Data Privacy is Everywhere
Data Privacy and Security is Among Us
I was thinking about this the other day: all the different privacy guidelines that an employer or a company may need to think about, know, act on, and, at the end of the day, use to protect certain types of information from prying eyes, from people without a business need to know, from 3rd parties, and from the bad guy too. The lengths one might have to go to depend specifically on the industry the company operates in. Some industries have strict or additional guidelines they must follow.
Corporations have "baseline" or fundamental privacy regulations they must follow. As an example, when dealing with employee health data (leave of absence too), there are the overarching HIPAA (Health Insurance Portability and Accountability Act) guidelines to ensure proper protection of employee data. Tied to HIPAA, companies typically work with BAAs (Business Associate Agreements), which are contracts between a HIPAA covered entity and a business associate, one that may work with, process or store medical / health records. Companies typically maintain a HIPAA security policy as well.
What other privacy guidelines might you face? Again, it depends on industry and location. Every state has specific data privacy protection laws and regulations that you should know. On the federal level there are laws too that protect data. If your company is a global organization, then you have specific laws/regulations by country too. Some countries like Germany and the Netherlands, and of course the EU (and all member countries), will have a single regulation called GDPR (General Data Protection Regulation). The GDPR is a lengthy regulation, and companies are required to be compliant by 2018 or face stiff penalties. The GDPR will push some companies to the limit, especially if they are not organized and do not know what their requirements will be. One requirement is that data breaches MUST be reported within 72 hours. If you work in incident response, then you know the first 72 hours are the most important for the evidence, investigation and remediation stages. The GDPR is all about knowing what information you have in your hands that requires protection, whether in your infrastructure, cloud or even your e-commerce environments. The regulation also requires specific data security processes for certain actions, such as auditing, privacy assessments and data backups. That is all Europe. Several Asian countries have strict guidelines too when it comes to data privacy. Make sure to do your homework and partner with your legal stakeholders.
Other industries like banking and finance have other levels of privacy, as an example GLBA (Gramm-Leach-Bliley Act), which regulates data in much the same way most other privacy regulations do. On top of that, the OCC (Office of the Comptroller of the Currency) also has specific privacy protections and requirements that must be followed. You can't forget about the Federal Reserve Bank either, because they have thrown in privacy regulations too.
From a communications standpoint, let's say a telecommunications (telephone) or data (ISP) company, or even a cable company, there are specific privacy regulations that come into play here: ECPA (Electronic Communications Privacy Act) and CCPA (Cable Communications Privacy Act). Both of these regulations mandate specific policy and process for the way data, especially consumer data, can be released, handled, used, etc. Interestingly enough, ECPA is a great guideline for protecting corporate data like email access from prying eyes. For example, you're conducting an investigation that involves an employee and you need to dive deeper into that employee's mailbox. It's not like you need a subpoena at your company, BUT you should have a process in place so that you must make a formal request to the designated legal stakeholder and receive approval before proceeding. This way everyone is covered.
In the retail world, there is PCI-DSS, which governs how your payment data is protected, transmitted and handled. It is important to have risk and compliance personnel that are familiar with this guideline. On top of ensuring your organization is compliant, there is an annual compliance audit process that must be completed, typically carried out by a QSA (Qualified Security Assessor) who will visit your locations, interview stakeholders and audit your environment.
Recommendations for protecting data
- Contracts: It is a good idea to maintain a "minimum data security requirements" exhibit for all contracts with 3rd parties, including those that will be handling sensitive data (PII, PCI, PHI). These requirements reflect industry best practice for items such as encryption, DLP, auditing, storage and breach notification.
- Ensure information security / Risk and Compliance are an essential part of your project management process (PMO) and are aligned with your procurement or sourcing teams, so that any project or purchase that includes certain factors, like sensitive information or a connection to your networks, gets the needed review by the security specialists.
- Access to Sensitive Data: In certain areas of your company, like HR, there is very sensitive data that needs to be protected. In my experience, everyone and every team wants (or thinks they need) access to this data. It is important to establish a data request process where the person requesting must include the business need, approvals from their management, and how the data will be used and protected. The process should then include review by Legal, HR and InfoSec.
So, your circumstances, company locations, whether you are global or not, what industry you work in, etc., will really dictate the types of privacy regulations that govern you and your company. If you have not done so already, go make friends with your legal department and ensure you are both on the same page.
Sales Development Manager at Bromium
8y: Valuable read, Harris, and thanks for connecting!