Data is among a company’s key assets. Business leaders have to juggle several priorities when it comes to managing and protecting their company’s data, all while staying in compliance. The challenges they face are getting bigger and more complex. Consider the following statistics about data and data loss:
- 2.5 quintillion bytes of data are created daily.
- In the first six months of 2019 alone, more than 3,800 publicly disclosed breaches exposed 4.1 billion compromised records, with 3.2 billion of those records exposed by only eight breaches.
- Data breaches cost enterprises an average of $3.92 million.
- Nearly 90% of security leaders say they don't have adequate visibility of the data that they are required to protect.
Compliance regimes and policies are one way to protect individuals and companies from the devastating impacts of data loss. But simply knowing the laws and regulations isn’t enough. Organizations must put these regimes into practice every day to protect their data and their customers. Understanding three critical steps — discover, classify, and protect — will help business leaders adhere to the compliance standards specific to their industry, and will make it easier for them to choose the right solutions to manage these essential functions of a data loss prevention (DLP) program.
This post outlines how each of the three steps of DLP supports compliance and regulatory standards, with a look into a hypothetical case study covering business associate agreements required for HIPAA compliance. Finally, we’ll share how a solid DLP solution can take on your company’s data governance.
It all starts with data discovery
Data discovery is a process involving a scan of an organization’s data across various applications, networks, or endpoints. As we mentioned above, data is massive and growing every day, in both volume and complexity. Organizations must think of best practices when storing, accessing, and using this data — and ask questions that will shape their data discovery frameworks:
- Who? The individuals, teams, and systems that have access to the data.
- Where? The locations where the data is stored and where it travels (think of the cloud and data in motion).
- What? The specific types or categories of data sets a company collects.
- Why? The purpose and intent of data usage and collection.
Pulling data from different sources and systems into the cloud means a lot of policies might come into play: your own security policies, privacy for your users, and other privacy and compliance needs.
Each step of DLP supports compliance and privacy standards. The Federal Trade Commission (FTC) developed a set of best practice guidelines for businesses to follow called the Fair Information Practice Principles (FIPPS). These guidelines are based on principles of U.S. state and federal laws as well as international laws.
FIPPS covers five core ideas for businesses to follow when collecting data, which can extend to how an organization structures its data discovery policies and requirements for tools:
- Transparency: notifying users of the organization's privacy practices before their information is collected.
- Choice: allowing users to opt in or out of having their data used for purposes other than the main reason for collecting it.
- Information review and correction: giving users access to their data so they can verify and correct its accuracy.
- Information protection: taking steps to ensure user data is accurate and kept safe.
- Accountability: enforcing these principles through self-regulation.
Many regulatory and compliance regimes cover these guidelines, like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). Methods and standards for collecting data influence how the data is stored, accessed, and used. Data discovery compliance needs are easily met with a DLP solution that adheres to the most common regulatory regimes in use today, and DLP can take on the never-ending task of reviewing your data while staying in compliance.
The next step of DLP is one of the biggest challenges in infosec: how to classify the data. Compliance also plays a big role in this step.
Classifying data is more than just sorting
Each organization has its own privacy and compliance paradigms to uphold. Data classification procedures, applications, and roles must be clearly defined and documented to ensure that sensitive customer data is handled properly within systems and apps.
Carnegie Mellon University has a good example of guidelines for data classification within the university’s information security policy. It was written specifically for the CMU staff, but the framework can provide a starting point for organizations looking to create or solidify their own data classification policies and requirements.
As stated on the CMU website, classification of data aids in determining baseline security controls for the protection of that data. The data classification guidelines define who the policy applies to, the roles and responsibilities of everyone working with data during the classification stage, and the different privacy categories that data can fall into, like private, restricted, confidential, or sensitive data. Nightfall's DLP solution also classifies sensitive data that falls into canonically defined categories like personally identifiable information (PII), protected health information (PHI), payment card information (PCI), and more. Finally, the CMU information security department includes a matrix that maps each privacy category to the potential impact of unauthorized disclosure. This matrix helps the department define its security objectives, the confidentiality, integrity, and availability of information, which are the three pillars of the standard CIA (confidentiality, integrity, availability) model of infosec that many industry practitioners follow.
Data classification isn't standard across organizations, and sometimes it's hard to tell which privacy or compliance regimes specifically target the data classification stage. But DLP can help classify the massive amounts of data within an organization while keeping sensitive information safe from exfiltration. No guesswork is required for security practitioners.
The last piece of DLP is protection. Once an organization can gather and identify its business-critical data, it must also protect that data from being altered or lost in a breach. DLP and compliance regimes work together to make data protection a seamless, instantaneous process.
Protecting the data that matters most
Data protection is the backbone of many widely used compliance standards, like the Health Insurance Portability and Accountability Act (HIPAA). If you’re in an industry that isn’t required or encouraged to follow specific privacy or compliance guidelines, it’s still important to put some kind of data protection framework in place.
A Thomson Reuters article on the subject has a few suggestions for how to create a data protection policy that puts safety for customer data first:
- Create an overall compliance strategy that is based on key principles that matter most to the company. Document everything, from procedures to defining measures the organization will take with respect to personal data as defined by applicable laws and regulations. All key stakeholders and areas in the organization must be represented. Remember: data security isn’t just a role for the IT department. It’s everyone’s responsibility.
- Establish data protection policies and procedures from an administrative and technical standpoint to ensure confidentiality, integrity, and availability of data. Include a response strategy and plan for when a breach does happen. Cyberattacks and data breaches can beat even the best systems. A threat response plan will help your organization recover quickly and save face with customers after an incident.
- Provide proof of compliance to present for external or internal inquiries. Your organization's compliance should be clearly verifiable and readily accessible through reports and documentation. Stay up to date on compliance and privacy requirements through appropriate monitoring, auditing, and certifications where applicable.
As you can see, discovering, classifying, and protecting data is not an easy task, especially when compliance regimes and privacy policies determine how companies must act during every step of DLP. Let's take a look at a brief case study of how complex just one aspect of HIPAA compliance can be.
HIPAA compliance relies on BAAs
Organizations that handle protected health information (PHI) must comply with HIPAA standards to protect patient and customer data. There are many pitfalls that can expose this data, but one of the most common sources of problems is inadequate Business Associate Agreements (BAAs).
HIPAA Journal has information on how BAAs work and how business associates (BAs) must handle data and adhere to data protection policies when working with businesses that provide healthcare services. Simply put, a BAA is a contract that stipulates the types of PHI that will be provided to the BA, the allowable uses and disclosures of PHI, the measures that must be implemented to protect that information (like encryption for data at rest and in transit), and the actions that the BA must take in the event of a security breach that exposes PHI. The BAA contract should stipulate that the BA (or subcontractor) must implement appropriate administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of PHI and meet the requirements of the HIPAA Security Rule.
Subcontractors working with businesses that handle PHI must also adhere to HIPAA standards. When the Health Information Technology for Economic and Clinical Health (HITECH) Act was incorporated into HIPAA in 2013 via the HIPAA Omnibus Final Rule, the new rules determined that subcontractors used by BAs are also required to comply with HIPAA. This also includes subcontractors using vendors that require access to PHI — everyone working with this type of sensitive data must enter into BAAs with their subcontractors.
The healthcare industry moves slowly and is already strained by challenges like budget cuts and understaffing. Essential considerations like up-to-date BAAs are likely the furthest thing from the minds of healthcare business leaders. But leaving HIPAA compliance standards to chance like this exposes patients to loss of privacy and can cost a business untold damages to revenue and reputation. A HIPAA-compliant DLP solution paired with a BAA can help satisfy the three steps of discovering, classifying, and protecting PHI and other sensitive data.
DLP brings it together for total data security confidence in the cloud
One of the biggest challenges with data protection is how quickly everything is moving to the cloud. In the haste to get on board with the newest technologies, compliance and regulation are often afterthoughts. Cloud adoption is now mainstream, and many organizations face the problem of business-critical data being sprayed across cloud services and infrastructure. Tools that provide data discovery and classification must adjust for this by being designed specifically for the cloud.
Cloud-native DLP checks an organization's systems for unstructured data, which carries its own unique set of risk factors. Internal communications and collaboration platforms like Slack, Confluence, and other SaaS applications are where many people do their daily work and communicate with colleagues, and they let unstructured data flow through massive networks to be shared, copied, accessed, and stored unprotected.
Keeping up with data security compliance is impossible without help. A DLP solution can monitor and provide visibility into your data and systems, filter data streams to restrict suspicious or unidentified activity, log data for incident response and auditing, and pull everything together to help you make smarter decisions about risks and suspicious activity around your business data.
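To make the classify and protect steps concrete for the unstructured messages described above, here is a minimal scanner written as an added example (not Nightfall's code or any real product's detection logic). It runs three illustrative detectors over constructed chat-style messages, validates card numbers with the Luhn checksum so a random 16-digit order number is not misclassified as PCI, tags each finding with the page's PII/PHI/PCI categories, and redacts the values while keeping only category and offset for an audit log. The MRN pattern and the detector names are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass

# Constructed unstructured messages, the kind a collaboration tool carries.
SAMPLE_MESSAGES = [
    "can you bill card 4111 1111 1111 1111 for the invoice?",
    "Patient MRN 00482913 readmitted; SSN on file is 123-45-6789",
    "order number 1234 5678 9012 3456 shipped, lunch at noon?",
]

def luhn_ok(raw: str) -> bool:
    """Luhn checksum over the digits of a candidate card number (13-19 digits)."""
    digits = [int(c) for c in raw if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return 13 <= len(digits) <= 19 and total % 10 == 0

# (category, detector name, pattern, validator). Names and the MRN pattern
# are illustrative assumptions for this example.
DETECTORS = [
    ("PCI", "credit_card", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), luhn_ok),
    ("PII", "us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda s: True),
    ("PHI", "medical_record_number", re.compile(r"\bMRN\s*\d{6,}\b", re.I), lambda s: True),
]

@dataclass(frozen=True)
class Finding:
    category: str
    detector: str
    start: int
    end: int

def classify(text: str) -> list[Finding]:
    """Discover and classify: every validated match, ordered by position."""
    findings = []
    for category, detector, pattern, valid in DETECTORS:
        for m in pattern.finditer(text):
            if valid(m.group(0)):
                findings.append(Finding(category, detector, m.start(), m.end()))
    return sorted(findings, key=lambda f: f.start)

def redact(text: str) -> tuple[str, list[Finding]]:
    """Protect: replace each finding with a category tag. The returned findings
    (categories and offsets, never the values) are what an audit log would keep."""
    findings = classify(text)
    out, cursor = [], 0
    for f in findings:
        out.append(text[cursor:f.start])
        out.append(f"[{f.category}:{f.detector}]")
        cursor = f.end
    out.append(text[cursor:])
    return "".join(out), findings
```

Running `redact` over each entry in `SAMPLE_MESSAGES` leaves the third message untouched, because its 16-digit sequence fails the Luhn check; a production detector would add further context checks and many more categories.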
Prepare for success with the right DLP solution that can support your compliance and regulatory needs. Start with the tips and insights from this article to make the right choices for how to build a better compliance regime within your company.
Nightfall is the industry’s first cloud-native DLP platform that discovers, classifies, and protects data via machine learning. Nightfall is designed to work with popular SaaS applications like Slack & GitHub as well as IaaS platforms like AWS. You can schedule a demo with us below to see the Nightfall platform in action.