Following the raft of recent cyberattacks on major businesses, CBR spoke to Paul Ayers from data security specialists Vormetric to find out what he thinks companies need to do in order to safeguard their data.
Driven by relentless news about cyber threats, security breaches and data loss, lawmakers and regulators the world over are increasingly defining new obligations for data security. Amid increasing internal and external hazards, the mandate for technologies like encryption and access control to protect personal and financial data has assumed a prominent role in the resulting legislation. Given the scale of breaches suffered by megabrands like Target in recent months, where card holder data was the primary target, the emergence of more prescriptive legislation in the field is hardly surprising.
However, this development does signal a change in data security ‘best practice’ – now the technology is not just mandated for portable equipment, but also for databases, unstructured data and data in the cloud. As such, it is imperative that businesses, especially those operating on the international stage, be fully informed as to the details of their legal security and compliance obligations.
It’s worthwhile to point out that businesses responsible for handling payment or card data are already aware that encryption is mandated in the likes of PCI DSS – wherein requirement 3 states that all data should be rendered "unreadable – anywhere it is stored" and strong cryptography with key management is recognised as a primary option for this. But a crucial point to highlight here is that cardholder data is treated as "personal data" for the purposes of EU data protection law, and so it must be encrypted.
In this regard, the mandate that the business community as a whole is perhaps most familiar with is probably the 1995 Data Protection Directive, which sets out the current framework for data protection in the EU member states. Of its core principles concerning the processing of personal data, there is a specific requirement under Article 17 for Member States to implement "appropriate technical and organisational measures" to protect personal data against accidental loss or unauthorised disclosure.
Looking to the US, by contrast, the data protection regime is based on a ‘sectoral model’, meaning that personal information is protected by various laws applicable to particular industry sectors. What’s more, federal laws, as well as laws of individual states, will apply, so organisations are often faced with having to comply with a complex web of legal requirements. Nevertheless, overlapping federal regulations, like HIPAA, GLBA, FCRA, SOX, FISMA, NIST standards for federal agencies, FTC expectations and 47 US State laws, result in multiple drivers for the same requirement: encrypt personal and financial data and control access.
The US, UK, Germany and South Korea treat non-compliance with encryption laws very seriously, with consequences in the form of high regulatory fines and/or a high possibility of harmful civil litigation. Indeed, the South Korean Personal Information Protection Act (PIPA) is dubbed one of the strictest data protection regimes in the world. According to the law, information managers (i.e. data controllers) must take the "technical, administrative and physical measures necessary for security safety in order to prevent personal information from loss, theft, leakage, alteration or damage."
This week the UK Information Commissioner’s Office announced in its annual report that data use is getting more complicated and the public need someone they can trust to watch over their information. As the above illustrates, while the continued presence of an independent regulator overseeing the handling of personal data is essential, this is only one part of the data protection puzzle.
Implementing solutions like encryption will reduce the attack surface – whether from bad guys inside or outside the fence – but it is important to remember that it is not the beginning and the end of data security compliance; a holistic approach is essential.
Paul Ayers is VP EMEA, Vormetric. In conjunction with FieldFisher, Vormetric has produced a whitepaper on the legal obligations for encryption of personal data in the United States, Europe, Asia and Australia. For more information and to access the paper visit: http://enterprise-encryption.vormetric.com/web-analyst-reports-march-2013.html