By Cindy Provin, CEO, Thales eSecurity
Every year, new regulations and compliance orders come into play that impact businesses across the world. This year the major regulation to be implemented is the European Union’s General Data Protection Regulation (GDPR), which took effect on May 25, 2018. GDPR enables consumers to view, limit, and control how companies collect and process their personal data.
Though GDPR is getting a lot of attention, there are a number of other regulations that have been newly implemented this year, and many more that have been in place for many years. Some impact specific countries while others focus on individual industries, but each regulation is an indication that companies must be more accountable in terms of how they manage data privacy and people’s data, or they risk having to pay large fines.
In the United States alone, companies across different industries have been following regulations to comply with privacy laws. For years now, Health Insurance Portability and Accountability Act (HIPAA) has required the healthcare industry to implement technical safeguards to protect all electronic protected healthcare information (ePHI), making specific reference to encryption, access controls, encryption key management, risk management, and auditing and monitoring of ePHI information.
At the state level, New York’s Cybersecurity Regulation came into effect on February 15, which requires financial institutions to report their activity and take specific steps to protect the privacy of their customers’ data. This is designed to promote the protection of customer information as well as the information technology systems of regulated entities.
And this isn’t just happening in New York. Business Insider recently reported that “…at least 42 states introduced more than 240 bills or resolutions related to various cybersecurity issues, according to the National Conference of State Legislatures.”
Encryption is key when it comes to protecting data. Using encryption solutions companies can encrypt their data, rendering the data unintelligible in the event of a breach
In the APAC region, South Korea has had a regulation in place since 2011. As one of the world’s strictest privacy regimes, South Korea’s Personal Information Protection Act (PIPA) places many obligations on organizations in both the public and private sectors, including mandatory data breach notification to data subjects and other authorities including the Korean Communications Commission (KCC).
Australia has a privacy act from 1988 that was updated last year to now include an amendment that directs companies to disclose any breach of individual data, or face fines of up to AU$1.8 million. However, the act also states (as of last month) that if a company has technology in place that will make the leaked data meaningless to people not authorized to have it, then it is protected and the breach notification is unnecessary.
Moving to Africa, South Africa’s Protection of Personal Information (POPI) Act will be enforced later this year, and it aims to ensure that organizations operating in South Africa exercise proper care when collecting, storing, or sharing personal data. While this regulation may only cover South Africa, it is worth noting that POPI applies to any company that has information—in any databases—on anyone who’s a South African citizen.
In Europe, GDPR isn’t the only regulation impacting the region. Just last year, The UK Ministry of Defence’s (MOD) DEFCON 658 went into effect; it aims to protect the defense supply chain from cyber threats and applies to organizations that are suppliers or wish to become suppliers to the MOD on contracts that handle MOD Identifiable Information (MODII). Across the pond, the United States has had several supply chain mandates in place for quite some time.
How can your company comply with these data privacy regulations? First and foremost, ensure that you know what data your company stores and identify where it is located. Whether the data sits on a server in Germany or lives in a multi-cloud environment, data needs to be protected.
The only true way to protect data is to encrypt it. Encryption is key when it comes to protecting data. Using encryption solutions companies can encrypt their data, rendering the data unintelligible in the event of a breach. Many of the data privacy mandates state that by encrypting the data, you avoid the breach notifications requirements. This is the case with GDPR Article 34.
In addition to avoiding a costly breach notification process, this also prevents substantial reputational damage resulting from a publicized breach, as well as, protects your customers, making the data useless in the event of a breach.