Data Security and Privacy Changes Around The World Impacting Your Business
As data has become increasingly important to almost every business, organization, government, and citizen, the threats to data security have grown as well. Over the last few years we have seen a dramatic escalation in the number of hacks, espionage, leaks, and, in some instances, a gross mishandling of both customer and citizen data. The 2015 Cost of Data Breach Study showed that the average total cost of a data breach increased by 23% over the past two years (2014-2015) to $3.79 million. This has led governments around the world to craft new, tougher laws and regulations on how businesses and organizations should protect their data. So, what does this mean for your business and why should you care?
This is the first post in a new series that will explore different aspects of the security landscape in 2016. We will explore topics like Masking vs. Encryption, Automated Security, and much more.
Why This Trend Matters To You
If I had to break down why securing your organization's customer data matters to you, I would divide it into two categories. The first is that it is the law, and violating it can lead to massive fines and other consequences. The second is that customers and users value their privacy and expect a certain level of protection.
Recent trends in consumer confidence have shown that the public is very concerned about privacy, their trust in companies to protect their data continues to slip, and most importantly, they avoid companies that do not protect their privacy and data.
Governments and Lawmakers Have Taken Notice
With the ever-increasing concerns from consumers, governments around the world have taken action. The New Year ushered in a number of new regulations pertaining to the security of personal data, and organizations are required to implement safeguards under both state and federal data privacy laws. How any given organization handles these changes could impact its ability to conduct business and achieve sustained growth.
It is important to note that these major steps by governments are not solely localized to the United States or North America. The European Union, Russia, United States, and Canada all took major actions in 2015 to legislate new policies to protect user data. As a growing number of organizations expand globally, they are now handling data from countries all around the world, each with different legal requirements. As such, it is important for them to understand and grasp what these different laws mean - in one country an organization would have to take certain precautions, but in others it would not.
The Big Changes in Data Security and Privacy in 2015 - 2016
In order to better understand some of the new regulations affecting businesses across the globe, we broke down some of the major changes in data security and privacy laws across several countries and regions that have been enacted since the beginning of 2015. It is important to note that this is a very broad analysis of each of the changes these countries have made.
- The Cybersecurity Act of 2015 allows organizations to share data with others (private entities, non-federal government agencies, state, tribal, and local governments, the public, and entities under threat) for security purposes if a threat is detected. “Data” in this case means a “Cyber Threat Indicator.” The Cyber Threat Indicator describes the cybersecurity threat, as well as the defensive actions to be taken before and after the attack. This includes preventative measures such as threat detection. However, the act is careful to explicitly state that this data can be shared only after personal data has been adequately protected. Examples of this type of data include credit card numbers or social security numbers; masking this data is critical in protecting individuals and preventing additional harm.
- The state of California has also taken action to protect its own residents’ data. Civil Code Section 1798.5(c) requires that businesses that disclose personal data about a California resident to any third party implement and maintain specific data security procedures to protect residents’ personal information from unauthorized access.
- In Oregon, the attorney general must be notified of data breaches that affect the personal information of 25 or more people. The Oregon law also expands the definition of “personal information” to include additional data such as health insurance plan numbers and medical information.
Most data security experts would argue that the EU took the most dramatic action in reforming data protection and security regulations and frameworks during the past year.
“This is a strong, consistent, future-proof framework for the next decades,” says European Justice Commissioner, Viviane Reding.
This new framework and set of regulations directly dictates legal requirements to EU countries and leaves them no room for interpretation. It creates a single set of rules for all members of the EU and allows businesses to operate under the same set of expectations and laws even when crossing borders. While not every business agrees with that conclusion, European Justice Commissioner Viviane Reding states that it will “reduce the administrative burden on companies and save an estimated 2.3bn euros a year.” While it may take up to two years for these new regulations to be adopted, it is important for both European companies and international companies operating in Europe to be aware of the major changes, which include:
- A single set of rules across all EU countries instead of individual regulations in each country.
- Organizations must notify the national supervisory authority of major data breaches as soon as possible.
- Organizations are only required to engage with one national data protection authority in the EU (wherever they have their main establishment).
- People now have the right and ability to transfer their personal data between providers and companies.
- The right to be forgotten allows individuals to delete their data from companies like Google as long as there are not legitimate grounds to keep it.
- EU rules apply to international companies operating in the EU and that offer services to EU citizens.
- National data protection authorities have strengthened abilities to enforce the EU rules. They can impose penalties of up to 1 million euros or up to 2% of global annual turnover.
Canada took dramatic action in 2015 to protect Canadian patients’ health information. The Health Information Protection Act of 2015 (“Bill 119”) emphasizes the need to have well-documented policies and effective systems to protect patient data. The proposed amendment includes:
- Reporting of privacy breaches (required)
- Removing the requirement that prosecutions be started within six months of the breach
- Increasing the maximum fines by 2x
The bill even recognizes the fact that managing health data is complicated and involves multiple parties, including third parties and contractors that need access to data. This bill requires that organizations take the necessary steps to make sure third parties or agents properly control health data, and then perform audits and reviews of those agents and third parties.
While the new EU data protection laws have taken up most of the spotlight in cybersecurity in the last few months, new important regulations that are being implemented in one of the world’s biggest markets have gone relatively unnoticed. The Russian Data Localization and Right to be Forgotten Laws will be crucial for organizations doing business in Russia as well as for cloud and search providers servicing Russian businesses.
The Right To Be Forgotten - The Russian Right to be Forgotten Law took effect on January 1, 2016. The Law requires search engines to remove information that is unlawfully disseminated, untrustworthy, outdated or irrelevant. This is significant because it allows both individuals and the government to request that certain information available on the web be removed and made unsearchable. This is a new trend that has been spreading from the EU to other countries around the world.
Data Localization - In September, Russia’s new Federal Law No. 242-FZ became effective. This regulation says that companies holding personal data must retain the data in databases located physically in the Russian Federation. This includes multinational companies having employees in Russia. To take it a step further, Law No. 242-FZ also applies to websites that focus on Russia or Russians. This would apply to domain names that are relevant to Russia as well as Russian language versions of websites. Finally, the new law allows organizations to transmit personal data of Russian citizens outside of Russia as long as there is a copy of the data maintained in Russia; the law permits remotely accessing a database located in Russia.
There’s a lot of work to be done. The lack of a worldwide consensus on improving data security has led to a fragmentation in the laws businesses and governments must comply with. Organizations are also constrained by budgets and a lack of knowledgeable personnel required to react to the fluidity of a changing security landscape. As a result, organizations are looking to develop frameworks and infrastructures to automate security policies and procedures as well as the controlled distribution of data. Handling each of these as one-offs is a recipe for disaster.
Stay tuned for a number of future blog posts that will dive deeper into some of these frameworks and many other data security related topics.
For more on data security, visit Delphix.com to find out how we help clients protect their data.