The National Cybersecurity Alliance describes Data Privacy Week as “an international effort to empower individuals and encourage businesses to respect privacy, safeguard data and enable trust.” So, this week is an ideal time for organizations to consider whether they’re doing enough to protect sensitive data—even though data privacy should be a high priority for businesses every day of the year.
Proofpoint supports the principle that all organizations share the responsibility of being conscientious stewards of personal information. And we’re proud to be recognized by the National Cybersecurity Alliance as a Data Privacy Champion for 2022. Proofpoint stands with many other corporations, nonprofits, academic institutions, government entities, municipalities, and individuals who are committed to helping amplify the important role that data privacy plays in today’s digital society.
For the past several years, we’ve seen U.S. states and countries around the world adopting or tightening data privacy laws. Accelerating digitization is one factor for this heightened focus on data privacy. But laws such as the General Data Protection Regulation (GDPR) are also governments’ response to their citizens’ concerns about information protection.
More than ever, people want to know how their data is being collected—by whom and why—and how and if that information is being safeguarded appropriately. And now, because of the COVID-19 pandemic, even more sensitive data about individuals is being generated and tracked, raising questions about the balance between personal privacy and efforts to maintain public health and economic activity.
People do have reason to worry about the risk of malicious actors targeting their personally identifiable information (PII). According to the Ponemon Institute Cost of Insider Threats Report, 44% of data breaches involve the compromise of customer PII, and 26% of breaches include employee PII. And malicious attacks are at the root of more than 50% of data breaches.
These incidents have bottom-line impacts for businesses to consider as well: Data breaches involving customer PII are the costliest for organizations at $180 per record, according to Ponemon’s research. And data breaches due to malicious attacks cost businesses more than $4 million, on average.
Enhance information protection by adhering to security best practices
Organizations are under constant—and intensifying—pressure to ensure data privacy, maintain proper governance, and achieve compliance with relevant data privacy laws like the GDPR, the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA), and other mandates, without undermining their business success.
Information protection is a delicate balance to achieve, as both the security and privacy sides of the business overlap. Focusing on one cannot come at the expense of the other. With that in mind, we offer three tips for organizations to help ensure their data privacy and governance efforts for protecting PII are effective:
1. Use appropriate security safeguards for PII
While some PII is more sensitive than others, it’s important to think about the ramifications in the event this kind of information is lost or breached. The more sensitive the data, the more powerful the protections need to be.
For example, a list of customer names and email addresses doesn’t require the same security protections as a list of customer names and credit card numbers. That said, both sets of PII need to remain very secure and only shared on an as-needed basis. It’s certainly not information you’d like to have openly distributed, especially within competitive organizations.
2. Only collect PII your organization truly needs—and ensure proper data handling and storage
Organizations often need to collect different kinds of data to provide customers with effective service. This information might include mailing lists, medical records, payment details, and unique ID numbers. That said, the best practice is to limit PII collection to business-critical items only. Think hard about the information you’re requesting because your business will be responsible for safeguarding it.
The same thoughtful approach to data collection can also be applied to the issue of PII processing and storage. An organization’s risk exposure level increases as the volume of PII rises. So, before you store this data, consider if it’s business-critical. If not, dispose of it securely and document every touchpoint when processing PII to be able to assess all the risks.
If storing the PII is essential to the business, be sure to apply the appropriate safeguards, such as physical security measures for paper files, and an encrypted, secure server for electronic files. Also, take care to examine your stored data frequently and purge anything that’s out of date or no longer needed.
3. Apply security best practices to PII when appropriate
Combine information security with data governance programs that identify, classify, and protect critical and sensitive data assets. Organizations can reduce the risk of data exposure by using technical controls and making data privacy a business priority.
Encrypt customers’ PII and store it on internal servers, or within properly vetted cloud environments that are separate from any external-facing servers. Those barriers will slow down any threat actor who might make it through your “front door.” Place a firewall between the servers to add obstacles and limit attackers’ lateral movement.
Adhering to basic security measures, such as protecting secure systems with hard-to-crack passwords, is essential. So, too, is keeping those passwords secure. Don’t let unauthorized individuals access secure areas or systems. Apply access controls such as multi-factor authentication to systems that house personal data.Similarly, don’t be too quick to disclose personal data about your customers, coworkers, or yourself over the phone or on social media.
Stay on top of evolving data privacy laws
For many forward-thinking organizations today, an effective data privacy strategy means combining IT investments around cybersecurity and information protection, as good governance and compliance results in the best security posture.
Also, it’s critical for businesses to stay up to date with how data privacy laws are evolving. For example, because more countries are aligning their privacy laws with the GDPR, many organizations will want to consider taking a proactive stance toward ensuring they comply with relevant GDPR mandates—even if they don’t need to, yet.
To learn more about data privacy laws like the GDPR and get more tips on how to manage data privacy risk, register for the 30-minute Proofpoint webinar, “Respect Privacy, Protect Data and Enable Trust.” It’s happening this week—on Thursday, January 27, at 10 a.m. PT/1 p.m. ET. Be sure to sign up today!