Threats to data security are growing on a regular basis, with many highly publicized breaches compromising public information, including at government agencies. This has led to a debate about public policy and how laws should be implemented to dictate data and security governance. A number of data security regulations for data protection have ensued.
Meanwhile, the public policy debate over data security and governance continues. The Wikileaks episode brought about by Edward Snowden, revealing that U.S. government agencies were collecting massive amounts of data on individuals without court approval, has led to a worldwide debate about public data regulation. The integrity and privacy of the personal information handled and stored by companies and governments has been called into question. Last year, as a result of this, the European courts invalidated Safe Harbor agreements.
Complicated Data Security Regulations
The end result is a more complicated worldwide picture for data security regulations for IT professionals, as organizations are driven by compliance requirements that are escalating in many different jurisdictions.
An inability to adhere to relevant rules and regulations can have a huge impact on the bottom line of corporations. The Information Technology and Innovation Foundation estimates that U.S.-based cloud providers may lose as much as $35 billion over the next three years if they cannot maintain the security of their information. According to a survey by the Cloud Security Alliance, 10 percent of non-U.S. companies have already canceled contracts with American cloud providers, after the court ruling on Safe Harbor.
There is a host of industry and country/regional data security regulations designed to assist organizations in mitigating their exposure to risk. Most have provisions designed to ensure organizations are implementing measures to protect sensitive data and personally identifiable information (PII). Many can inflict penalties or fines when organizations are found to be lacking appropriate protective measures. Some mandate reporting incidents/breaches. (Note: IDC found that 52 percent of corporate information that requires protection – e.g., corporate financial data, PII – is not currently protected.)
Some Common Data Security Regulations
It is important to note that many of these regulations are not clear-cut, instead providing general guidelines that can be up to interpretation by an organization. Below is a sampling of the many data regulations worldwide:
- Freedom of Information Act (FoIA). Found in many countries – U.S., U.K., Australia – FOIA defines the access rights of the public around certain types of information/documents.
- General Data Protection Regulations. Slated to come into effect in 2018, the European Union’s GDPR follows the invalidation of the Safe Harbor agreement. It tries to consolidate laws across Europe and impose strict requirements to protect a citizen’s privacy rights. It includes mandatory data breach notifications, as well as fines of 4 percent or €20 million for serious breaches.
- Health Insurance Portability and Accountability Act. HIPAA contains privacy and security rules designed to protect the integrity, privacy, and availability of personal health information in the U.S. Fines for violations can reach six figures.
- Payment Card Industry Data Security Standards. PCI DSS offers guidance to maintain payment security and applies to anyone or any company that processes payment transactions.
- International Traffic in Arms Regulations. ITAR includes provisions to limit and protect the electronic transfer of controlled technology, technical data, and software by U.S. manufacturers.
- Gramm-Leach Bliley Act. GLBA governs data shared by financial institutions, requiring them to implement “administrative, technical, and physical safeguards” for customer records and information.
- Sarbanes-Oxley Act. This requires companies to put internal controls in place to ensure financial reports are accurate and complete (cyber security isn’t explicitly required, but rather implied).
- Family Educational Rights and Privacy Act. FERPA protects access to U.S. citizens’ educational information and records.
- Cybersecurity Information Sharing Act. A U.S. federal law, signed in December 2015, CISA allows technology and manufacturing companies to share Internet traffic information with the government around cyber threats (some fear it may weaken privacy protections).
- Personal Information Protection and Electronic Documents Act. Canada’s data privacy law, PIPEDA governs how organizations can collect, use, and disclose personal information during the course of their business.
- California SB 1386. This is a breach notification act for companies operating in California.
With the proliferation of security risks, the complexity and pervasiveness of cloud computing, and the rising regulatory requirements for data, it’s clear that data security compliance and management is a growing field – one that’s going to have no shortage of technology challenges over the next 10 years.