By Ruben Lugo, Strategic Product Marketing Manager at Kingston Technology
Even in a divided, conflicted world, there is one thing nearly everyone can agree on: security breaches that lead to the theft or compromise of personal data are a major problem, and not just in a few isolated places but in every corner of the planet.
Recently, several new regulations went into effect that take giant steps toward requiring businesses to do something about protecting people's identities, or face unpleasant penalties if they don't.
These new, stronger regulations are the European Union's General Data Protection Regulation (EU-GDPR) and the New York State Department of Financial Services' 23 NYCRR 500. The former, enforceable from May 25, 2018, applies to any organization, EU or non-EU, that processes the personal data of individuals in the EU (the regulation speaks of data subjects in the Union, not only EU citizens). The latter, whose first annual compliance certification was due on February 15 of this year, covers New York insurance companies, banks and other DFS-regulated financial services institutions, anyone who provides a service to or is under contract as a vendor to those firms, and agencies and branches of non-US banks licensed in the state of New York.
Both, quite simply, require organizations in the categories above that process or hold personally identifiable information (PII) to implement adequate security measures to protect that data, whether it is "at rest" or "in transit," or face sanctions and lawsuits. The GDPR names encryption as one appropriate measure (Article 32); 23 NYCRR 500 requires encryption of nonpublic information in transit and at rest, allowing CISO-approved compensating controls only where encryption is infeasible (section 500.15).
In the EU regulation, personal data (the term the GDPR uses rather than PII) means data about an identified or identifiable individual in the EU that, if disclosed, could result in damage to the person concerned. It can include medical records, biometric data, passport numbers and personally identifiable financial information (PIFI), such as social security and credit card details. Information that might not be considered PII on its own, such as a first name and surname, becomes PII when it is linked to other data.
New York's regulation treats personally identifiable information, or sensitive personal information (SPI), as information that can be used on its own or with other information to identify, contact or locate a single person, or to identify an individual in context. The National Institute of Standards and Technology's (NIST) Special Publication 800-122, which the state referred to in its regulation, defines PII as "any information about an individual maintained by an agency, including,
(1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and,
(2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
In either case, an organization’s data assets should be identified as part of a risk assessment, including how data is stored and accessed, what level of risk it’s exposed to and whether it contains PII. Data assets might be stored in application databases, server file systems, and on end-user devices.
Both regulations require breach notification within 72 hours: the GDPR to the supervisory authority from the time the controller becomes aware of a breach, and 23 NYCRR 500 to the DFS superintendent from the determination that a reportable cybersecurity event has occurred.
So, what kinds of penalties are we talking about? As you might imagine, drastic times call for drastic measures.
Under the GDPR, non-compliant organizations can be fined up to 4 percent of annual global turnover or €20 million (in the neighborhood of $24 million USD), whichever is greater. A lower tier of up to 2 percent of turnover or €10 million applies to failures such as not having records in order, not notifying the supervisory authority and data subjects about a breach, or not conducting an impact assessment.
The New York regulation does not specifically detail any potential penalties or the impact of noncompliance. Instead, it passes enforcement to the superintendent of the New York State Department of Financial Services, who will be guided by the New York Banking Law.
Under that scenario, penalties would range from license revocation and/or fines of up to (a) $2,500 per day for as long as a violation continues, (b) $15,000 per day in the event of any reckless or unsound practice or pattern of misconduct, or (c) $75,000 per day in the event of a knowing and willful violation.
So far, we have provided you a broad overview of the regulations. Now, let’s take a closer look at each.
European Union General Data Protection Regulation (EU-GDPR)
There are five primary areas to concern yourself with in order to meet compliance:
1. Encryption of sensitive data, both in-transit, and at-rest
2. Appointment of a Data Protection Officer (required for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; the 250-employee figure often cited here is the threshold for the GDPR's record-keeping exemption in Article 30, not for the DPO requirement)
3. Establishment of a cybersecurity program
4. Documented accountability
5. Understanding consent
This is hardly a complete listing, but here are five things you should do to ensure compliance:
1. Self-evaluate – have your Data Protection Officer conduct an internal review of the handling of personally identifiable information of your employees and customers.
2. Map internal and external products/devices that store data – log the company equipment in use, require it to be covered by your data security policy, and ensure data encryption is used on servers, hard drives, USB flash drives, computers and mobile devices.
3. Take inventory – evaluate the total amount of personal data in your systems and where it lives.
4. Purge – eliminate archives of unnecessary PII.
5. Controllers of Information – review privacy risk and impact assessments.
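Steps 2 and 3 above (map where data is stored, then inventory the personal data in it) are usually done with a discovery scan rather than by hand. The following is an added example, not code from the article or from Kingston: a small scanner that walks a set of files, matches SSN- and card-shaped strings, and keeps only the hits that pass structural validation (the SSA's never-issued area/group/serial rules for SSNs, the Luhn checksum for card numbers), so that a build number or an advertising-reserved SSN does not end up in the inventory. The file contents and paths are constructed for the example; a real run would read file shares, database exports and endpoint scans. The report carries only masked values, so the inventory itself does not become another copy of the PII.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample "files" standing in for exports from file servers,
# databases and endpoint scans; the paths and contents are hypothetical.
SAMPLE_FILES = {
    "hr/payroll_2018.csv": (
        "name,ssn,card\n"
        "Jane Doe,536-21-4398,4111 1111 1111 1111\n"
    ),
    # A 16-digit build identifier that is not a card number (fails Luhn).
    "eng/build.log": "2018-03-01 build ok commit 4111111111111112\n",
    # Looks like an SSN but uses the 987 area, which the SSA never issues.
    "sales/notes.txt": "Callback ref 987-65-4320, no card details kept\n",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")          # hyphenated form only
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")             # 13-19 digits, optional separators


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings the SSA never issues (000/666/9xx area, 00 group, 0000 serial)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str      # "ssn" or "card"
    masked: str    # only the last four digits leave the scanner


def scan_text(path: str, text: str) -> list[Finding]:
    """Return validated PII findings in one file's text, masked for reporting."""
    found: list[Finding] = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            found.append(Finding(path, "ssn", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(Finding(path, "card", "*" * (len(digits) - 4) + digits[-4:]))
    return found


def scan_files(files: dict[str, str]) -> dict[str, list[Finding]]:
    """Map each path to its validated findings (empty list if the file is clean)."""
    return {path: scan_text(path, text) for path, text in files.items()}


def files_needing_protection(files: dict[str, str]) -> list[str]:
    """Paths that hold validated PII: candidates for encryption at rest or for purging."""
    return sorted(p for p, f in scan_files(files).items() if f)


if __name__ == "__main__":
    for path, findings in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.kind}: {f.masked}")
    print("needs protection:", files_needing_protection(SAMPLE_FILES))
```

The two false positives in the sample (the Luhn-failing build identifier and the 987-area "SSN") are the reason the validation step matters: a regex-only scan would flag both, inflate the inventory, and send the team encrypting or purging files that hold no personal data. Extend the pattern set (passport formats, IBANs, national ID schemes) per jurisdiction rather than loosening the validators.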
Two more things to know about the EU-GDPR. The first is consent. The conditions for consent have been strengthened, and companies will no longer be able to use long unintelligible terms and conditions full of legalese. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
The second is the right to be forgotten, also known as Data Erasure. The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing the data. The conditions for erasure include the data no longer being relevant to original purposes for processing, or a data subject withdrawing consent.
23 NYCRR 500
Similar to those listed in the EU-GDPR section, here are five primary areas to be concerned with in order to be compliant with New York State’s 23 NYCRR 500:
1. Encryption of sensitive data, both in-transit, and at-rest
2. Appointment of a Chief Information Security Officer (CISO)
3. Establishment of a Cyber Security Program
4. Adoption of a Cyber Security Policy
5. Manage third-party service providers, and test the program (section 500.05) with
- Annual penetration tests
- Bi-annual (twice-yearly) vulnerability assessments
New York's sweeping regulation holds state-chartered banks, foreign banks licensed and operating in New York state, insurance companies, private bankers, mortgage companies and other financial service providers strictly accountable for shielding both in-transit and at-rest data. It also mandates that covered entities set risk-based criteria in a written cybersecurity policy, maintain a written incident response plan, and update vendor management with minimum security standards for doing business with the institution. Organizations are also required to carry these enhanced data-encryption standards into their contracts with third-party service providers.
Encryption is key
The best way for an organization to be sure that it is complying with either regulation is to implement appropriate safeguards, technical standards and policies, including encryption of personal data. Both regulations require organizations that process or hold personally identifiable information to implement adequate security to protect personal data against loss.
Likewise, to somewhat differing degrees, both require organizations to encrypt sensitive data, in transit and at rest, to a level of security appropriate to the risk. For data that leaves the network, one way to meet this is with secure, encrypted USB flash drives, such as Kingston's lines of Kingston and IronKey Encrypted USB drives: security solutions for outside the firewall.
Of these, a USB drive with hardware-based encryption is a simple and effective way to protect data from breaches while meeting evolving governmental regulations. Devices built to tough industry security standards (independent validation such as FIPS 140-2 is the usual benchmark) let an organization manage threats and reduce risk with confidence.
A hardware-centric, software-free encryption approach is a strong defense against data loss because the key handling and the password-attempt counter live inside the device rather than in host software, which removes the host-side attack surface (no driver or application to compromise) and, on drives that wipe the key after too many failed attempts, offline brute-force guessing of the password. The same software-free method also provides cross-platform compatibility with any OS or embedded equipment that has a USB port and a file system. The protection still depends on a sound implementation, so check the validation and the lockout behaviour rather than the "hardware encrypted" label alone.
About the Author
Ruben Lugo is the Strategic Product Marketing Manager for Kingston’s encrypted USB line, including the globally respected IronKey line of ultimate security encrypted USB drives as well as Kingston’s Server Premier DRAM and Enterprise SSD / NVMe solutions for today’s high-performance servers. As a solution, technology and security enthusiast with over 18 years’ experience, he leverages his unique expertise in the development, delivery and sales/marketing management from the CE, AV, and IT Networking industries. He’s contributed to the initiation of new trends in technology from launching the first reliable wireless high definition audio video distribution system to high-bandwidth fiber optic networking solutions.