As we continue to trudge through this era of cybercrime, federal and state governments are placing increasingly stringent requirements upon organizations to protect client information. 31 states (and Puerto Rico) currently have laws on the books that require organizations to securely protect client information and ensure that all personal data is properly disposed of. For reference, a few years ago only 15 states had such laws, but government officials quickly took notice of the rampant data security breaches that resulted from such lax regulation. Thus, they raised the data protection standards that each organization must reach, and that is a trend you can expect to continue for the foreseeable future. As the cybercrime epidemic continues, organizations can expect heavier regulation and more strictly enforced regulatory compliance.
If your organization is to maintain its data security and continue to operate within the parameters of these ever-expanding regulations, you’ll need to revitalize your data security protocols and ensure your compliance with evolving standards. In the interest of keeping your organization up-to-date with the latest regulations, let’s look at the trends of these newest regulatory laws.
While each state has enacted its own unique data protection/destruction policies, there is certainly a good deal of overlap to be observed. Let’s look at the national trends of these newest regulations:
• Risk Assessment: In the age of information, ignorance is no longer an excuse for negligence. Claiming to be uninformed of optimal data destruction strategies will not protect your organization from the legal ramifications of a data breach, and this means you need to be aware of and actively trying to fix any weaknesses in your data security. Failure to do so will find you not only with a data breach but with more than a few lawyers breathing down your neck.
• Access Restrictions: If your organization grants all employees unlimited access to personally identifiable information (PII), you’ll quickly find yourself on the receiving end of a lawsuit. Part of protecting PII is ensuring that only a select few have access to it, and regulations are enforcing this protection more and more.
• Express Procedures: Data protection cannot be left up to chance any longer, and that means having a written and well-articulated plan for your data protection methods. How is data destroyed? Where will your decommissioned hardware be sent? You need to not only have answers to these questions, but the answers must be widely distributed and understood within your organization.
This is a varied list of data protection requirements, so it’s best to look at each piece individually and examine how your organization can ensure it’s completely compliant with these newest standards.
Managing Data Security Risks
No organization’s data security is perfect; if that were possible, we wouldn’t be seeing a record number of annual data breaches. Just because nothing is perfect, however, doesn’t mean that you can stop trying to improve your data security. On the contrary, the latest regulations insist that you consistently reevaluate and improve upon your data security protocols so that you can keep up with the evolving attack vectors utilized by cybercriminals.
Say, for example, that you’ve noticed that your data wipe isn’t working: perhaps it leaves residual information, maybe it doesn’t fit the size or scope of your organization, but for one reason or another you know it’s not the best solution for you. In that situation, you’d be legally obligated to explore alternatives like Clarabyte’s data wipe, which both eradicates data from hardware and is completely scalable to any organization. It would be negligent of you to stick with a product that you know isn’t optimal, and these new regulatory standards mandate that you look at other options.
Of course, nothing in these new industry regulations states that you have to immediately replace a weak point in your data security, only that you must be actively trying to resolve it. Otherwise, you’d quickly find yourself rushing into flawed solutions and only increasing your problems. In the above data wipe scenario, scheduling a demonstration of Clarabyte’s wipe would be a more than adequate solution to prove that you’re actively investigating solutions to your data security issue.
In short, the latest regulatory standards require you to actively seek out weaknesses within your data security policies and do your best to address and resolve them. This doesn’t necessarily mean rushing into a decision, but you will need to prove that you’re actively pursuing solutions if such information is ever asked of you. While this addresses a process rather than a tangible action, some of the other standards are substantially more concrete.
Implementing Access Restrictions
In 2015, a study reported by Infosecurity Magazine found that 43 percent of data breaches were perpetrated by individuals within the organization. This means that trusted employees were responsible for almost half of the data breaches that year, and the latest regulations reflect an acknowledgment of this danger. Organizations are now required to limit who has access to PII and, while a new step for some, this process is thankfully relatively straightforward.
This regulation means that you can no longer grant all employees unrestricted access to client information or sensitive company documents. And really, this step should seem like common sense. Why would your new employee in R&D need classified information about a client’s history of purchases? A good rule of thumb is that if an employee doesn’t have an immediate need to access private materials, then don’t grant them access. By implementing sensible restrictions on who is allowed to access what data, you can not only greatly reduce your risk of insider theft, but also operate within the bounds of your industry’s regulatory requirements. From all perspectives, it’s a win-win scenario.
While these actions are relatively simple, not all methods of complying with regulations are so clear-cut and intuitive. These new laws often require organizations to have clear data protection guidelines in place and, for many, this is an entirely new process for which they’ll find themselves requiring a bit more guidance.
Creating Clear Guidelines
While humans are naturally fallible, their potential to do harm is significantly reduced when they have express directions on how to perform their duties. For example, an employee responsible for deleting sensitive information may accidentally leave PII on a hard drive because they weren’t sure if it warranted deleting. If that same employee had been given clear and written instructions on what data was and wasn’t to be deleted, however, there would have been no security threat to speak of.
The natural progression of this line of thought is, “How do I create clear guidelines?” The content of your guidelines will vary depending on the task, but let’s keep it focused on data destruction. For those procedures, you should be asking yourself questions like: What data needs to be erased? What happens to decommissioned hardware? How do you operate your data destruction tool? These questions (and others) should be answered in your guidelines. If you’re unsure of what to ask for a specific aspect of data protection, try speaking with the head of whatever department you’re creating guidelines for. As it’s literally their department, they should have an idea of what needs to be articulated and you’ll be able to use this information to create unambiguous protocols for employees to follow. The important part is that your employees understand what’s expected of them and know how to comply with data security protocols and standards.
Making thorough data protection policies is an essential part of keeping up with the latest standards, so don’t skimp on this step. If it makes the job easier, collaborate with IT experts as well as legal counsel who will know how to guide you in your pursuit of securing your data. It may require an investment of time up-front, but it’ll be more than paid off when your employees know how to perform their data protection duties and you’re operating within the scope of your industry’s regulations.
Data protection standards are constantly evolving, which means that you can never grow complacent in your operations. Frequently check the data protection standards of both your state and your industry and ensure that you’re complying with these standards to the best of your ability. While the above are some of the most common trends in these laws, each one will be different and it’s essential that you operate within the bounds of whatever state your organization resides in.
By staying informed and consistently revitalizing your organization’s data protection practices, you’ll easily be able to keep yourself on the right side of regulatory standards and optimize your protections against data breaches. These extra rules and regulations may not make your job any easier, but they’re put in place to keep your organization’s data secure, so always follow them to the best of your ability, both to protect against cybercriminals and against equally damaging legal action.
“A New Era Of Cybercrime, A New Enemy.” PYMNTS. 27 Jan. 2016. Web. 05 Feb. 2017.
“Data Disposal Laws.” National Conference of State Legislatures. 01 Dec. 2016. Web. 05 Feb. 2017.
“Data Protection in the United States: Overview.” Practical Law. Web.
“Insider Threats Responsible for 43% of Data Breaches.” Infosecurity Magazine. 25 Sept. 2015. Web. 05 Feb. 2017.
Lord, Nate. “The History of Data Breaches.” Digital Guardian. 27 Jan. 2017. Web. 05 Feb. 2017.