A recent report from IBM found that data breach costs rose from $3.86 million to $4.24 million in 2021. This year’s estimate is the highest average total cost in the 17-year history of the IBM Cost of a Data Breach Report.
Partly, the record-setting cost of a data breach has to do with the fact that so many companies are working remotely. “The average cost was $1.07 million higher in breaches where remote work was a factor in causing the breach, compared to those where remote work was not a factor,” noted IBM.
Remote work that requires the use of cloud platforms puts companies at a much higher risk for cyberattacks. And, the costs are astronomical, not just in dollar terms. Many businesses that suffer from a data breach are forced to shut down completely.
Protecting sensitive customer data in cloud platforms starts with a solid understanding of what information needs to be secured. Here’s what you need to know to find the right cloud DLP tool and help your business stay compliant while protecting data..
What is sensitive data?
There are a few variations of the definition of sensitive data, depending on which regulation or set of best practices you must follow. Generally speaking, there are two broad categories that businesses should know when protecting customer information:
- Personal data: any information that can be used to identify, with some degree of accuracy, a living person.
- Sensitive data: a subset of personal data that is subject to specific processing conditions under GDPR.
Sensitive data is defined by the GDPR as personal data that includes someone’s race or ethnic origin, political opinions, religion or philosophical beliefs; trade-union membership; genetic and biometric data; health-related data; and information about someone’s sex life or sexual orientation.
GDPR is just one regulation that governs the protection of sensitive data. Other compliance regimes, such as FERPA and HIPAA, further define the different types of sensitive data.
Types of sensitive data
Although sensitive data is a smaller subset of personal data, it’s still relatively broad. Sensitive data is further categorized into regulated versus unregulated sensitive data. Regulated data is specifically covered under laws such as GDPR, while unregulated data may contain publicly available information that may still be highly sensitive. For instance, job applications, customer surveys, or contracts are examples of files that could contain unregulated sensitive data.
Sensitive data can be stored in different forms, from audio files to photographs to documents. Here are some common types of regulated sensitive data that are subject to data protection laws.
Protected Health Information
Protected health information (PHI) is regulated by the Health Insurance Portability and Accountability Act (HIPAA). PHI is defined by 18 identifiers that set the bar for “identifiable” medical information that can be traced back to a specific individual. The list of identifiers includes things such as Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, and names of patients, relatives, or employers.
“Education records” is a broad term that is determined under the Family Educational Rights and Privacy Act (FERPA). Regulated sensitive data under FERPA includes information like grades and transcripts, student schedules, exams and papers, student email, advising records, and any personally identifiable information (PII). Educational records do not include law enforcement records, employment records, medical records, or post-attendance records.
Customer financial data
The GLBA requires financial institutions to be transparent about how they share and protect their customers' information. The PCI-DSS sets security rules to protect customer credit and debit card data for any business that accepts their cards.
At a minimum, businesses that deal with these types of regulated sensitive data need to take concrete steps to make sure information is secure to avoid fines and penalties. However, businesses shouldn’t limit themselves to meeting these compliance regimes. Cloud compliance is different from cloud security. Data leaks that expose any type of personal information — sensitive, regulated, or unregulated — can damage a brand significantly and force businesses to close.
[Read more: The Economics of Data Loss Prevention]
How to protect sensitive data with cloud DLP
As companies continue to work remotely, the need to protect sensitive data in cloud environments remains. Unfortunately, common cloud platforms like Slack, Dropbox, Google Drive, and Atlassian aren’t fully compliant with DLP regulations out-of-the-box.
And, while many compliance regimes require protecting the same data (e.g., credit card numbers or Social Security numbers), some have more stringent requirements than others. While Google Drive has some settings that enable the protection of some regulated sensitive data, more integrations and settings are needed to make sure Google Drive is HIPAA compliant.
In fact, HIPAA compliance is one of the hardest benchmarks to achieve, especially for health industry companies that have shifted to working remotely. This is where a cloud DLP tool can help.
Nightfall is a cloud DLP tool that uses AI and machine learning in the sensitive data discovery process. Using over 100+ machine learning detectors for a variety of PII, PHI, and other industry-specific data, Nightfall can scan structured and unstructured data to find a range of regulated sensitive information, including: patient names, addresses, medical record numbers, social security numbers, as well as a number of industry codes like ICD, FDA, DEA, NPI, DOB, and more.
Nightfall can help IT teams discover and classify PII, PHI, and PCI that must be protected and take immediate steps to remediate issues by notifying admins or quarantining or deleting data. Nightfall can filter data streams to restrict suspicious or unidentified activity, log data for incident response and auditing, and pull everything together to help you prevent customer data from falling into the wrong hands.
Of course, cloud DLP is just one aspect of data loss prevention. Read more about protecting personal information in our guide, “Best Tools for Building Your DLP Tech Stack.” And, to learn more about Nightfall, schedule a demo at the link below.