Data breach regulations don’t go away do they? Like an annoyed bulldog they just get more aggressive. With the pain felt by governments world-wide from the one-two punch of critical infrastructure data breaches and the big costs to society and negative impact on consumer confidence, the response of increasing compliance requirements should surprise no-one.
In the EU, ever stronger rules have been on the cards for a long time with plenty of open debate and analysis. Meanwhile, some jurisdictions like the UK embraced tighter breach notifications through the ICO and FSA. In the EU Telecoms sector, breach regulations took hold some time back but as with all sector specific regulations, without strong enforcement the effects may not be as desired. But now the EU is taking things to the next level, especially to the large online data brokers and related services. The proposal is a unified breach disclosure model across all 27 EU member states with strict enforcement. This will mean the critical infrastructure and data brokerages will be affected - and could impact many global firms operating on large amounts of online data with its origins in the EU.
There's a nice article here.
The impact is big - with possibly over 42,000 firms in scope if the reports are accurate.
The upshot here is that e-commerce providers, financial services firms, energy networks, large scale retailers gathering consumer data, social networks and "big data" oriented businesses will need to seek new ways to stay agile against this ever changing regulatory landscape without slowing down the growth demanded by the markets, or impacting customer service to stay competitive.
The good news is that it’s a solved problem as many leading firms already know: data-centric security’s already here to keep the attackers away from live data while driving the data-hungry machines of commerce without increased risk, even across the most complex data processes.
Even if your enterprise is embracing the latest Hadoop variation and worried about privacy barriers, or pushing data into a complex aggregation of enterprise and cloud services, then protecting data from capture to destruction can be easily achieved. When the data itself is protected end-to-end over its lifecycle without compromising its value to the business process or analytics, it’s a win-win for business and IT. Innovations like Format-Preserving Encryption and Stateless key management deliver consumable data-centric security that’s never been easier to use.
Data-centric security is both an enabler and a powerful risk management tool – with the ability to protect structured and unstructured data anywhere. In fact, just in the last two weeks we helped a new, innovative cloud-based business that provides online social network based retail services to secure its sensitive personal and payment data in the cloud in just a few days from start to finish – all nicely integrated into an agile Ruby on Rails applications using NIST FFX mode Format Preserving Encryption to protect data from the moment its captured. They're now privacy regulation ready and minimizing risk to sensitive customer data anywhere it goes, including into their IaaS provider's systems. They are the only ones with control over their keys - and thus control to data. That’s in line with general best practices as outlined last year by Gartner, which reflect our data-centric advice we've been pioneering for several years as readers know.
So, when the next sophisticated privacy regulation comes along, having a data-centric strategy in place for security probably means you're already won compliance boxing match - but more importantly, already many steps ahead of the attackers.
It’s never too late to see how data-centric security can give your business the protection it needs from modern risks - for more information, don’t hesitate to drop me a line at firstname.lastname@example.org, or send us a request for more information right here.