The job of protecting sensitive data often falls into the hands of IT security administrators and their teams because of their technical expertise. We feel data protection is everyone's responsibility, because every employee has a vested interest in maintaining their organization's good reputation with customers and partners.
We have compiled questions from discussions over the years with customers and prospects to help people understand the basics of data privacy and why the responsibility for maintaining data integrity goes beyond the IT department. In addition to this list, we have produced a podcast with more information - download it here.
1. What constitutes personal information that we have to protect and how do businesses protect this information?
The first things people think of are credit card or social security numbers. However, other pieces of information are equally important. Think about the things your bank asks you when you call them to talk about your account. Can you verify your phone number? The last four digits of your social security number? Your birthdate? Your mother's maiden name? Each of these pieces of information can be used to commit fraud.
The bank uses that information to identify you, and a fraudster will use the same information to impersonate you. The technical term for this kind of information is Personally Identifiable Information, or PII.
Businesses can protect data with a few different techniques involving third-party software solutions and implementing internal policies around who has access to data.
Vendor solutions can provide the ability to control who has access to data inside the company and prevent potential hackers from gaining access to your network. Companies can also use vendor solutions to encrypt their data. Encryption is a process that takes sensitive information and runs it through a scrambling process. Once encrypted, your data can only be deciphered with a special key. The data is useless to anyone who steals it unless they also have the key.
2. We’ve been hearing a lot about encryption and key management. How do they relate to each other?
They go together; they are complementary technologies. In addition to the raw credit card number, the other essential input to the encryption process is the secret key. Without the key, no one can read the encrypted data. Many people think that the encryption algorithm itself is a secret mechanism, but that’s not the case. Encryption is well understood; there are standards for it and they’re readily available. The secret that prevents malicious users from stealing data is the encryption key.
At home, the key to your front door is what protects you. Companies that use encryption have to create a key that is unique and strong, and then protect it to ensure it doesn’t get into the wild. Anyone who has the key can get the data. In the real world of protecting data with encryption, the encryption key is what users must take care to protect.
3. What happens when the encryption is not done correctly?
There are many ways that encryption can be done incorrectly or poorly. We see that particularly in the area of encryption key management. One big mistake many people make is storing an encryption key on the same platform where the data are stored. Sometimes you hear the term integrated key management to describe this practice. Even if you lock down the database, keeping the key on the same partition as your data leaves it readily accessible to anyone who gets into that system and can then attempt to crack it.
Other examples are using nonstandard or proprietary encryption. A company buying encryption technology should vet its vendors carefully. NIST-certified encryption is the best assurance that a solution meets your compliance requirements.
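As an added illustration of the two points above (the key, not the algorithm, is the secret; and the key must not sit beside the data), here is a small Go program that is not from the original post or any vendor product. It uses the standard library's AES-256-GCM; the Record type, the key ID and the sample card number are constructed for the example, and the key is assumed to be fetched from a separate key manager by its ID.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is everything the data platform stores: ciphertext, nonce and a key ID. The key itself never sits here.
type Record struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// newGCM builds AES-GCM from a raw key (32 bytes selects AES-256).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under key with a fresh nonce; the key ID is authenticated so a record cannot be relabelled.
func Encrypt(keyID string, key, plaintext []byte) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is guaranteed not to fail since Go 1.24
	return Record{keyID, nonce, gcm.Seal(nil, nonce, plaintext, []byte(keyID))}, nil
}

// Decrypt reverses Encrypt; a wrong key or a tampered record fails GCM's tag check and returns an error, not garbage.
func Decrypt(rec Record, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.KeyID))
}
func main() {
	key := make([]byte, 32) // in practice fetched from the key manager by KeyID (assumption)
	rand.Read(key)
	rec, _ := Encrypt("card-key-01", key, []byte("4111111111111111")) // constructed test PAN
	_, err := Decrypt(rec, make([]byte, 32)) // someone holding the stored record but not the key
	fmt.Println("decrypt without the key:", err)
}
```

The stored record carries only a key identifier, so a copy of the database alone yields nothing; the attacker still has to obtain the key from wherever it is kept.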
4. Are there any laws or regulations requiring businesses to protect their sensitive data?
Yes, there are quite a few, and many companies find themselves complying with multiple regulations. If you take credit cards, you fall under the Payment Card Industry standard. That’s a private regulation promoted by the credit card brands such as Visa and Mastercard. If you’re a bank or engaged in the banking industry, you fall under the Gramm-Leach-Bliley Act and FFIEC regulations for protecting data. In the health care industry, you fall under the HIPAA/HITECH acts. FERPA is the regulatory environment around educational institutions.
Individual states have passed data privacy regulations that define data breaches and the penalties for them. And the federal government is moving laws through Congress to define protections for personal information. There are quite a number of regulations that define the data that needs to be protected.
5. How would my organization develop a data security policy?
It’s a real challenge, especially if you’re starting for the first time; it’s easy to feel overwhelmed when hearing about data breaches on a daily basis. Keep it simple to start. There are some things you can do that are very effective up front. Rank where the vulnerabilities are. Here are just a few to help get you started:
Here’s another interesting thing: if you have a problem, it’s going to be your problem, not the vendor’s problem. It’s going to be your headache, your upset customers, and your financial loss. So pay attention to your encryption solution!
Something that inhibits people from taking action is thinking they are not subject to a data breach. That’s a dangerous attitude. We've been saying it for years because it's true - Data Gets Out. Encrypt it!