
Data Security: Privacy Laws and Compliance

Government and business security policy is not yet sufficiently prepared to calculate the risks associated with the loss of sensitive data. A significant share of security budgets is allocated to keeping, for example, Internet hackers at bay, while businesses neglect the threat to data at rest on mobile devices that reside outside the security perimeter. In today's business environment, information security is at even greater risk with the increasing popularity of mobile devices (e.g., laptops, handhelds and removable storage media) and the ease with which they can be transported anywhere, carrying all sorts of sensitive information. An astounding number of high-profile data breaches have occurred recently and continue to occur, and they come at a time when public and legal authorities expect even more accountability from organizations that hold private data.

More than 150 million data records of US residents have been exposed through security breaches since January 2005.[1]

In recent years, governments around the globe have implemented new data protection rules, regulations and privacy laws to facilitate protection of digital and computerized personal information. In 2003, with the unfortunate rise in the number of cases of identity theft, the state of California took the proactive step of enacting California SB 1386, which requires that anybody who maintains computerized data that includes personal information owned by another must inform any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Since then, 34 states have passed similar legislation.

To go a step further, a number of such national and international laws are forcing companies to take data security more seriously by imposing strict penalties, including public announcements, financial penalties and imprisonment, on those who are non-compliant. Accordingly, security experts have identified data encryption as the most effective means to mitigate data loss or breach and, in turn, to comply with the litany of regulations.

TJX Co., the parent company of T.J. Maxx and other retailers, recently announced in a Securities and Exchange Commission filing that more than 45 million credit and debit card numbers had been stolen from its IT systems. Information contained in the filing reveals a company that had taken some measures over the past few years to protect customer data through obfuscation and encryption. But TJX didn't apply these policies uniformly across its IT systems and as a result still has no idea of the extent of the damage caused by the data breach.[2]

Should Encryption Be a Choice?

On June 23, 2006, OMB M-06-16 raised the bar for securing laptops and other mobile computing devices across the federal government. In that memorandum, Office of Management and Budget Deputy Director for Management Clay Johnson III officially recommended that all departments and agencies encrypt all data on "mobile computers/devices" that is not explicitly determined to be non-sensitive. Previously, per NIST SP 800-53, only data that was determined to be "high impact," as defined in FIPS 199, and deemed to be in transit needed to be encrypted.

In other words, in response to the rash of incidents of personal information being lost or breached in the last year, the standard for encrypting data held by federal departments and agencies was changed from "encrypt the really sensitive stuff" to "encrypt everything unless you can prove it isn't sensitive."

Although no one likes to make defensive product selections, today's compliance environment demands that we consider not only how to do the right thing, but also how to prove we did the right thing. Simply protecting information is no longer enough for an information security program or professional. In the wake of major incidents at the VA, the Census Bureau, Agriculture and many others, information security must proactively demonstrate that the protection is in place and be able to definitively prove it after the fact.

A recent audit of the IRS found that 490 computers had been stolen or lost since 2003, jeopardizing the personal information of more than 2,000 taxpayers. The audit discovered that the lost laptops lacked adequate password controls and the encryption software that would protect taxpayer information and other data. The computers were lost in 387 incidents, 76% of which were not reported to IRS security personnel.[3]
