A Country in Crisis: Data Privacy in the US

March 4, 2020 at 4:17 pm by Heidi White

In 2019, the United States held the world record for the highest average cost per data breach at $8.19 million (IBM Security and Ponemon Institute, 2019), and healthcare data breaches affected 80% more people than they had just two years prior, in 2017 (Statista, 2020). In today’s data-driven environment, it seems not a day goes by without news of a data breach or leak. Data privacy in the US is a growing problem caused primarily by the exponential increase in digital data, the trend of moving data storage to the cloud, and the lack of a federal data privacy regulation.

Over the past several years, digital data has been increasing at an unprecedented rate. To put it into perspective, in 2019 the overall global population increased by just over 1% to 7.7 billion, while the number of unique mobile phone users increased by 2% to 5.8 billion. In addition, the number of internet users increased by 9% to 4.4 billion, which is 57% of the global population (Hootsuite & We Are Social, 2019). As global urbanization continues, the sheer number of people using data in their day-to-day lives will continue to grow. Combine personal use with the fact that nearly all businesses have a website and run their organizations using computers, and it becomes clear that the use of data will only continue to increase in the coming years. All of this data, which moves across continents in seconds, needs to be stored and managed somewhere. This exponential increase in the use of digital data has required an equally aggressive increase in data storage capabilities.

As digital data increases, so does the trend of moving data storage to the cloud. Often misunderstood, the cloud is not some mystical Cumulus floating in the sky with ones and zeros suspended in it. Rather, the cloud is nothing more than large data centers that house racks and racks of servers and drives that run 24/7. These constantly moving parts create an immense amount of heat, so data centers use massive cooling mechanisms to keep the temperature down. Understandably, data centers therefore use an enormous amount of energy, making operation fairly expensive. While larger businesses previously owned their own data centers or used in-house data storage, there has been a rapid shift to cloud service providers over the past five years. From 2017 to 2019, the number of cloud service data centers rose from 7,500 to 9,100, and 2020 is expected to see that number top 10,000. On the flip side, there were 35,900 data centers owned by non-technology firms in 2018, and that number is expected to decline significantly to 28,500 by the end of 2020. In fact, the share of large companies in North America shifting away from their own data centers to cloud service providers is expected to increase from 10% in 2017 to 80% by 2022 (Loten, A. 2019). The move to cloud service providers is further evidenced by the increasing number of mergers and acquisitions in the cloud service sector. But how does this affect data privacy? It puts the onus of maintaining data privacy into the hands of technology giants rather than individual organizations, which know that a breach could literally destroy their businesses. As data increases exponentially and its storage shifts inexorably to the cloud, concerns over data security and privacy escalate in parallel, leading to much-needed data privacy legislation.

In 2018, the European Union (EU) implemented the General Data Protection Regulation (GDPR) in an effort to protect the privacy of European consumers. And while Canada had implemented the similar Personal Information Protection and Electronic Documents Act (PIPEDA) in 2000, GDPR proved to be far more aggressive legislation, both in terms of reach and monetary penalty. GDPR requires that all organizations that do business with EU citizens adhere to the legislation, meaning that global organizations such as Apple, Facebook, and Google, as well as smaller US companies that sell to Europeans, are required to follow GDPR. Since its inception in May of 2018, GDPR has levied hundreds of millions of Euros in fines and is only getting more aggressive with enforcement; however, GDPR only affects organizations that have dealings with EU citizens. Conversely, the United States has fallen behind in data privacy legislation, leaving the onus of maintaining data privacy to individual states. As of February 2020, only California, Nevada, and Maine have implemented data privacy legislation, with only the California Consumer Privacy Act (CCPA) requiring deletion of personal data if requested, similar to GDPR (Noordyke, M. 2020). Considering that well over half of all global data breaches occur in the United States and, as previously discussed, those breaches are increasing due to the exponential increase in global data, the lack of a federal data privacy law is concerning. Unlike their European counterparts, Americans are largely left to their own devices when it comes to data privacy and have little recourse when a breach occurs. In fact, one of the largest breaches of 2012 occurred at major online retailer Zappos, affecting 24 million customers. In 2019, the agreed-upon settlement to a class action lawsuit provided reparation to the affected individuals in the form of a 10% Zappos discount code that was only good through 31 December 2019. Needless to say, a 10% discount code (which actually helps Zappos rather than punishing them) in exchange for breached personal data hardly seems equitable (Doe, D. 2019). Until the United States takes federal data privacy as seriously as its European and Canadian counterparts, the privacy and security of American citizens will continue to erode.

Data privacy and security is a serious and growing global issue, even more so in the United States, where the bulk of data breaches occur. As more and more people embrace technology, the need for data storage increases, driving the need for larger and faster data centers. Additionally, the dramatic shift from on-premises to cloud storage only exacerbates the problem of data privacy by relying on technology giants to protect organizations’ consumer data. Breaches will only escalate in line with our digital footprint; of that there is no question. Without a federal data privacy law, the privacy of American citizens’ data will continue to be at serious risk. And 10% off a pair of shoes simply isn’t the answer.


Heidi White is Director of Marketing at SEM and is a self-proclaimed data security fanatic. Contact Heidi at h.white@semshred.com.


References

IBM Security and Ponemon Institute (2019). Cost of a Data Breach Report. Retrieved from https://www.ibm.com/security/data-breach

Statista (2020). Number of U.S. residents affected by health data breaches from 2014 to 2019. Retrieved from https://www.statista.com/statistics/798564/number-of-us-residents-affected-by-data-breaches/

Hootsuite & We Are Social (2019). Digital 2019 Global Digital Overview. Retrieved from https://datareportal.com/reports/digital-2019-global-digital-overview

Loten, A. (2019, August 19). Data-Center Market Is Booming Amid Shift to Cloud. Wall Street Journal. Retrieved from https://www.wsj.com/articles/data-center-market-is-booming-amid-shift-to-cloud-11566252481

Noordyke, M. (2020). US State Comprehensive Privacy Law Comparison. Retrieved from https://iapp.org/resources/article/state-comparison-table/

Doe, D. (2019, October 18). Zappos data breach settlement: users get 10% store discount, lawyers get $1.6m. Retrieved from https://www.databreaches.net/zappos-data-breach-settlement-users-get-10-store-discount-lawyers-get-1-6m/

Data Security Regulation Compliance: Challenges and Solutions

July 1, 2019 at 8:28 pm by Paul Falcone

GDPR. GLBA. FACTA. These are just a few of the recent onslaught of acronyms that have risen to govern federal and state privacy and data security regulations for businesses and organizations. Some are truly new, while others have been established for quite some time and are only now getting more attention. Indeed, consumer privacy laws and protocols have been the focus of society’s conversation at large for the last two years. And this global conversation is only just getting started.

If you’re just joining in on the discussion, or even if you’re not and you want a quick refresher, continue reading for a quick overview of the most important national and international data security regulations currently in effect.

The Top 8 Data Security Regulations

HIPAA Privacy & Security Rules

Providers, professionals, and clearinghouses (hereafter referred to as covered entities) in the healthcare industry that are covered under HIPAA must also adhere to specific security regulations for all Protected Health Information (PHI) that the organization collects.

The HIPAA Privacy Rule requires the covered entity to implement appropriate physical (e.g., facility access and control; workstation and device security), technical (e.g., access control; audit controls; integrity controls; transmission security), and administrative (e.g., security management process; security personnel; information access management; workforce training; policy and procedure evaluation) safeguards for PHI to avoid prohibited as well as incidental use and disclosure of the PHI data. See 45 CFR 164.530(c). In addition, the HIPAA Security Rule requires the covered entity to set policies and procedures for the disposal of electronic PHI (ePHI). As part of this mandatory safeguard process, covered entities must also train their workforce members on the disposal policies and procedures they have put in place and must enforce those policies. See 45 CFR 164.310(d)(2)(i). These rules hold especially true for the disposal of PHI and require the covered entity not only to destroy the ePHI and the hardware or electronic media on which it is stored, but also to properly dispose of the ePHI data on the media before that media is made ready for reuse. Failure to adhere to the HIPAA Security and Privacy Rules could result in the unlawful release of PHI and, consequently, the potential for identity theft, employment discrimination, or even harm to the individual’s reputation. Moreover, the covered entity can face serious penalties for noncompliance.

FACTA

The Fair and Accurate Credit Transactions Act (FACTA) is an addendum to the Fair Credit Reporting Act (FCRA) and covers creditors, accountants, lawyers, financial institutions, and other organizations dealing with consumer credit information. FACTA limits how consumer information can be shared as well as controls how this private data is disposed of, to ensure protection of the individual to whom the information pertains from identity theft.

When it comes to the proper disposal of consumer information, FACTA stipulates that the organization must take reasonable measures to prevent the theft or otherwise unauthorized access and use of the protected data. The Rule mandates that said data be destroyed by pulverizing, shredding, or burning all papers on which the consumer information is printed, rendering the information unreadable and unable to be reconstructed in any manner. FACTA disposal policies also extend to the electronic media housing the protected consumer information.

Organizations under FACTA may also need to incorporate their data disposal policies into the organization’s information security program as required by the Federal Trade Commission’s Standards for Safeguarding Customer Information, 16 CFR part 314 (the “Safeguards Rule”), which applies to persons subject to the Gramm-Leach-Bliley Act.

GLBA

The Gramm-Leach-Bliley Act (GLBA) of 1999 mandates that financial institutions and any other companies that offer financial products to consumers such as loans, financial or investment advice, and insurance must have safeguards to protect their customers’ sensitive data and must also disclose in full their information-sharing practices and data security policies to their customers.

Check-cashing businesses, payday lenders, real estate appraisers, professional tax preparers, courier services, mortgage brokers, and nonbank lenders are examples of businesses that don’t necessarily fall under the “financial institution” category yet are included in the GLBA. Because these organizations are significantly involved in providing financial products and services, they have access to personally identifiable and sensitive data like social security numbers, phone numbers, addresses, bank and credit card numbers, and income and credit histories.

GLBA-covered organizations must develop a written information security plan that details the policies put in place at the organization to protect customer information. The security measures must be appropriate to the size of the business and the complexity of the data collected. Moreover, each company must designate an employee or a group of personnel to coordinate and enforce its security measures. Lastly, the organization must continually evaluate the effectiveness of its developed security measures, identifying and assessing risks to improve upon the policy and measures taken as needed.

FISMA

To ensure the protection of proprietary United States data within government agencies and affiliated organizations, legislation to regulate proper data and information security management was passed as part of the Electronic Government Act of 2002. Called the Federal Information Security Management Act (FISMA), this law focuses on the importance of data security as it relates to the economic and national security interests of the US. As such, FISMA stipulates that all US government agencies, government contractors, and any organization that exchanges data directly with a government system must safeguard all of their information technology (IT) systems, including stored data, by developing, documenting, and implementing an information security program.

In 2014, this law was amended as the Federal Information Security Modernization Act (FISMA 2014) to bolster the authority of the Department of Homeland Security (DHS) to administer, implement, and provide technical assistance with information security policies for civilian (non-national security) federal Executive Branch systems. FISMA 2014 also updated and clarified the oversight authority of the Office of Management and Budget (OMB) and its ability to eliminate inefficient and wasteful reporting by any organization under FISMA. It also sanctions DHS’ role in assisting OMB with this responsibility.

The purpose of FISMA is to protect government information, assets, and operations against natural threats and criminal activity, whether from within the US or outside. Therefore, any US organization directly related to or doing business with the US government, including federal- and state-level government agencies and contractors, state government departments, military subcontractors, and even data clearinghouses, falls under FISMA regulations.

Failure to pass a FISMA inspection by DHS or OMB can result in unfavorable publicity for the organization and an IT budget cut, as well as significant administrative ramifications for the organization. However, failure to comply with FISMA, especially when it comes to breach avoidance and proper data destruction, can have far more serious consequences. Should any private, secured federal data be compromised and the organization be found noncompliant, there are serious civil and criminal federal consequences.

GDPR

While a security regulation of the EU, the General Data Protection Regulation (GDPR) of 2016 is applicable to those US-based organizations that do business internationally. GDPR effectively puts the customer ahead of the business, ruling that all private data is owned by the customer and not by the business that collected it.

GDPR ensures the protection and privacy of consumer data as it is handled, stored, disclosed, and disposed of by the organization that holds it. Following GDPR requires obtaining consumer consent before collecting any data; providing consumers, on request, with a full report on what data has been collected and how it is used, as well as a copy of the data itself; and the immediate and proper destruction of data if the consumer requests that it be deleted. The organization must also have proper security controls in place for safeguarding consumer data and must designate someone within the company to oversee and manage these compliance policies, including for data disposal.


An organization under GDPR that is found to be noncompliant is subject to a fine equaling two to four percent of its global annual revenue for the most recent fiscal year (on average, calculated at as much as $11-24 million).

PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal privacy law for the handling of personal information by all federally regulated organizations as well as private-sector commercial organizations, regardless of the industry.

Like GDPR, PIPEDA requires that organizations covered by the law first obtain a consumer’s permission and consent before collecting, using, disclosing, and/or storing any personally identifiable information (PII). In addition, PIPEDA mandates that the information obtained can only be used for the purpose for which it was originally collected; otherwise the organization needs to obtain renewed consent from the consumer for the change in use. Moreover, consumers have the right to access their stored personal information as well as the right to challenge its accuracy. (The only organizations exempt from PIPEDA are those that are already subject to the similar private-sector privacy laws of the provinces of Alberta, British Columbia, and Quebec.) Canadian-based organizations that handle PII crossing provincial or national borders are also subject to PIPEDA compliance.

SOX

Also referred to as the “Corporate and Auditing Accountability and Responsibility Act” or the “Public Company Accounting Reform and Investor Protection Act,” the Sarbanes-Oxley (SOX) Act of 2002 addresses the standards by which the management and board of directors of any US-domestic public company handle the financial information and financial reporting of the organization. The SOX Act also extends to public accounting firms as well as to other companies that do business with publicly traded companies, even if said company is not itself a publicly traded entity.

The SOX Act is made up of two main clauses. Under Section 404, Management Assessment of Internal Controls, Clause A requires the Commission to prescribe rules requiring each annual report filed under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report. This internal control report must include information and policies on how management establishes and maintains an adequate structure for internal control as it pertains to the financial reporting of the company. Clause A also requires an annual assessment of the effectiveness of the internal control policies and financial reporting procedures at the end of each fiscal year.

Clause B expands on the regulations for internal control evaluation and reporting, adding a requirement that the registered public accounting firm issuing the audit report attest to, and report on, the management assessment described in Clause A. That is, the public accounting firm is also held liable for the accuracy of the information reported about the management of the stated financial information in the internal control report.

Maintaining compliance with the SOX Act therefore means ensuring all financial information and reporting that pertains to the organization is kept secure and protected from unauthorized personnel and possible theft.

PCI DSS

The Payment Card Industry (PCI) Data Security Standard (DSS) protects consumer cardholder data by helping to alleviate the vulnerabilities experienced by credit card merchants for payment card transactions and processing systems.

PCI DSS mandates that the credit-processing merchant organization adhere to the following three steps:

    • Assessment: analyzing the organization’s IT assets and payment card processing protocols to identify any vulnerabilities with regard to the storage of cardholder data.
    • Remediation: fixing all identified vulnerabilities, and ensuring that cardholder data is not stored unless it is needed by the business.
    • Reporting: compiling records to validate any remediation actions and submitting all compliance reports to the bank and card brands with which the organization does business.

These DSS rules apply to all entities globally that store, process, and/or transmit cardholder data, and include guidance for software developers and manufacturers of applications and devices used in those transactions.

A Standard for Compliance

Depending on the type of business you manage or own, your organization may be subject to one or more of these data security and privacy laws. Rather than create separate sets of rules and policies for each, which could increase overhead and personnel costs, not to mention cause unnecessary protocol confusion and training needs, it would behoove your business to develop one data security protocol that covers all applicable regulations.

Data Disposal Best Practices

This one-size-fits-all mindset is especially cost-effective when it comes to the data destruction policies under the various laws and regulations.

No matter which regulation your organization follows, it’s recommended that you first create a private space within your organization to house a data and/or drive destruction machine rather than work off-site with a third party at their establishment. You should also create a limited group of personnel with the sole authorization to oversee all data security compliance processes as they pertain to the destruction of data that has reached end-of-life.

Furthermore, when it comes to the end-of-life cycle, both the data and the device on which the data is housed must be destroyed via shredding, degaussing, disintegrating, incinerating, melting, or pulverizing machinery so that neither device nor data can be read or otherwise reconstructed. It may also behoove your organization to keep an audit record of all data destruction events to prove your company’s compliance if a breach at this level does occur.

To ensure these procedures remain as cost-effective as possible, you’ll want to choose a third-party vendor like SEM that offers both documentation software, like the iWitness, and NIST- and NSA-approved data destruction machinery that you can purchase and keep at your organization.

The Poorly Stitched Patchwork of US Data Security Policy

May 9, 2019 at 5:24 pm by Paul Falcone

Every few months it seems like we have a new data breach that exposes hundreds of thousands – if not millions – of individuals’ personal and private data. From the Equifax leak in 2017, to Yahoo in 2013, to Marriott in 2018, customers are losing faith in companies to properly handle their private data. In fact, as of 2017, over 64 percent of Americans had personally experienced a data breach, and with the latest leaks over the last two years, it’s fairly safe to assume that the number has grown even higher.

As the rest of the world continues to move towards singular, comprehensive, and consumer-focused data protection plans, the United States continues to fail to pass any meaningful legislation. This lack of forward movement, coupled with the fact that U.S. citizens are more concerned about their data than ever, has led individual states to take the responsibility onto themselves. The problem, however, is that this only creates more headaches for both consumers and companies as a whole.

So what laws are in place right now?

Right now, instead of a unified regulation for personally identifiable information (PII), individual industries are given their own regulations. The healthcare industry and the credit card industry are two examples of this, governed by HIPAA (Health Insurance Portability and Accountability Act) and PCI-DSS (Payment Card Industry Data Security Standard), respectively. While having some sort of regulation can provide clarity for companies and more transparency for citizens, the truth is that states can pass their own regulations within these industries, making how a single company must respond a state-by-state question. Confusing, right?

To fix this, some states, like California, have decided to try to lay the groundwork for a more uniform, consumer-focused approach. The California Consumer Privacy Act (CCPA), which was passed in 2018, goes into effect January 1, 2020 and looks a lot like Europe’s General Data Protection Regulation (GDPR), which went into effect in 2018. The Act, which would affect any company that does business with customers who are citizens of California, would provide the following protections to consumers:

    • A consumer must be notified of what personal information is being collected, how it is collected, and whether it will be disclosed or sold.
    • Consumers must have the right to easily opt out of having their personal information sold.
    • Consumers must be informed that they have the right to have their personal information deleted. The process to do so must be easy and straightforward.
    • A consumer exercising these new rights cannot be discriminated against as a customer for opting out of any data sharing or for having their information deleted.

This is a good start not only for consumers in California, but across the U.S. As stated above, this Act would affect any company that does business with consumers in California, meaning that companies that exist in other states but still sell to California will be affected.

Other states, including Colorado and New York, have also passed their own state laws. In Colorado, the Protection for Consumer Data Privacy Act was passed in September 2018, while in New York the Stop Hacks and Improve Electronic Data Security Act was first introduced in 2017. In fact, 35 U.S. states currently have some form of data privacy and disposal regulation in place. And all of these regulations vary from the California Act, which makes it even more difficult for companies to comply with them when doing business across state lines.


So why isn’t this happening at the federal level yet? There seems to be bipartisan support, with bills being submitted from both sides of the aisle, but progress has been slow. As these data breaches continue to happen, policy at the federal level will have to step in sooner or later. Over the last year, five separate bills have been drafted and submitted to Congress with varying takes on the government’s role in regulation. The bills include the following:

    • The Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act by Richard Blumenthal (D) and Ed Markey (D).
    • The Social Media and Consumer Rights Act of 2018 introduced by Amy Klobuchar (D) and John Kennedy (D).
    • The Consumer Data Protection Act introduced by Ron Wyden (D).
    • The Data Care Act introduced by Brian Schatz (D).
    • The American Data Dissemination Act (ADD) introduced by Marco Rubio (R).

Each of these bills looks at the issues of data security from a different point of view and takes a different position on the role of government, how much access a consumer should have, and what the consequences for responsible parties should be in the event of infractions.

The CONSENT Act by Blumenthal and Markey was proposed in April of 2018 and looks to have the Federal Trade Commission (FTC) draft a set of federal rules around suggested guidelines. These guidelines would require consumers to opt in to having their data collected and used, as opposed to having to opt out, as so many companies require now. The Act also suggests that consumers who opted in would have the right to know how their data was used and to whom it was going. It would also prohibit companies from refusing service to consumers who refuse to share their data.

The Social Media and Consumer Rights Act of 2018 was introduced in April of 2018, just two days after the CONSENT Act. The Act was drafted by Klobuchar and Kennedy and shared many ideas with the CONSENT Act. This Act aimed to make companies’ data collection more transparent and to give consumers both the ability to opt out of data collection and the ability to view what data has been collected. Another key point was that in the event of a data breach, all affected parties must be notified within 72 hours of detection. The FTC would be the governing body, and individual states’ attorneys general would handle civil enforcement.

The Consumer Data Protection Act by Wyden was introduced in late fall 2018 and carries a lot of the same ideas as the previous two. The Act suggests that consumers have the right to opt out of, instead of opting in to, data collection, and that companies be more transparent about how the data is used. He also suggests that the FTC be provided with increased funding to be able to properly oversee these new regulations. However, the big difference in Senator Wyden’s Act comes from the penalties companies would face.

In the Act, Wyden suggests that any company that has revenue exceeding one billion dollars or warehouses data on over 50 million customers must submit an “annual data protection report” to the government detailing the steps the company took that year to protect customer data. The catch is that if there is any misinformation or attempt to willingly mislead the FTC, there can be a five million dollar fine and up to 20 years in prison for executives. The severity of the penalties makes it a strong contrast to the two acts that came before it.

Next was Brian Schatz’s Data Care Act, which was proposed on December 12, 2018 and builds on all the bills proposed before it. The Act calls for companies to be more secure in handling their consumers’ data and states that consumers must be notified in the event of a data breach. The FTC would be given the power to penalize companies that misuse consumer data, as well as to hold them responsible for all information that originated within the company and was given to third parties. The Data Care Act broke down its mission into these bullet points:

    • Duty of Care – Must reasonably secure individual identifying data and promptly inform users of data breaches that involve sensitive information.
    • Duty of Loyalty – May not use individual identifying data in ways that harm users.
    • Duty of Confidentiality – Must ensure that the duties of care and loyalty extend to third parties when disclosing, selling, or sharing individual identifying data.
    • Federal and State Enforcement – A violation of the duties will be treated as a violation of an FTC rule with fine authority. States may also bring civil enforcement actions, but the FTC can intervene.
    • Rulemaking Authority – FTC is granted rulemaking authority to implement the Act.

The Data Care Act had the largest following, with 14 other members of Congress co-sponsoring the proposal.

Rubio’s American Data Dissemination Act takes a different angle. Proposed in February 2019 with no co-sponsors, his bill suggests that the FTC itself draft the rules, like the CONSENT and Data Care Acts, and send them to Congress for approval. It is stated that the FTC would seek to create rules for the “tech giants” while exempting smaller companies from the same rules, allowing them a chance to be competitive within their industries. The Act would prioritize consumer welfare over corporate welfare and would preempt state law, meaning that it would supersede the state laws being drafted and implemented in individual states. Unlike the previous proposals, Rubio’s was more open to the FTC drafting the ruleset, with fewer suggestions beforehand from him directly.

So where are we now?

While none of these proposals has gained much traction, they serve as a spark that spreads into a conversation among consumers, politicians, and companies alike. The fact that these proposals keep coming shows that it’s not a matter of if, but a matter of when, the U.S. will have a federal data privacy policy.

Around the world, Europe, Japan, and Canada are all taking uniform approaches that keep data security laws consistent across their jurisdictions. This makes the guidelines easy for companies to follow and easy for consumers to understand. In Europe, GDPR has launched with expanded consumer rights, and companies are already being penalized for failing to comply. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) went into effect November 1, 2018, further protecting the personal information of its citizens and holding companies responsible for breaches. In Japan, a Personal Information Protection Commission was created to enforce a regulation aligned with GDPR’s new guidelines.

Soon the U.S. will have to follow suit, and it will make everyone’s data safer in the process. But it’s not hard to make something safer than the poorly stitched-together patchwork of policies we have in place now, a patchwork where we’re one data breach crisis away from it all ripping apart.

Security Engineered Machinery is the Global Leader in High Security Information End-of-Life Solutions. 


The Impact of GDPR on US Companies and Organizations

March 28, 2019 at 4:59 pm by Heidi White

With GDPR (General Data Protection Regulation) in effect for almost a year now, even US-based companies are feeling its impact and the need to comply with stricter data security policies. Indeed, it likely won’t be long before the US creates its own set of national data privacy laws that all organizations will have to follow. In 2018, leading US-based technology companies called on the federal government to pass a law similar to GDPR, and in February of this year, the US Government Accountability Office made the same recommendation.

For those organizations that do business internationally, the European security mandate must be adhered to as if it were already a rule from the US federal government. If you don’t, the cost could be catastrophic.


The Criticality of Following GDPR

Not complying means subjecting your organization to a fine equaling two to four percent of your global annual revenue for the most recent fiscal year (on average, calculated at as much as $11-24 million). But it’s not enough to simply ensure your current privacy policies comply with GDPR. Breaches happen even to those US organizations whose existing practices meet the compliance requirements.

You should instead look at the bigger picture and take a thoughtful approach to your data security measures using GDPR as your guide. For one, the GDPR looks at data differently and holds that all private data is owned by the customer, not the business that collected it. For another, just because you’ve protected the data from breaches within the US doesn’t mean your global company’s data couldn’t be improperly accessed outside the country.

Using GDPR to improve all your data-related policies can help you to find any gaps in your current security that could be closed, especially as it relates to data destruction and hard drive end-of-life practices. By putting the customer first over your business, as GDPR stipulates, you can better ensure the protection of personal and otherwise private information when it is no longer necessary to your business.


Think about your customer data and how it is stored. If you’re using a cloud system (as almost all of us are), your data isn’t housed in just one data center but in many, and that data is duplicated across multiple drives to protect against data loss if a drive fails. For businesses operating outside the US, that means the data centers housing the private information you are charged with protecting are not just within the US, but across the globe. Your data destruction policies therefore must address practices for drive end-of-life—something that happens on a regular basis, since these drives operate 24 hours a day, seven days a week, all year long.

Even if you don’t house your data across global centers, but you do business with EU customers who share their private information with your company, your business still has access to their data and therefore you must protect it, even upon disposal. More importantly, under the GDPR, any EU citizen has the right to request their information be eradicated and you must comply and delete the data while maintaining protection even after disposal.

So, how do you ensure your data disposal policies comply with GDPR for drives as well as for customers halfway across the world?

GDPR-Compliant Data and Drive Destruction Best Practices

GDPR requires your organization to place someone within the company in charge of overseeing and managing the compliance policies. Dubbed the Data Protection Officer, this person will be your key authority on data disposal and drive destruction as it relates to the GDPR. Along with this person, you’ll want to create a small group of personnel also within the US that will have the authority to access your company’s data.


At the very least, your Data Protection Officer should be on-site for drive destruction that occurs outside the US, such as if a drive in one of the data centers where your data is housed reaches end-of-life. It is crucial to have this person on-site to ensure your GDPR-compliant data and drive destruction policies are being followed. For one, this ensures control over who is accessing your data. For another, without this person present, you are blindly trusting that your data and drives have been properly disposed of, and that the person carrying out the disposal is not lying to you when they tell you the proper practices have been completed. What if this person, who reported to you that the data was properly destroyed, instead sold that data to a third party in another country or to a cybercriminal on the dark web? Sure, you can take legal action against this person after the breach has come to light. But the fallout from the breach itself can’t be stopped once it’s begun.

It’s therefore extremely important to require your Data Protection Officer or someone within your authorized personnel group to be on-site for outside-US data and drive destruction, and that this person must provide an audit report for the data and drive destruction event.

For drive destruction within the US, your Data Protection Officer and authorized personnel should manage the disposal process from start to finish. It’s recommended that you create a private space within your organization to house a data and/or drive destruction machine, rather than work with a third party off-site. We have data destruction machinery that is compliant with GDPR stipulations. It may also behoove your organization to keep an audit record of the disposal to prove your company’s compliance with GDPR in the event a breach does occur.

Hard drive shredders are the most efficient and secure method of destroying rotational hard drives.

Weighing the True Costs of Data Breaches

We already mentioned the massive fine that will be issued by the GDPR Supervisory Authorities to an organization under GDPR that is found to be noncompliant when a breach occurs. Then there’s the typical range of costs associated with data breaches, including legal fees for any counsel or action taken by the company in its defense, civil and criminal penalties under US federal regulations and, of course, potential lawsuit payouts. Factor in the non-financial costs to your business, such as a loss of reputation and integrity along with a loss in your customer base, and you’re looking at a total cost to your organization that could severely impact its existence.

The irony is that by planning for the worst and investing in a team as well as the necessary on-site data destruction machinery, you can save your company’s standing as well as its revenue. Operating under GDPR rules includes making sure your company has the proper data and drive disposal methods that are deemed GDPR-compliant. SEM has plenty of affordable options, and when all things are considered in the aftermath of a breach, this technology provides protection at a fraction of the price it would cost if you were to experience a breach.

Is Your Data Disposal Plan GDPR-Ready?

November 21, 2018 at 3:29 pm by Heidi White

With GDPR just around the corner, data security has been enjoying some much-needed time in the limelight. Never before has there been such a hyper-focus on the protection of sensitive data, particularly confidential and personally identifiable information (PII) such as healthcare records, personal data, financial information, and legal records. While data privacy conversations have more traditionally revolved around identity theft issues, the new GDPR regulation prioritizes the fiduciary responsibility for all sensitive and personal information.

Savvy organizations began planning and implementing their GDPR compliance programs months ago. Because of the numerous ways in which GDPR mandates data privacy across all storage media and within all facets of an organization, a comprehensive compliance program requires a well-researched, detailed approach with multi-departmental buy-in and execution.

For example, it is obvious that a healthcare provider possesses sensitive patient data in the form of medical records. What is not so obvious is the number of other places where a patient’s PII may reside. The scheduling department keeps PII such as address and birthdate, the billing department has financial and insurance information, and the marketing department may possess email and browsing data for patient communications. And let’s not forget the backup servers. Personal data is literally everywhere.

Safeguarding sensitive data throughout an organization is critical, and many organizations are well aware of the need for firewalls, passwords, physical security measures, encryption, and employee training. What may be more of a need and challenge for some organizations is GDPR’s Article 17 Right to Erasure, also known as the “right to be forgotten.” While it is not absolute, the basic premise of Article 17 is that an individual’s request to have their data removed must be honored within 30 days. In some instances, the request is not realistic. For example, banks must retain records for a minimum of seven years, so deleting the data would be in direct conflict with an existing legal mandate. However, Article 17 states that individuals have the right to have their personal data erased without undue delay if the data is no longer necessary for the purpose for which it was originally processed or collected, and this applies in a large number of cases involving consumer transactions.

Consumer transactions typically include the storage of personal information such as address, phone, and payment information. While large organizations may have their own servers and storage solutions and are therefore more easily able to purge a consumer’s data from their systems, the thousands of smaller organizations typically rely on outside vendors and cloud storage providers to manage their data. Data stored in the cloud is actually housed in data centers, where data is duplicated across multiple drives to create redundancies that help mitigate data loss when drives fail — and drives DO fail on a very regular basis. After all, these drives are running 24 hours a day, seven days a week, year-round, so their life expectancy is understandably rather short. When a drive fails, the data it contains is still for the most part intact. Therefore, a comprehensive data disposition program should always include drive destruction so that personal data is not compromised at end-of-life. But end-of-life is only part of the problem. Smaller organizations and others who outsource their data storage must confirm with their providers that their data removal policy is GDPR compliant, and must include policies and procedures for the Right to Erasure in their GDPR programs.

GDPR is a broad and encompassing regulation that is actually long overdue. While implementing a GDPR program is proving to be more challenging than organizations may have originally thought, particularly with regard to Article 17 and the Right to Erasure, the safeguarding of data and the diligent focus on data privacy have been positive results of GDPR. In a time where data breaches and identity theft are increasing exponentially, the implementation of a means by which to protect our privacy and security is most welcome.