8 Data Compliance Considerations You Can't Afford to Overlook

Data-first businesses are showing they will outperform their competitors in nearly every kind of market. These days, storing and analyzing data about your business and customers is basically table stakes: you need it to play. But with the power inherent in data comes great responsibility, and that means data compliance.

Data compliance is essential because it protects you from non-compliance fines and helps prevent data breaches and loss of reputation and trust. In this article, we’ll start by defining data compliance and cover the basics of what it entails. Then, we’ll dive into top data compliance considerations, so whatever business you’re in, you can be well-prepared to be an excellent steward of the data in your trust.

What is data compliance?

Data compliance is the combination of practices and policies a business enacts to ensure they store, track, analyze, and delete data in keeping with all applicable regulations.

If you store any kind of data—even email addresses—then there are regulations in different territories that lay out what your obligations are. In Europe, if your business involves monitoring any kind of personal data, you are required under GDPR to appoint a data protection officer. In California, users have the right to request the categories of personal data you keep, what your purpose is in gathering it, who you sell it to, and more in a readable format twice a year under the provisions of the law called CCPA. These privacy laws protect how businesses treat the personal data of anyone living in their territory, so the moment you have a customer (or even a web visitor) in a new jurisdiction, new laws are going to apply.

Data compliance means knowing the rules of the road wherever you’re going to drive your business and playing your part to protect your customers’ fundamental right to privacy.

The 3 major types of applicable regulations

For anyone new to data compliance, it’s fundamentally important to understand which regulations your company needs to comply with. And if you’re an established IT professional who also finds this overwhelming, you are not alone. A survey of 100 IT decision-makers conducted by Vanson Bourne in the UK in March 2021 showed that 31% had difficulty understanding their data compliance obligations.

The fact is that there’s a jumble of federal and state regulations that your company may or may not need to comply with, but we can start to sort that jumble out by breaking down the three broad types of regulations you need to worry about:

  • Sector-specific regulations: For example, HIPAA regulates companies that deal with protected health information. FERPA regulates any company that collects educational information. And COPPA regulates any company that collects information from children under 13 years of age.
  • Geographic-specific regulations: Who are you collecting data from, and where are those people located? If you’ve got data subjects in the EU, then you’re going to be regulated by GDPR; if you’ve got data subjects in California, then you’re going to be regulated by CCPA. Colorado and Virginia have passed laws similar to CCPA, and several other states—including New York, Maryland, Massachusetts, Hawaii, and North Dakota—are considering similar laws. Full data compliance means knowing every geography your customers are located in and fully understanding which regulations you need to comply with.
  • Section 5 of the FTC Act: Section 5 of the FTC Act gives the Federal Trade Commission (FTC) the authority to bring enforcement action against any company that engages in unfair or deceptive practices that endanger the security or privacy of personal data. The FTC has brought over 80 privacy lawsuits and 70 cases against companies that have inadequately protected personal data, including Equifax, after its data breach.

8 top data compliance considerations for any company

The good news is, almost regardless of what industry you’re in and which specific regulations you need to comply with, the main compliance considerations will be the same. So let’s break those down:

1. What data is collected?

Before you dig into the nitty-gritty of complying with regulations, take stock of all the sensitive data you collect and manage.

Start with a data audit—talk with the different departments in your company, conduct a survey, or automatically scan your cloud environment for sensitive data. You may be surprised to learn about data classes and caches you didn’t even know you had. Once you’ve got a sketch of your data types made from these conversations, follow up with a digital data scan and see if the manual and automatic data maps you create match up.

As you identify gaps and grey areas, work on making a data flow chart, so everyone in your company knows exactly where (and what) your sensitive data is and how it needs to be protected.

Then identify which data fields are protected by which regulations. A specific field might be protected by multiple regulations, so make sure your data inventory system is sufficiently flexible to keep track of overlapping regulations.


2. Disclosure and consent around data collection

The heart of privacy law is making sure users know what you are doing with their private data and that they are able to give their informed consent to that usage. Once you know what and where your private data is, you need to make sure your disclosure and consent practices are appropriate for what the law requires of businesses in your sector. Analyze your systems with these questions in mind:

  • Are you currently providing information to users about your disclosure of their data?
  • Are you collecting their informed consent?
  • Are you aware of the limitations of the consent and disclosure constraints you have in place?
  • Is everyone on your team aware?

3. Where is the data stored?

An often overlooked area of data compliance is the actual physical location of data. Just because your data is in the cloud doesn’t mean that the data can reside anywhere in the world.

There are many countries that have data residency or localization requirements and limitations, including but not limited to:

  • The EU (as part of GDPR)
  • Russia
  • India
  • China
  • Vietnam
  • Indonesia
  • Nigeria

In order to understand data residency requirements, you’ll first need to analyze where your customers are located. Then you’ll need to determine if any countries where your customers are located have data residency requirements.

For example, if all your customers are based in the United States, chances are, no data residency or data localization laws apply to you.

4. How is the data stored?

It’s not only important to know where your data is being stored; it’s also important to know how your data is being stored.

Most companies that gather data today are doing so on the cloud. Many laws require that those cloud storage companies adhere to data protection best practices and that you have a contract from them that outlines how they enact their privacy compliance. But laws also require you to do your own analysis of those systems and ensure their security.

In fact, while the security of the cloud storage service is the provider’s responsibility, making sure that the databases are correctly configured to protect from breaches is your responsibility. Database misconfigurations are the number one cause of data breaches on the cloud and your company will be liable when they happen, so it’s important to get this right.

To address the problem, 95% of IT professionals surveyed in the 2021 State of Cloud Security Report by Fugue said they need “automated detection and remediation to detect cloud misconfiguration.” Take your cue from them and find a software solution for this problem; save your team thousands of expensive hours playing misconfiguration whack-a-mole.

Data store configurations can include whether data is encrypted at rest; whether data stores can be accessible over the public internet; and whether or not a data store is regularly being backed up. In addition to encryption at rest, your company may choose to tokenize or mask sensitive data. These configurations and practices will help make sure you are compliant with the rule in GDPR and others that personal data needs to be private by design, as well as by default.
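The three configuration settings named above (encryption at rest, reachability from the public internet, regular backups) and the masking/tokenization practices are easy to check mechanically. The following is an added example, not code from the article or from any vendor it mentions: it audits a small, constructed inventory of data stores and flags the settings that would be a problem for a store holding personal data, then shows one masking and one tokenization routine. The `DataStore` fields and the store names are assumptions made up for the example.

```python
"""Added example: audit data-store configuration and mask/tokenize a field.
The inventory below is constructed sample data; field names are assumptions."""
from dataclasses import dataclass
import hashlib
import hmac


@dataclass
class DataStore:
    name: str
    encrypted_at_rest: bool
    publicly_accessible: bool
    backups_enabled: bool
    holds_personal_data: bool


# Constructed sample inventory: one compliant store and two misconfigured ones.
SAMPLE_STORES = [
    DataStore("customers-db", True, False, True, True),
    DataStore("analytics-bucket", False, True, True, True),   # weak settings
    DataStore("static-assets", True, True, False, False),     # public is fine, no backups is not
]


def audit_store(store):
    """Return the findings for one store (an empty list means it passed)."""
    findings = []
    if store.holds_personal_data and not store.encrypted_at_rest:
        findings.append("personal data stored without encryption at rest")
    if store.holds_personal_data and store.publicly_accessible:
        findings.append("personal data reachable from the public internet")
    if not store.backups_enabled:
        findings.append("no regular backups configured")
    return findings


def audit(stores):
    """Map store name -> findings, listing only stores that have problems."""
    report = {}
    for store in stores:
        findings = audit_store(store)
        if findings:
            report[store.name] = findings
    return report


def mask_email(email):
    """Keep the first character of the local part and the domain; hide the rest."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        raise ValueError("not an email address")
    return local[0] + "***@" + domain


def tokenize(value, key):
    """Replace a value with a keyed, non-reversible token (HMAC-SHA256).
    The same value under the same key yields the same token, so records can
    still be joined on the token without the raw value being stored."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_STORES).items():
        print(name, "->", "; ".join(findings))
    print(mask_email("alice@example.com"))
```

Running the audit against a real environment means replacing `SAMPLE_STORES` with settings pulled from your cloud provider's API; the checks themselves stay the same. Note that `tokenize` keeps a stable mapping from value to token, which is what makes it useful for analytics, so the key must be protected as carefully as the data it stands in for.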

5. Who has access to the data?

User error combined with intentionally malicious behavior from insiders accounts for a huge number of data breaches—of the 204 organizations surveyed in the 2020 Cost of Insider Threats Global Report, 60% had more than 30 insider-related incidents per year.

Start by getting a deep understanding of who has access to your private data. Investigate your permissions and check for out-of-date accounts or group aliases that can make it hard to know exactly who is accessing your data.
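Group aliases are what make the question "who can actually read this?" hard to answer by inspection, because a group can contain other groups. The following is an added example, not code from the article: given a constructed set of nested groups, an ACL and last-login dates, it resolves each ACL entry down to concrete user accounts and then flags the accounts that have not been used within a chosen window. The group and user names, the 90-day idle threshold and the dates are all made-up assumptions.

```python
"""Added example: resolve nested group aliases to users and find stale accounts.
All groups, users, dates and the ACL below are constructed sample data."""
from datetime import date, timedelta

# Groups may contain users or other groups (aliases), possibly several levels deep.
GROUPS = {
    "data-readers": ["alice", "analytics-team"],
    "analytics-team": ["bob", "carol"],
    "db-admins": ["dave", "data-readers"],
}

# Last successful login per account; None means the account has never been used.
LAST_LOGIN = {
    "alice": date(2021, 6, 1),
    "bob": date(2020, 1, 15),
    "carol": date(2021, 5, 20),
    "dave": None,
}

# Which principals are granted access to which data store.
ACL = {"customers-db": ["db-admins"]}


def expand_principal(name, groups, seen=None):
    """Resolve a user or (nested) group name to the set of concrete users.
    `seen` guards against cycles in the group graph."""
    if seen is None:
        seen = set()
    if name in seen:
        return set()
    seen.add(name)
    if name not in groups:          # not a group, so it is a user
        return {name}
    users = set()
    for member in groups[name]:
        users |= expand_principal(member, groups, seen)
    return users


def effective_access(store, acl, groups):
    """Every concrete user who can reach `store` through the ACL."""
    users = set()
    for principal in acl.get(store, []):
        users |= expand_principal(principal, groups)
    return users


def stale_accounts(users, last_login, today, max_idle_days=90):
    """Accounts among `users` that never logged in or last did so before the cutoff."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(
        u for u in users
        if last_login.get(u) is None or last_login[u] < cutoff
    )


if __name__ == "__main__":
    who = effective_access("customers-db", ACL, GROUPS)
    print("can read customers-db:", sorted(who))
    print("stale:", stale_accounts(who, LAST_LOGIN, date(2021, 6, 30)))
```

The point of the expansion step is that an ACL listing a single group can silently grant access to every member of every group nested inside it; the access review has to be done on the expanded set, not on the ACL as written.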

6. How is the data actually used?

For many, keeping up to date and accurate access control lists is the primary way to stay compliant with data regulations. With more and more sensitive data being collected, it’s becoming increasingly apparent to many companies that access control is necessary but not sufficient to achieve compliance; companies need to protect sensitive data from misuse, even among those with access.

That’s why many companies are starting to monitor data in use in order to get a true, detailed view of how your employees are using sensitive data, much of which might be protected by law.

In addition to monitoring for data misuse, you should also be aware that some combinations of certain sets of data are prohibited by some laws in order to protect vulnerable users, e.g., patients, children, and students. Depending on your sector, you’ll need to analyze the relevant sections of the law and make sure certain protected categories of data aren’t being combined.

Many laws also address when and how you can share private data with third parties. This one can be tricky because even if you aren’t selling or sharing data as part of your business, if you’re using any third-party applications to process your data, you are effectively sharing it, and these laws may come into play.

7. What retention policy applies to the data?

Privacy laws require companies to retain certain kinds of data for set periods of time, sometimes five years or more, and to delete other kinds almost immediately. Do you already have a data retention policy? If so, spend some time making sure it addresses all the different kinds of data you found in your audit.

If not, knowing what kinds of data you steward is a good start as you analyze the requirements and begin to put an appropriate policy in place. Next, dig into the data retention regulations to understand what you are obliged to retain and when you are obliged to delete. Then you can help your team understand and implement your retention policy so that data compliance can become a daily part of how you do business.
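A retention policy is only enforceable if it hangs off the same data inventory built in consideration 1, where each field is tagged with every regulation that covers it. The following is an added example, not code from the article, that serves both sections: a constructed inventory of four fields with overlapping regulation tags and a retention period each, plus functions that answer "which fields does regulation X touch?" and "which records are past their retention date?". The field names are assumptions, and the retention periods are illustrative placeholders, not the statutory periods of HIPAA, FERPA, COPPA, GDPR or CCPA.

```python
"""Added example: a data inventory with overlapping regulation tags and a
retention check. Field names and retention periods are constructed placeholders."""
from datetime import date, timedelta

# Each field lists every regulation that covers it (a field can fall under
# several) and how long it may be kept after collection. 0 means "delete as soon
# as the collection purpose is met".
FIELDS = {
    "patient_diagnosis": {"regulations": {"HIPAA", "GDPR"}, "retain_days": 6 * 365},
    "student_grade":     {"regulations": {"FERPA"},         "retain_days": 5 * 365},
    "child_email":       {"regulations": {"COPPA", "CCPA"}, "retain_days": 0},
    "marketing_email":   {"regulations": {"GDPR", "CCPA"},  "retain_days": 2 * 365},
}

# Constructed records: (record id, field name, date the value was collected).
RECORDS = [
    ("r1", "marketing_email", date(2019, 1, 1)),
    ("r2", "patient_diagnosis", date(2019, 1, 1)),
    ("r3", "child_email", date(2021, 6, 1)),
    ("r4", "student_grade", date(2016, 3, 1)),
]


def fields_covered_by(regulation, inventory):
    """Field names that the given regulation applies to."""
    return sorted(f for f, meta in inventory.items() if regulation in meta["regulations"])


def overlapping_fields(inventory):
    """Fields that fall under more than one regulation and so need joint handling."""
    return sorted(f for f, meta in inventory.items() if len(meta["regulations"]) > 1)


def retention_action(field_name, collected_on, today, inventory):
    """'delete' once the field's retention period has elapsed, else 'retain'."""
    rule = inventory[field_name]
    expires_on = collected_on + timedelta(days=rule["retain_days"])
    return "delete" if today >= expires_on else "retain"


def due_for_deletion(records, today, inventory):
    """Record ids whose retention period has run out as of `today`."""
    return sorted(
        rid for rid, field_name, collected_on in records
        if retention_action(field_name, collected_on, today, inventory) == "delete"
    )


if __name__ == "__main__":
    print("GDPR fields:", fields_covered_by("GDPR", FIELDS))
    print("multi-regulation fields:", overlapping_fields(FIELDS))
    print("due for deletion:", due_for_deletion(RECORDS, date(2021, 6, 30), FIELDS))
```

Because the inventory is the single source for both regulation tags and retention periods, changing a period when a law changes is a one-line edit, and the deletion run reads the same structure that the audit and the data flow chart are built from.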


8. How do you respond to data subject requests (e.g., deletion, correction)?

Do you have a set of procedures in place for responding to data requests? This includes the language you will use to communicate with the person making the request, as well as how you will track where their data has ended up within your systems and your means of making sure it is deleted or corrected everywhere. Under certain laws, users have a “right to be forgotten,” and it is your job to enact policies that guarantee that right.

Data compliance is required, but it also pays dividends

Of course, if your data isn’t compliant, you’re breaking the law. But thinking broadly and proactively about data compliance is a good business strategy. Regulations are a moving target—the laws change nearly every year as governments work to stay ahead of evolving technology and security threats. Stay ahead of the curve. Focus on understanding your data’s lifecycle in-depth rather than on doing the bare minimum to be compliant with today’s laws.

It’s easy to get lost in sorting out your obligations under all the different acronyms—HIPAA, GDPR, PCI DSS, etc. So before you do, take the time to follow the considerations above. Use sector and geographic-specific regulations to give you a framework of what to look for, understand what data is considered privileged and how the law treats it, and map exactly what data your business is collecting, where it’s going, how it’s used, and who has access.

This will save you money in fines and protect you from breaches, but even better: there’s a huge amount to learn from your data and potentially huge value in the data itself. Mapping your data and really understanding both the risks and value inherent in the kinds of data you collect will help you take your business from those table stakes you started with to playing in the deep end of big data’s big potential.

When you’re ready for help, we’ll be here

Author

Thi Thumasathit