November 2017 saw one of Australia’s biggest ever data breaches, in which sensitive personal information regarding almost 50,000 consumers and 5,000 public servants was exposed online. Around the same time, US fashion retailer Forever 21 admitted that hackers had collected customers’ credit card information from its stores’ point of sale terminals over much of 2017, and the information of nearly 1.2 billion Indian citizens was reported to have been made publicly available when the country’s national ID database was breached.
One thing all of these incidents have in common is how accessible the leaked information was after the breaches themselves occurred, something that could have been avoided had the data been encrypted.
In my last post, I wrote about how much of the data being generated by an organisation’s digital transformation isn’t necessarily secure, and that businesses must find ways of protecting that data throughout its lifecycle.
Government regulations such as the EU General Data Protection Regulation (GDPR), South Africa’s Protection of Personal Information (PoPI) Act, and the Data Privacy Act in the Philippines, are all aimed at protecting the privacy of consumer information, and all share a common need for businesses to ensure the data they hold isn’t breached or leaked.
Such a regulation , the Privacy Amendment (Notifiable Data Breaches) Act 2017, was passed by the Australian Senate as an amendment to Australia’s Privacy Act from 1988, and says that a company should disclose any breach of individual data, or face fines of up to AU$1.8 million.
Effective from February 2018, the Act also states that if the company has technology in place that will make the leaked data meaningless to people not authorised to have it, then it is protected and the breach notification is unnecessary.
Here then, as with the breaches mentioned above, we can see the importance of an “encrypt everything” strategy, as referred to in my previous post.
Using Vormetric Transparent Encryption from Thales, for example, organisations are able to encrypt all of their data and protect it, ensuring that, even if it is leaked, it’s impossible for anyone to make sense of it without the proper permissions. Vormetric Data Security Manager (DSM) would offer further protection by ensuring that a separation of duties and granular controls were in place around these permissions, and around the keys that generate the encryption in the first instance.
Around the world, regardless of location, compliance with government data privacy regulations fundamentally comes down to protecting citizen data, and with these provisions in place, any data relating to victims of breaches would be rendered worthless.
By enabling encryption, separation of duties, and the use of intelligence logs to identify where a leak may have occurred, find out how Thales can help you become fit for compliance, wherever your business is based.