Data Privacy is a Business Responsibility
Most people have an inherent expectation of privacy and the protection of their personal information is extremely important to them. In an odd contrast, consumers routinely provide detailed personal and financial information to companies, in order to partake in the many convenient and necessary opportunities for shopping, utilities, banking, and mobile device applications, which today’s super-connected world provides. Consumers freely provide their private and personal information to these companies with an expectation that it will be protected for disclosure or misuse. In fact, this large amount of personal data, which companies ingest to conduct business, does become the company’s responsibility to protect.
Cyberattacks, such as ransomware, intrusions, and malware, are persistent threats and companies and individuals are targeted continuously. A breach to a company’s data, which results in the disclosure of personal information, is not only embarrassing and problematic to the company brand, it can also likely result in stiff criminal and civil liabilities and penalties for failing to provide adequate protections against such attacks and data loss.
The company must take specific steps to protect the privacy of employees and clients. Personally Identifiable Information, or PII, that may be collected for security purposes or for account data, must be protected in accordance with state, federal, and international laws and regulations that apply to their businesses.
3 Common Security Mistakes Organizations Make
There are many legalities in place today with the intention of protecting citizens and consumer personal information. There are laws and regulations in place to protect private information and that require organizations to properly secure their data against a breach. Whether your company is looking to protect against corporate espionage, insider threat or hackers looking to steal personal information, it is important you have a full understanding of data privacy, how they apply to your organization, and that you are actively addressing them.
Having a clear understanding of all required and applicable regulatory laws and regulations allows a company to plan and prepare documented policies and implement procedures that will ensure all compliance laws are being met by the organization. The legal team and leadership of an organization must be prepared to keep apprised of recent litigation and new legislation that could have an effect on company policies and procedures.
A few of most important laws regarding privacy include:
Privacy Act of 1974, governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies. Companies must maintain account and tax information on employees for payroll and personnel management purposes. This includes SSNs, addresses, phone numbers, next of kin, and other personal data.
HIPAA. The Federal Health Insurance Portability and Accountability Act (HIPAA) of 1996, requires specific processes and technical mitigations to be in place protect individually identifiable Protected Health Information (PHI) that is held or transferred electronically. HIPAA has two primary rules. The Privacy Rule, which established standards for PHI, and the Security Rule, which operationalizes the Privacy Rule, by establishing a national set of security standards and addressing technical and administrative protections and mitigations to protect individuals’ PHI. In 2009, the HITECH Act provided additional requirements to address privacy and security concerns associated with electronic transmission of health information, which the intention of strengthening the civil and criminal enforcement of the HIPAA rules.
GLBA. For financial institutions, the U.S. Federal Gramm-Leach Bliley Act (GLBA) requires that those companies disclose, to customers, how they protect and share their customer’s data. Additionally, GLBA requires the financial institutions inform customers of their right to opt-out of any data sharing.
GDPR. For the European Union (EU), and any company with partnerships, vendors, or customers that deal with the EU, the compliance rules of the General Data Protection Regulation (GDPR) must also be followed.
CCPA. California’s Consumer Privacy Act (CCPA) is one of the newest, and broadest, laws to go into effect in the U.S. Taking effect in January of 2020, the CCPA is meant to protect the privacy and personal information of California residents and consumers. CCPA applies to California residents and any for-profit business that does business in the state of California, whether that business resides in California or not. If you collect personal information on California residents, such as may happen with online businesses, this law likely applies to you. The law, in essence, provides the people of California the right to make decisions on how their data is used, shared, or stored. CCPA has many similarities to the EU’s GDPR, including the right to opt-out of any sharing of personal data. Companies that are already under compliance requirements under HIPAA or GLBA are exempt from CCPA requirements.
The proper and thorough risk management must be in place and company security and privacy policies should be in place that address risk mitigation controls and meet any legal obligations or compliance regulations. The company must comply to protect against lawsuits, customer complaints, public relations nightmares, and loss of customer trust. All of these could have a detrimental effect on the profitability, or survivability, of the company.
Additionally, technical, and physical control policies should be put in place to protect data at rest and in transit while in the custody of the organization.
The company must assure that any policy, plan, or procedure is written and implemented in accordance with and designed to maintain compliance with federal, state, and regulatory laws and policies.
A data breach will cause significant damage to the company’s reputation. The trust of company employees, consumers, and partner organizations are in jeopardy. This loss of trust is the reason that 60% of small and medium-sized companies lose their business after a breach that results in the loss of data.
Your company has a responsibility to safeguard customer data, including personal information, just as it does other company data, such as proprietary information and trade secrets. A company’s data, next to its employees, is the organization’s most essential asset. This means that you must protect the data of your employees, your customers, your partners, vendors, and all contacts for which your company does business and that is in your care.
Data Security and Data Privacy.
Data security is focused on the technical processes and tools that IT professionals employ to prevent, deter, or mitigate against cybercriminals and their attempts to access company data and capture a company’s sensitive information. Some of the data that must be protected may be PII, PHI or privacy related, such as credit cards, addresses, phone numbers, social security numbers, or account information.
Data privacy, a subset of data security, is more of a legal and compliance term, describing the laws, regulations and policies that are applied to ensure the proper handling, storing, transmission and use of personal data and to avoid unauthorized disclosure. Data privacy also means that any individual, who has provided personal information to a company, retains control over their own information.
What can a company do to ensure data privacy?
Data privacy can be accomplished through the implementation of policies and processes that are designed to protect the privacy of data. A company’s data privacy policy and the procedures that are followed are designed to govern the proper collection, storage and use of personal information that the company processes.
To ensure data privacy is maintained, the responsible company will create clear policy that outlines its commitment to privacy protection. This commitment might also be a key line item in the company’s ethics codes. A privacy policy should also include the authorities, laws, and regulations that apply to the organization, and the roles and responsibilities of those that are tasked with the processes and procedures related to privacy and data protection.
Privacy protection should be included in initial and annual cybersecurity awareness training for all employees, to ensure that all understand the importance of data privacy in the company. Privacy policy training will reinforce how everyone can help to protect private information and how to handle any potential breaches or privacy concerns.
A company’s overall privacy policy will also drive the IT staff’s guidelines, processes, and procedures that document, in technical detail, how sensitive and personal data is obtained, how it is stored, and how the company uses it. Most importantly, company Privacy policy must provide technical details for how the company protects the data that is collected, stored, transmitted, and processed.
If appropriate protections, such as identity management, device management, data loss prevention, or multi-factor authentication, are not implemented, you run the likely risk of a data breach.
At The Penn Group, we can help small companies and organizations with cybersecurity concerns and solutions, such as policy development, risk assessments, privacy protection, security monitoring, workforce training, testing, and incident response. We will break down complex cybersecurity and compliance topics to help your company build a culture of security and privacy in your organization.
Written by Douglas Stewart – MSIT, CISSP, CEH, PMP
Original Artwork by Douglas Stewart
