Uncle Ben, a character in Marvel's "Spider-Man" franchise, famously once said "With great power comes great responsibility." This is especially true for businesses that have access to sensitive information, whether it belongs to consumers, clients or employees. As technology and online and cloud-based platforms evolve, it's becoming increasingly important to understand how to maintain, store and control it with care. Read on to find out how to do just that.
Governments across the world have implemented legislation governing what organizations (for-profit companies and charities alike) can and can't do with the information stored on their databases, also known as data privacy or protection laws. For example, the European Union (EU) enacted the General Data Protection Regulation in 2016 as part of the EU's privacy and human rights law.
According to the ICLG, in the United States, businesses are mandated to comply with hundreds of pieces of legislation at both the federal and state levels. These laws also determine which bodies can enforce them. Examples include the Federal Trade Commission Act and sector-specific bills such as the Cable Communications Policy Act. The legislature may soon enact a federal bill called the American Data Privacy Protection Act which will supersede state laws, as explained by Osano.
"Personal data" is typically defined as sensitive personal information, but there is no general legal definition, making it hard to know which details are the most important to handle with care. According to Polar Security, you can usually consider information like banking details, social security numbers, personal addresses and biometric data (such as retinal scans or fingerprints) as sensitive and in need of extra protection.
Typically, sensitive information is data that can cause harm to its owner if leaked or stolen. As F-secure explains, data theft most often takes the form of identity theft, siphoning bank accounts, fraud and blackmail. To a less severe degree, contact details like phone numbers and email addresses can also be sold or traded (sometimes legally) for marketing and/or solicitation.
It's vital to ensure that your database has adequate security controls to avoid breaches, which can be costly, should victims decide to pursue legal action against the company or if industry-specific regulatory bodies issue fines for non-compliance. Beyond a monetary value, leaks can damage a brand's reputation irreparably.
To prevent these outcomes, you'll need to take several steps. First, you must identify and classify all the information on your database appropriately, as each type will require a different level of security. Categories range from confidential to public. Next, you need to map your data flow to understand which individuals or departments have access to it and why. This step will help you trace liability and see where and why the accident occurred. Then, ensure you have the necessary network policies, data encryption and controls in place to intercept potential cyber attacks or leaks. It's essential that you monitor data continuously and, lastly, educate your employees on the importance of data protection and how to do it.