As we continue through our dedicated #Infosec13 series, my blog this week turns to the topic of data protection legislation and what the implications are for you.
As the volume of breaches increases and national governments impose hefty fines, the pressure to protect the integrity and confidentiality of mission-critical information has never been greater. However, it’s not just the fear of financial penalties that’s putting the organisations I speak with under pressure, it’s the changing nature of the laws and regulations surrounding data protection.
One thing I’ve noticed of late is a stronger focus on encryption for personal information – not only of laptops and storage media, but also databases, unstructured data, the cloud and application data. In many jurisdictions, encryption technologies are a mandatory legal requirement and it’s likely that we’ll see the law becoming more prescriptive on embracing encryption technologies.
Legislation under the microscope
With the long list of regulations potentially affecting your enterprise, it’s impossible to go through every requirement in a blog post (for a run-down of the legal obligations for encryption of personal data in Europe and Asia check out the Field Fisher Waterhouse whitepaper on the subject). Given this, what follows is a limited selection of the more pertinent regulations I believe might affect any company doing business in Europe in the future:
- European Data Protection Directive and pending regulation – plans are afoot to reform this 1995 directive, with an expected implementation date of 2015. The exact details of the pending regulation are not final, but it’s expected to harmonise European legislation so that the same rules apply to all businesses providing services to EU residents. The Data Protection Regulation is expected to include data breach exclusions if the data has been rendered unintelligible (in other words, encrypted!).
- Data protection in the cloud – 2012 saw the UK Information Commissioner’s Office publish guidelines that underline organisations’ sole responsibility for data protection, even if it has been outsourced to third-party cloud network providers. The guidelines include tips for businesses, including securing assurances from cloud service providers on how the data will be kept safe, as well as suggesting written contracts between the involved parties. Suffice to say that how data is managed in the cloud should be a key consideration for every organisation.
- European cybersecurity strategy – the European Commission recently announced new proposals that include a requirement for EU member states to appoint an independent Computer Emergency Response Team (CERT) and for each to create a national authority to whom companies must report data breaches. This body would be responsible for deciding whether to make the breaches public and whether to fine companies. The intention of these proposals is to consolidate various cyber-crime strategies and should be a welcome move in bringing this issue to the fore.
- Payment Card Initiative Data Security Standard (PCI DSS) 3.0 – in October 2013 the PCI DSS will be updated. This regulation covers the processing of data relating to electronic payments. Details on the changes are set to be announced throughout 2013. That said, the PCI Security Standards Council (PCI SSC) released a new guidelines supplement earlier this year to advise organisations on how best to meet the compliance mandate. Watch this space for further developments on what we can expect from the new iteration of this regulation
- Data processing – the European Article 29 Working Party (Art. 29 WP) recently announced a reform to the way personal data is processed outside of the European Economic Area (EEA). The recent change enables 'data processors' to put in place 'binding corporate rules' (BCRs) that commit those organisations to certain data security and privacy standards relating to their processing operations. Previously only organisations primarily responsible for individuals' personal data – ‘data controllers’ – were able to put in place BCRs. This move to implement stronger controls over the management of data should be welcomed as we seek to bolster data security efforts on an international scale.
My advice...
We’ve all seen enough news to know what can happen if you don’t get your compliance right and you fall foul of data protection legislation. As an organisation, you don’t want to be airing your dirty linen in public – risking your brand reputation, incurring financial penalties and creating customer churn.
Laws are going to keep evolving, and the challenge is how to keep up – particularly if you operate on a global scale! As the custodians of your customers’ data, you must place security controls around sensitive data, as this ultimately is the target of cyber attacks. In the face of today’s penalties and sanctions for security negligence, the encryption of sensitive data is no longer optional; it’s an absolute necessity.
As a company, you must ensure that any security solution implemented is transparent, gives your customers and partners the reassurance that their information is safeguarded appropriately, and ultimately, keeps the auditors at bay. It’s a tall order, but I’ve seen enough customers do it well enough to know that it’s achievable.
We’ll be talking about this issue more during Infosecurity in April, so do pop over to our Infosec13 stand to discuss your data security in the context of the changing legislative landscape.
Paul Ayers is Vormetric’s VP EMEA.