Celebrated this year from January 21 to 27, Data Privacy Week provides great ideas for securing your data
It’s no accident that Data Privacy Week occurs the first month of every year. For enterprises and small businesses, Data Privacy Week is a timely reminder of how important it is to secure our private, sensitive, and proprietary data all year long. Our annual New Year’s Resolutions serve a similar purpose.
Innumerable threats jeopardize the confidentiality, integrity, and availability of our data every day. According to the FBI, cybercrime isn’t just a plague for large enterprises. Small and mid-sized businesses have become prime targets for cybercrime as well.
Cybercrime Reported to FBI in 2022
In the recently released 2022 Internet Crime Report, the FBI’s Internet Crime Complaint Center (IC3) confirmed that cybercriminals continue to attack critical infrastructure, hold our money and data for ransom, facilitate large-scale fraud schemes, and threaten national security. In 2022, the IC3 received 800,944 reports of cybercrime with losses exceeding $10.3 billion.
Phishing schemes topped the list at 300,497 complaints and, for the first time, investment scams caused the greatest economic loss to victims. Cybercrime is clearly here to stay, and our best response to this offensive activity is a good defense.
Most Regulations Include Data Privacy Requirements
Protecting data privacy is not just a best security practice. Most security regulations include data privacy components along with security safeguards. The Health Insurance Portability and Accountability Act (HIPAA) imposes both a Security Rule and a Privacy Rule on healthcare providers, health insurance plans, and their business associates. Similarly, the Payment Card Industry Data Security Standard (PCI DSS) includes privacy requirements, as does the Gramm-Leach-Bliley Act (GLBA) and most other financial services regulations.
Privacy Requirements for Healthcare. A major goal of the HIPAA Privacy Rule is to assure that individuals' health information is properly protected, while still enabling health information to be shared in the interest of providing high-quality healthcare and protecting the public's health and well-being.
The Privacy Rule defines and limits the circumstances in which an individual's protected health information (PHI) may be used or disclosed by covered entities, which include healthcare providers, health plans and insurers, and business associates or suppliers to the healthcare industry. To illustrate, following are just a few examples of privacy requirements imposed upon these covered entities.
- The individual's written authorization must be obtained for any use or disclosure of PHI that is not for treatment, payment or healthcare operations or otherwise permitted or required by the Privacy Rule.
- All authorizations must be in plain language and contain specific information regarding the information to be disclosed or used, the person disclosing and receiving the information, expiration, right to revoke in writing, and other data.
- Policies and procedures must be developed and implemented to reasonably limit uses and disclosures to the Minimum Necessary amount of PHI needed to accomplish the intended purpose of the use or disclosure request.
- Policies and procedures must be developed and implemented that restrict access and uses of PHI based on the specific roles of the members of their workforce. They must identify the persons, or classes of persons, in the workforce who need access to PHI to perform their duties, the categories of PHI to which access is needed, and other specific requirements.
Privacy Requirements for Payment Cards. The PCI Data Security Standard includes privacy as well as security requirements, and version 4.0 modified the 12 requirements to promote even more robust security and privacy protections. The following requirements in particular address privacy concerns relating to account data and cardholder data. Sub-requirements provide specific instructions for implementing each, so that privacy best practices become standard across the board, and risks to data are reduced.
- Protect stored account data.
- Protect cardholder data with strong cryptography during transmission over open, public networks.
- Restrict access to system components and cardholder data by business need to know.
- Identify users and authenticate access to system components.
- Restrict physical access to cardholder data.
- Log and monitor all access to system components and cardholder data.
Privacy Requirements of GLBA. The Gramm-Leach-Bliley Act governing financial services organizations includes a Privacy Rule to ensure the protection of consumers’ personal financial information, as well as a Safeguards Rule specifying information security safeguards. Below are two key components of the GLBA Privacy Rule as updated in 2000.
- Customers must be provided with notice of their financial institutions’ privacy policies and practices.
- Customers’ nonpublic personal information may not be disclosed to nonaffiliated third parties unless the financial institution satisfies various disclosure and opt-out requirements, and the consumer has not elected to opt out of the disclosure.
Data Privacy Tips from the National Cybersecurity Alliance
The National Cybersecurity Alliance website offers many tips to help businesses protect the privacy and security of their sensitive data and information assets. Following are just a few samples.
Cybercrime is an equal opportunity exploit. Don’t think that just because you’re a smaller business you won’t be targeted. Cybercrime happens to organizations of all types and sizes. Cybercriminals are opportunistic and often exploit the weaker cybersecurity defenses of small and medium-sized businesses simply because it is easier and faster. Here are four essential actions for protecting your business and keeping your information private:
- Regularly conduct security audits to identify vulnerabilities in your networks, systems, websites, and software.
- Encourage employees to use strong passwords, and require them to be changed frequently.
- Train employees to identify phishing attempts and how to thwart them.
- Keep your software up to date.
Why social engineering is so popular. Most cyberattacks nowadays occur through social engineering, in which a cybercriminal infiltrates a system or otherwise accesses data through your employees. Individuals who click on suspicious links, open attachments from unfamiliar sources, use weak passwords, or inadvertently share sensitive information by phone or email can compromise the security of your entire business and the privacy of your data. Following are five essential actions to reduce risks to your data privacy:
- Develop comprehensive security and privacy training programs for employees.
- Implement clear cybersecurity policies and guidelines and train employees.
- Reward and recognize employees who demonstrate good cybersecurity habits.
- Make security and privacy a responsibility of all employees and a fundamental part of your company culture.
- Don’t overlook physical security! Always escort visitors, don’t let strangers simply walk in, install and use cameras, keep network equipment behind locked doors, and always shred sensitive documents.
The value of an ounce of prevention. Cybersecurity and data privacy measures do not have to be expensive, with many cost-effective options now available, including cloud-based and outsourced services.
- Consider cloud-based services that offer robust cybersecurity features, such as data encryption and access controls.
- Make the most of your security budget by commissioning a risk assessment that identifies your vulnerabilities and enables you to prioritize the most critical ones, so that your remediation actions stay focused.
- Explore the value of outsourcing certain security elements to a reputable service provider, allowing you to pay only for what you need without the cost of maintaining an in-house security team.
- Weigh the cost of a data breach against the cost of maintaining an effective cybersecurity program. Data breaches create a host of expenses most businesses never think about until it is too late.
According to Statista, in 2022 the cost of a data breach in the healthcare industry was $10.93 million, compared to $5.9 million in the financial industry. Very few businesses have a spare six to eleven million dollars readily available to cover the onerous costs of a data breach they didn’t anticipate.
Summary
Data privacy isn’t just about protecting your organization’s proprietary information or intellectual property. Data privacy also concerns the data you collect, use, and store on behalf of your customers, clients, patients, employees, suppliers, investors, and other stakeholders.
Why not take the unique opportunity of Data Privacy Week, January 21 to 27, 2024, to renew your commitment to protecting the privacy of this sensitive data all year long? Implementing robust privacy measures will help you resolve vulnerabilities and reduce risk—and will make you a less attractive target for cybercriminals looking for easy exploits.