A common misconception is that IT teams can manually compile a list of sensitive data
Investors and shareholders until today, have evaluated a company’s financial health majorly by assessing its financial statement, but that’s soon to change. The Research conducted by BT and Amarch reveals that the future will see financial statements allocating a separate segment on the company’s data management and security capabilities. This segment will hold as much significance as revenue or net profits to investors and shareholders. The importance of data has only increased in the recent past. How many organizations, do you think, will be able to make a strong case with their data management and security capabilities to their investors?
Almost all companies across the world have access to some kind of personal data today. Data, among the other things, carries a competitive advantage that can further a company’s position in the industry. This significance of the data makes it imperative for organizations to protect it and manage its use and access.
Being optimistic is often considered a good virtue. But, inculcating the ‘It won’t happen to me’ attitude when it comes to data security can cost you and your organization dearly. With the emergence of stringent data compliance regulations such as GDPR, CCPA, etc., organizations now have no choice but to comply with appropriate regulations, failing which they are heavily penalized and end up losing their brand value in the market.
Implications of regulatory non-compliance and precautionary measures:
-How can compliance with data regulations save you from financial losses?
Regulatory non-compliance can leave a huge dent in the corporate wallet. One such instance which pushed an organization to file for bankruptcy protection was the infamous American Medical Collection Agency (AMCA) data breach. AMCA in 2019, was subject to a major data breach that compromised the personal information of almost 20 million U.S. citizens. Following this disastrous breach, multiple class-action lawsuits were filed on the company and its client organizations that forced AMCA to file for bankruptcy protection.
According to a report by IBM, on average, a company loses a whopping USD 3.9 billion due to a data breach. The report also identified that a company loses ~$148 per compromised data record. Reputational damage and delay in services are an add-on. Given such heavy losses that companies have to bear as an aftermath of a data breach, compliance to data regulations is vital and takes a significant place in the broader data security strategy.
When Mariott was hit by a data breach in 2018, more than millions of the hospitality giant’s customers’ personal data, such as credit card numbers, passport numbers, etc. were compromised. This major attack cost the company around $120 million in GDPR fines alone.
Damage to the corporate wallet is often a huge consequence that follows a data breach. Financial losses, apart from the non-compliance fee, also encompass the expenses that go into rebranding your company, decreased share values, compensating affected customers and clients, etc. Compliance with data regulations is one of the ways to avoid huge penalties that burn a hole in your organization’s finances. Rapid implementation of security measures post a data breach can also prove expensive for the company.
-How can security compliances build consumer confidence?
Two data breaches back to back delayed the acquisition of Yahoo by Verizon in 2017. Verizon was contemplating either backing out of the agreement or pushing for a lower price upon the disclosure of the breaches.
Data breaches are often accompanied by damage to the company’s image. When a company’s database is hacked, its customers lose trust and terminate their association with the company. Rebuilding trust right from the scratch can be an extremely time-consuming and costly affair. The results of a survey by Thales Group indicated that the largest percentage of surveyees, i.e. 37%, would opt for the products or services of a hacked company only if they were left with no other options.
A robust data governance framework can increase your customer’s trust and loyalty in your products and services as they know that their data is not being abused.
-How can regulatory compliance speed up customer service?
Regulatory non-compliance at healthcare facilities has been tied to an uptick in fatal heart attacks, according to a 2019 study by the Health Services Research.
When Campbell County Health at Wyoming suffered a ransomware attack, the patients admitted to the facility were transferred to the nearest hospital that was almost 70 miles away. The facility took 17 days to recover from the attack and was compelled to postpone critical surgeries during the recovery period.
Victims have to be immediately notified in case of a data breach so that they can take immediate remedial actions.
This extensive notification process can have a huge impact on the company’s ongoing operations leading to delay in services to its customers.
-How does regulatory compliance promote effective data management?
Data discovery is the foundation for an effective data governance program. Unless an organization is aware of the sensitive information that it holds, it will not be successful at demonstrating compliance. Through the process of sensitive data discovery, the organization also reduces the amount of redundant data that it holds and restructures its data storage capabilities to reflect a better data organization system.
This process also saves money for the organization as it gets rid of unnecessary data and saves space for actionable information that can be used to promote better customer engagement.
-How does data compliance ease Subject Rights Request Management (SRRM)?
As discussed above, data compliance also promotes better data organization and processing. Through the course of building an efficient compliance program, an organization refines its data infrastructure and retains only the data that matters.
When customers exercise their right to opt-out, erasure, or any other right that falls under SRRM, an organization with proper regulatory compliance will be able to efficiently meet such requests in an accelerated time frame. When organizations are armed with a thorough knowledge of the sensitive data that they hold, they can handle SRRM with the utmost ease.
-How can compliance protect your organization against insider threats?
Data breaches may not necessarily be caused by external threats alone. Employees of a company may also abuse their privileges fueled by a variety of motives.
Compliance with data regulations comes as a robust solution to such insider threats. When an organization complies with appropriate regulations, its internal data security measures are scrutinized. In this process, the company takes a deeper look at its critical databases and secures them by restricting and monitoring access to prevent insider threats.
How to achieve compliance?
Compliance with any data regulation starts with sensitive data discovery. Only when a company identifies its critical databases will it be able to classify and secure the sensitive data and document its compliance.
Data Discovery and Classification:
A company’s data landscape may contain several hidden or unused locations that may contain confidential data which when compromised may cause severe repercussions. A manual data discovery process, while possible, can be extremely time-consuming and far-less efficient than an automated discovery process that scans databases in real-time.
It is important that a company follows its data discovery process with a thorough classification mechanism. This process of data classification assigns a tag to the identified sensitive data according to its level of sensitivity. Sensitive data is classified by automated data classification tools into four groups- Restricted, Confidential, Internal, and Public. This enables the company to employ security measures according to the group that the particular data belongs to.
Achieving holistic compliance with data regulation can be challenging, expensive, and time-consuming when done entirely in-house. It would require upskilling your employee base and/or hiring experienced employees who can support such an activity. Instead, organizations can explore third-party vendors who can offer you the appropriate skillset and technical abilities to accelerate your data compliance efforts.
What should you look for in an automated data compliance cum security solution?
-Does it monitor access patterns? Since your sensitive databases carry the highest significance, it is best to restrict access to a few chosen employees alone. An automated data classification system should be able to monitor access patterns and requests 24/7 and alert the user in case of an access violation or a deviation in the pattern.
Companies can opt for AI-centric data security solutions that study access patterns and instantly notify users upon any deviation. This can enable companies to proactively identify insider data threats and stop them from turning into full-blown data breaches.
-Does it accelerate your data compliance efforts? Regulations such as CCPA, HIPAA, GDPR, etc. require that you are aware of the following:
-Where is the sensitive data located in your organization’s landscape?
-Who has access to it?
-If and how is it being altered? etc.
An effective data security solution should scan through your entire data landscape to discover all the databases that contain sensitive information. This lays the groundwork for a successful compliance program. The next step in this effort is data classification. An automated data classifier can notify you which data falls under the ‘restricted’ and ‘confidential’ categories so that you can secure them and move further ahead in your journey to achieve compliance.
-Does your solution provider offer compliance with a variety of data regulations? While there are vendors who sell solutions that cater to one particular data regulation, it is recommended to opt for providers who can cater to any number of evolving data regulations. They can serve as one-stop-shops for your regulatory needs.
-Does it offer encryption technology? Data Masking techniques, such as encryption, can serve as efficient remediation measures to secure sensitive databases. These techniques minimize the exposure of sensitive data by rendering them indecipherable.
Data privacy regulations such as CCPA and GDPR regulate how data should be stored and handled in organizations.
-1798.150 under CCPA states-
Any consumer whose non encrypted or non redacted personal information as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
- (A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
- (B) Injunctive or declaratory relief.
- (C) Any other relief the court deems proper.
Data masking techniques can effectively help your business avoid such penalties by encrypting or redacting your clients’ and customers’ sensitive data.
-Article 32 under GDPR states that organizations that store/access sensitive data should take appropriate measures to ensure the security of the data through methods such as pseudonymization, encryption, etc.-
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
In conclusion, if your business stores, uses, or manages personal data, compliance with appropriate data regulations is a must. An effective data compliance solution is an integral part of your broader data security strategy. This increases your customers’ trust in your business and shields your business from data hackers, data threats, and the severe aftermaths.
As already mentioned, while an in-house compliance program is possible, integrating with a compliance solution provider can ease up the complexities involved in the process and accelerate your compliance efforts.