It is 2019 . . . Do You Know Where Your Data Is?
We are living in a rapidly changing world (trite, I know) where companies have to focus on data privacy and security for a variety of reasons. Consumers and constituents are concerned about the safety and privacy of personal and financial information. In this era of “sharing” and posting of private information, consumers and constituents have broad and reasonable expectations concerning their personal and financial information.
Companies have to anticipate and respond to these concerns. Cyber-attacks and breaches have raised the risk profile for every company. Companies can experience serious harm from poor data management and security practices. Just look at the headlines over the last five years of data breaches and harm to major global companies.
The reputational damage to these offending companies is one thing, but the collateral consequences are significant as well – companies that fail to protect consumer data are subject to class actions and to state and federal enforcement actions, including potential securities disclosure issues.
As an initial step to addressing data security and cyber risks, companies have to answer some basic questions:
- What types of data do we store?
- Where is the data located?
- How is the data protected?
These are basic questions. You would be surprised, however, how many companies cannot answer them. Companies have difficulty defining what kinds of data they store. Every company interacts with customers, vendors, suppliers and essential parties. The interesting issues surround other types of relationships – internal research and development, clinical trials for pharmaceutical and medical device companies, and an infinite number of business interactions with a variety of parties. Identifying all of these interactions and understanding the data and how it is stored are essential to the risk and security process.
Companies are migrating a lot of data to the cloud – which means server farms maintained by well-established “tech” companies. At the same time, data is being generated outside the company through interactions with third parties who have their own data privacy and security practices.
It is clear that in time the old configuration of data being stored on information systems on company premises will be eclipsed by data stored in the cloud, data held by third parties (who may be using the cloud as well), and data generated outside company premises by Internet of Things (IoT) technologies.
The location of a company’s data can have broad implications for applicable regulatory requirements. If data is maintained in the United States, a specific state may regulate such data; different countries regulate data under different regimes. Monitoring of, and sensitivity to, these issues is an important aspect of a company’s information governance.
Wherever the data is stored, companies have to focus on keeping the data secure and designing storage strategies to avert potential disasters through storage redundancy. Maintaining service when a disaster or cyber-attack strikes can be critical to protecting the company.
If a company relies on cloud-based security and high-tech support, physical security arrangements for data centers are important, as well as data security and technology protections. If a cloud-based service is used, such centers have to be certified in accordance with international standards and have to include basic protections such as:
- DDoS protection systems;
- Encryption at rest (automatic encryption under the Advanced Encryption Standard);
- Tokenization security solutions to protect data across a variety of environments (enterprise, cloud, mobile);
- Web and email security encryption;
- Maintenance of encrypted SSL/TLS channels; and
- Compliance with applicable legal and regulatory requirements.
These are basic elements of a data security system. Depending on risks and operations, this list should be modified, particularly for companies that rely on consumer payment systems.
One thing that may be overlooked is that when a company decides to store data on the cloud, the data privacy rules of the country where the server is physically located apply. I have seen cases where a company could not access its own data pertaining to staff, as the country of data residence had strict DP controls and required additional authority from the staff member; this may be difficult to obtain when the data is required for an investigation. So: data owner be aware! The ‘cloud’ is a concept only and the physical country of storage is important to know and its DP laws important to understand.