This is the first article of a three part series for data security and data privacy. In the first article, we discuss the similarities and differences of data security and data privacy.
In this digitized world, businesses rely on data for daily operations. This requires every organization, irrespective of its size, to comply with the myriad of data security and privacy laws.
Technology and data increase an organization’s profitability and efficiency, but also create potentially disruptive security risks. Hackers’ advanced techniques make data protection and security a top priority. However, how information is protected and how information is used are two different pieces of the puzzle. Keeping sensitive data secure does not mean one is automatically in compliance with data privacy regulations. Data security protects data from external attackers and malicious insiders, whereas data privacy relates to how data should be handled based on its legal classification, such as those found in Regulation P: Gramm-Leach-Bliley Act or HIPAA. To put the pieces of this puzzle together, let’s dig deeper into the similarities and differences.
What is Data Security?
Data is a vital asset for every organization and should be safeguarded. A data breach jeopardizes your reputation, opens the door to serious legal and regulatory consequences and results in significant costs. As a result of data security incidents, several regulations have been enacted to set standards on how an organization’s data is to be protected. One recent example is the New York Cybersecurity Regulations. This regulation from the New York Department of Financial Services requires most financial institutions in the state to assess their cybersecurity risk and develop a program commensurate with that risk. Although this regulation is limited to New York financial institutions, other industries such as insurance and securities use it as an example to develop their own set of data security regulations. Other states such as Massachusetts have enacted data protection laws that apply to all industries. In addition, Arizona, Delaware and Colorado have followed suit and developed data security laws.
When sensitive data finds itself in the wrong hands, a domino effect ensues. Data breaches have lasting harmful effects on an entity. For example, a data breach at a government agency can expose highly confidential information to an enemy state. A breach at a hospital or doctor’s office divulges a patient’s personal information. Financial organizations are likely to be impacted more severely than others due to their customer-facing resources. As a result, the costs become more significant when cybersecurity incidents damage brand loyalty and trust, leading to customer churn. Upholding customer trust and protecting member data requires dedicating the resources needed to implement data security procedures and controls.
What is Data Privacy?
A sound data protection program extends beyond the protection of non-public information of customers, patients and employees. In addition to protecting the data one receives from its customers, an organization may be required to develop policies and procedures on the use of that information. Just like you cannot have data security without data privacy, you cannot have data privacy without data security.
Just as with data security laws, governments are implementing privacy laws that give an individual some power over how their personal information is used by the entities they engage with. The General Data Protection Regulation (GDPR) was one of the first regulations to set standards on how entities can use customer information, in addition to general cybersecurity requirements and strict notification requirements. Penalties for noncompliance are severe.
California soon followed suit with its enactment of the California Consumer Privacy Act (CCPA), which is set to go into effect on January 1, 2020. Like GDPR, the regulation gives consumers a say in which of their personal information is collected and how it is used. The individual is also able to request that their information be deleted from an organization’s systems once any relationship is completed.
Although the CCPA applies to residents of California only, other states will be watching its effectiveness. California was one of the first states to enact a data breach notification law, and now all states have similar laws. If past is prologue, laws similar to the CCPA may be enacted in all states. Or, it may serve as a template for a federal privacy law. Several bills have been introduced in Congress, but none have been signed into law yet.
Organizations should gauge their level of security not only in terms of patches installed, incidents responded to, or incident management, but also by assessing the labor-intensive ongoing processes they rely on to prevent security and privacy risks.
Managing data security and data privacy risks
How your organization collects, uses, stores, discloses and disposes of non-public personal information calls for a robust risk management program that complies with both data protection laws and data security laws. These controls may include, but are not limited to, encryption, passwords, authentication protocols, disaster recovery, intrusion detection and physical security. New technologies and modern methodologies, such as blockchain and systems integrated with artificial intelligence, also drive the need for data security and privacy programs.
Organizations should train and educate their employees on data protection policies and procedures on a routine basis. Organizations will not only have to demonstrate that proper security and privacy controls are in place, but also ensure that the critical risks identified in connection with data security and data privacy are mitigated.
The stakes have never been greater, and WolfPAC’s Data Security and Privacy risk assessments work together to increase efficiency and accuracy by allowing you to identify the data security and privacy risks and control gaps within your organization. The full-spectrum visibility and shared intelligence offered through WolfPAC Data Security and Privacy enable you to adapt to ever-changing threats and regulations and allow you to strengthen security controls across your organization.
Stay tuned for the next article in the series.