you need to flesh out to ensure full compliance.
Businesses in any industry should expect more regulations in the future. The landscape is changing, and people are not only aware of data privacy – they are demanding it, too.
In fact, according to a Janrain Research survey, close to seven out of every 10 Americans would like to see something like the GDPR enacted in the United States. Around three out of four, or 73 percent, think that websites know too much about them and their behavior. Furthermore, close to eight out of ten, or 78 percent, are aware of the Facebook and Cambridge Analytica scandal.
As such, enterprises today will do better if they make data storage and data protection a priority. The good news is that, armed with the right tools and working towards compliance with any one of these current standards, you have a very strong foundation. No matter what new rules come out in the future, you will be ready for compliance. You might even say that you are, for the most part, already compliant with the upcoming laws.