Data Breach Disclosure Regulation:
Starting with California in 2004, more and more U.S. states and countries around the world require organizations to disclose instances of data loss or theft when they occur. Regulations specify which data is relevant, what volume of records constitutes a breach, what must be disclosed, within what timeframe, and to whom. The goal of these requirements is not to punish companies, but rather to protect consumers, enabling them to take swift action to limit their risk. While regulations initially focused on credit card records and other financial data, in many cases their scope has expanded to cover healthcare records and other personal data. Gone forever are the days of sweeping data breaches under the carpet.
As most of us know from reading the headlines, these public disclosures are a public relations nightmare—they embarrass the organization and delight competitors. But the impact may long outlive the news cycle, with lost brand equity, customer trust, and market share taking months or years to recover. Depending on the organization and the nature of the breach, the organization may also need to provide substantial additional services beyond notifying individuals—to re-issue credit cards or other credentials, provide insurance, counsel consumers, or even provide compensation. They may even face legal action from classes of consumers or partners.
Given that it is unrealistic to assume that all thefts or even accidental loss of sensitive data can be avoided, organizations striving to fulfill data breach disclosure obligations are challenged to:
- Understand the organization’s obligations clearly. Identifying the data breach disclosure regulations that apply to you is rarely as simple as it sounds, and even analyzing the flow of data in your organization is a challenge. New applications, staffing changes, and new procedures—even transitions to outsourced systems and cloud computing—can be frequent occurrences that might never be reported back to those responsible for compliance. Even if you do know where your data is, the landscape of breach disclosure laws is constantly shifting and varies widely by region and industry. Data that is “out of scope” in one location or timeframe may be “in scope” in another.
- Reduce the risk of data breaches in the first place. Data has a nasty habit of moving between multiple systems, crossing organizational domains, and therefore being “owned” by different security regimes. With the increased threat of insider attack and targeted malware, spotting the weak links in the paths over which data flows is quite a complex task. In the end, disclosure laws don’t care if you can secure your database, for example; they care only that you can protect your data—wherever it goes. Finally, remember that many—maybe even most—data breaches result from basic errors and accidents rather than from external attack.
- Establish systems to detect data breaches. No matter how hard you try, breaches are still going to happen; the question now becomes can you spot them when they do? Traffic analysis and activity monitoring within your corporate environment can certainly help, but when data leaves your direct control, traveling to off-site archives or external service providers, it becomes much harder to detect a breach. Notification of attacks on outsourced systems, and in particular shared systems such as cloud services, should be factored into service level agreements.
- Develop a response plan and know how to execute it. Finally, even when you do know a breach has occurred, it’s usually good to have an incidence response plan already written, Some breach disclosure requirements impose time limits on disclosure. After all, what is a consumer to do with a notification that is 6 months out of date? Determining when a breach actually happened, which data was actually lost, who might be affected, and how the information might be exploited can take considerable forensic effort that still provide only an incomplete picture. In the face of imperfect information, decision making and response management become more complex.
- Data loss or theft can result in an obligation to disclose the breach to affected consumers and the general public—causing embarrassment, reputational damage, and loss business.
- Organizations that do not disclose data breaches can incur fines and legal challenges.
- Data breaches have the potential to impact far more than your own customer relationship. The loss of passwords can have cascading effects if similar passwords are used across multiple services.
- Failure to establish a clear view of disclosure obligations can force you to adopt a “protect everything, just in case” mentality, driving up cost and limiting flexibility.
- An overly compliance-centric approach might create the opposite, “disclose everything, just in case” mentality, which again can drive up costs and internal disruption, sometimes unnecessarily.
Data Breach Disclosure Regulation: Thales e-Security Solutions
Products and services from Thales e-Security can help your organization protect regulated data to reduce the risk of breach—and therefore the need for disclosure. Many data breach disclosure laws include a “safe harbor” that enables organizations to avoid public disclosure if the data that was compromised is not in readable form and is therefore of no use to an attacker or to anyone else who might inadvertently get access to that data. The argument is that if the data is useless then there is no need to inform the person whose data was lost. Organizations have a number of ways to render data unreadable, such as encryption, tokenization, masking and hashing; while they all have advantages, encryption is the approach most commonly referenced directly by the legislation. As a result, data breach disclosure laws are frequently an important factor considered when an organization defines its data encryption strategy.
Thales offers a range of products and solutions to support a diverse array of encryption strategies. Proven products in the Datacryptor family of network encryption platforms protect data in motion; nShield and payShield hardware security modules (HSMs) offer security hardening for a wide range of business applications and critical infrastructure. Thales also focuses on the protection of stored data because the theft of storage media or attacks on storage systems such as databases can yield large volumes of sensitive data.
Although encryption provides an extra layer of protection and can significantly reduce or even remove the need to disclose, it does raise important operational questions about key management. The value of any form of encryption is directly related to the security and integrity of key management processes. Failure to ensure the availability of encryption keys creates serious risks to business continuity. Quite literally, if you lose the keys, you will lose the data.
Whether you are deploying dedicated encryption platforms, storage devices with embedded encryption capabilities, software encryption solutions, or writing your own encryption applications, you can rely on Thales to help you establish high levels of assurance and security.
- Exploit encryption to reduce the scope and impact of data breach disclosure laws.
- Take advantage of native encryption capabilities within commercial storage and database systems.
- Establish centralized key management systems and policies to span multiple encryption activities.
- Employ high assurance and security-certified key management techniques to simplify compliance and forensic activities and to assist in incidence response.
- Build confidence that deployment of compliance-driven encryption technologies does not risk overall business continuity.