Privacy compliance and security: Are you collecting too much data?
Enterprises today must cope with a jumbled mess of data collection and privacy legislation. Data security policies are created in response to the problems organizations encounter with collecting personal identification information (PII) and the security surrounding online payments.
But as online fraud has escalated, hackers and social engineers have been increasingly able to access consumer data, which has led to understandable consumer skepticism in e-commerce.
Something had to change. Payment Card Industry (PCI) and other standards emerged to provide identity verification, data access controls, encryption and other safeguards. This paved the way for setting standards and rules around data privacy. However, these regulations are being enforced against a longstanding enterprise mindset geared toward storing all data collected.
Once organizations realized that storage was very affordable, they decided to keep everything they possibly could, hoping that, in the future, they would have the AI or analytics capabilities to mine it for valuable insights to better serve their consumers.
“There’s been no real mandate for IT to do anything other than keep data for a rainy day,” said Steven Cavey, Co-Founder and Chief Evangelist of Ground Labs, on a recent Cyber Work Podcast.
Wait, what data are we storing?
The people who had begun managing and storing data over the years have since moved on or retired. That’s one of the reasons why companies often don’t realize how much data they have stored or the breadth of personal or sensitive data.
Based on surveys and interviews done by Ground Labs, it became clear that many were unaware that such data privacy compliance existed. Organizations were surprised to realize that they hadn’t been tracking the location or extent of data retained by the company. In addition, IT security teams didn’t have an accurate concept of the many data processes in the enterprise.
“It often takes an event like a data breach for organizations to learn what they were really storing,” said Cavey. “Such events force them to reassess the situation and look at every bit of data across the entire organization. Only by doing so is it possible to put the right security controls in place.”
Minimizing data breach damage with privacy compliance
Cybercriminals have gotten so adept at penetrating security defenses or phishing users that data breaches are inevitable. So, how do you minimize the damage that could come from an event like that?
Get in front of the problem by enacting a company data collection and retention policy. And then, get to work hunting down any PII, credit card numbers or other sensitive information that may be stored within the enterprise, and take care of it based on data privacy laws before hackers can expose it.
That will help reduce the risk of hefty fines, penalties and PR nightmares if a breach should occur.
Phishing simulations & training
PCI standards and privacy rules
Cavey believes the PCI standards were written so that financial institutions and commercial businesses clearly understand what they need to do with payment information to achieve compliance. Banks and credit card companies police these rules.
Any e-commerce website processing credit cards must show evidence of the implementation of good security practices and the ability to safeguard payment details from exposure.
But now that government policymakers are getting involved, the situation is becoming less well-defined. The EU, as well as national and state bodies, are passing sweeping data privacy regulations.
They are good at laying out many rules but need to improve when educating companies regarding the steps required to achieve compliance. And because there is such a patchwork of regulations, it can be difficult for businesses to appreciate the precise privacy rules that must be followed.
For example, a California business might focus on compliance with the California Consumer Protection Act (CCPA) but unintentionally miss out-of-state or international privacy standards that must be considered, such as the EU’s General Data Protection Regulation (GDPR).
“If you are selling to customers in Europe and have an e-commerce website or are collecting data from customers in Europe, you need to also be concerned about Europe’s data security laws, which are far harsher [than those in the U.S.],” said Cavey. “The GDPR is one of the toughest data security laws in the world.”
Key privacy questions your organization should consider
Cavey advised organizations to search and find the answers to these data privacy questions:
- Are you collecting data with people’s permission?
- Do you have a data protection officer in place?
- Are you putting the proper security controls around your collected data?
- Are you getting rid of data when it’s no longer needed, or do you no longer have a legitimate purpose?
- Do you have the internal resources to adequately cover the locating and securing of sensitive information?
Phishing simulations & training
Cavey also called for a change of mindset around collecting data.
“Everyone’s been talking about data is the new oil. That’s how chief marketing officers and CEOs have considered the data they gather,” he said. “But when you consider the many data privacy laws, all that sensitive data might be better regarded as uranium. It is more like a toxic substance that needs to be treated and handled with the utmost care.”
In this Series
- Privacy compliance and security: Are you collecting too much data?
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
- Cybersecurity and Windows 11: What you need to know
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization