Data Privacy in the Age of Regulations
2019-12-18
This year was a big year for data breaches, new privacy laws and crackdowns under existing regulations. British Airways faces a £183m fine after hackers stole credit card details from nearly 400,000 customers. Many other big names were hit too. Facebook. Equifax. Twitter. Marriott. Google. They’ve all been hacked.
The reason? Sometimes the cause was outdated security systems; other times it was the mistaken belief that big corporations can only fall victim to Mission Impossible-style spy operations.
The fact is that most companies are susceptible to attacks, and the attacks don’t have to be very sophisticated in order to work. With the tools now commonly available, hackers with only basic skills can defeat even the most expensive security measures. So it’s no longer a question of “if I’m attacked” but “when”.
The world is changing, your network is changing and hackers are on a winning streak. But enterprises can limit the effects of these attacks through awareness and preparation.
To provide guidance on what businesses should be doing to protect themselves and their customers from data theft, several compliance mandates have sprung up in recent years. Compliance with these standards includes strict cybersecurity measures, software and sometimes hardware requirements, together with regular vulnerability testing, storage policies, access management, data breach notification, installation of security patches and more.
It would be impossible to cover all privacy regulations here, but let’s look at some of the important ones below. These include PCI DSS, GDPR, CCPA, HIPAA, ECPA, CDSA and NERC CIP. This may sound a bit like alphabet soup, but if you manage an enterprise or you are responsible for its IT security, at least one of these regulations probably applies to you.
The Personal Data Protection Bill, 2018 (DPAI)
This Act may be called the Personal Data Protection Act, 2018 (INDIA).
It seeks to protect the privacy of personal data, regulate the processing of "sensitive" and "critical" personal data and establish a Data Protection Authority of India (DPAI) to oversee regulation.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements created by the major credit card companies to protect both consumers and businesses from credit card fraud.
GDPR
The General Data Protection Regulation (GDPR), which is an especially hot topic these days, was created about 3 years ago but implemented just last year in an attempt to reform data protection for European consumers.
CCPA
Signed into law two years ago, and going into effect New Year’s Day, the California Consumer Privacy Act (CCPA) is California’s answer to the GDPR. But the bill, meant to protect consumer data, will likely spread to the rest of the United States due to the impact it will have on California’s many nation-wide industries.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was created to protect health insurance coverage in the event of a job loss or change as well as health data privacy, integrity and availability.
Non-compliance can cost businesses $100 to $50,000 per violation (or per record), with penalties of up to $1.5 million per year and imprisonment in severe cases.
ECPA
The Electronic Communications Privacy Act (ECPA) was passed in 1986 in an effort to protect citizens from unnecessary surveillance and data theft by law enforcement and the government. It has since been extended by many related provisions, including the Wiretap Act, the Stored Communications Act, the Pen Register Act, the USA Patriot Act and the Email Privacy Act.
Businesses that do not honour these protections are subject to fines of up to $500,000, and those held responsible for non-compliance may face lawsuits and imprisonment.
CDSA
The Content Delivery and Security Association (CDSA) was founded in 1970 as a non-profit to protect entertainment, software and information content. Earlier this year, the CDSA updated its guidelines to include TV and film cybersecurity.
It’s unclear what penalties will be incurred if productions, or individuals working on them, are found to be non-compliant, but these standards are a great step for an evolving industry that suddenly finds itself facing the same types of threats as software companies.
NERC CIP
The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) is a set of security standards meant to protect electronic systems from cyber threats.
Summary
Data privacy and protection regulations give businesses checklists for managing the risks from both known and unknown vulnerabilities, and a way to demonstrate that they conform with the regulations. The end goal is security improvement and awareness.
Most businesses will be attacked, but if you comply with these data privacy standards and perform regular security testing, you can protect your business and your customers from data loss. You can then rest assured, even in the event of an attack, knowing you did everything you could to protect your business from fines, legal action and reputational damage.