The complex dynamics of compliance with privacy regulations


The sensitive data is replaced by a token or encrypted value that takes its place in the cloud-based application. The "real" data is retrieved from local storage when the token or encrypted value is retrieved from the cloud. Thus, even though the application is in the cloud, the sensitive information is neither stored in the cloud nor viewable there. It physically resides behind the firewall and can only be seen from there.
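The token-substitution flow described above can be sketched as follows. This is an added example, not code from the article or from the product it mentions; the field names, the `tok_` prefix, the in-memory vault and all function names are assumptions, and the sample record is constructed.

```python
import secrets

SENSITIVE_FIELDS = {"name", "tax_id"}  # assumed policy: fields that must stay local
TOKEN_PREFIX = "tok_"


class LocalTokenVault:
    """Stand-in for the storage behind the firewall: token <-> real value."""

    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}

    def tokenize(self, field, value):
        # Random token, so the cloud copy cannot be reversed without the vault.
        # The same value always gets the same token, so the cloud application
        # can still match and group on the field.
        key = (field, value)
        if key not in self._token_by_value:
            token = TOKEN_PREFIX + secrets.token_urlsafe(16)
            self._token_by_value[key] = token
            self._value_by_token[token] = value
        return self._token_by_value[key]

    def detokenize(self, value):
        # Unknown tokens and ordinary values pass through unchanged.
        return self._value_by_token.get(value, value)


def outbound(record, vault):
    """Swap sensitive fields for tokens before the record goes to the cloud."""
    return {k: vault.tokenize(k, v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def inbound(record, vault):
    """Restore real values in a record fetched back from the cloud."""
    return {k: vault.detokenize(v) for k, v in record.items()}


if __name__ == "__main__":
    vault = LocalTokenVault()
    record = {"name": "Jane Citizen", "tax_id": "123 456 789", "loan_amount": "250000"}  # constructed
    cloud_copy = outbound(record, vault)
    print("stored in cloud:  ", cloud_copy)
    print("seen on premises: ", inbound(cloud_copy, vault))
    print("seen elsewhere:   ", inbound(cloud_copy, LocalTokenVault()))
```

A reader without access to the local vault gets the tokens back unchanged, which is the property the paragraph relies on.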

That capability is especially useful in an international context where data residency and sovereignty requirements often specify that data needs to stay within a specific geographic area. "A loan origination company operating in Australia did not want certain fields to go to a hosting center outside the country," says Morrissey. "Australia has its own set of privacy principles, as does any country. If the data is stored in the cloud, there is the possibility that an overflow backup will go to another location, thus exposing sensitive data. With PercepSys, the data does not leave its location in Australia."

Challenges for small organizations

Small to medium-sized businesses generally do not have a dedicated compliance or privacy officer, and may be at a loss as to where to start. "Recent updates to HIPAA pushed out the privacy compliance requirement to smaller vendors," says David Lineman, president of Information Shield. "These organizations are likely to have an IT staff person wearing both the security and privacy hat." Lineman also points out that privacy compliance is not as advanced as security. "It's a more recent phenomenon, more fluid with the changes in laws and less consistent across countries," he notes.

Information Shield provides a set of best practices including a policy library with prewritten policies, detailed information on U.S. and international privacy laws, checklists and templates, as well as a discussion of the Organisation for Economic Co-operation and Development (OECD) Fair Information Principles. Those resources are aimed at companies that may not have privacy policies in place but need to do so to provide services to larger healthcare or financial services organizations.

Among the resources is a list of core privacy principles based on OECD principles. Each principle has a question, brief discussion and suggested policy. For example, the purpose specification principle states, "The purposes for which personal information is collected should be specified no later than the time of data collection, and the subsequent use should be limited to fulfilling those purposes or such others that are specified to the individuals at the time of the change of purpose." The discussion includes comments on international laws and a citation of several related rulings.

Sometimes the biggest risks in privacy compliance stem from the failure to take some basic steps. "Often when a breach occurs, it was because the company did not know where its sensitive data was stored," Lineman says. "They had not done an inventory and did not know they had PII. It's important for organizations to identify and properly classify all their data."

For the future

Business users and consumers alike have become accustomed to the efficiency and speed of digital data, and it is not going to vanish. However, more stringent regulations are inevitable. "Organizations are becoming more aware of having to prevent privacy breaches, and are making sure they have the systems in place to do this," says Deema Freij, senior VP and deputy general counsel at Intralinks, which provides secure collaboration environments. "Companies are also concerned about reputational damage, which can severely affect business. Along with reliable systems, the best way forward is to follow best practices and abide by the highest watermark with respect to data privacy. Technology is essential, but it also has to be supported by people and practices."
