It’s no accident that Data Privacy Week occurs the first month of every year. For enterprises and small businesses, Data Privacy Week is a timely reminder of how important it is to secure our private, sensitive, and proprietary data all year long. Our annual New Year’s Resolutions serve a similar purpose.
Innumerable threats jeopardize the confidentiality, integrity, and availability of our data every day. According to the FBI, cybercrime isn’t just a plague for large enterprises. Small and mid-sized businesses have become prime targets for cybercrime as well.
In the recently released 2022 Internet Crime Report, the FBI’s Internet Crime Complaint Center (IC3) confirmed that cybercriminals continue to attack critical infrastructure, hold our money and data for ransom, facilitate large-scale fraud schemes, and threaten national security. In 2022, the IC3 received 800,944 reports of cybercrime with losses exceeding $10.3 billion.
Phishing schemes topped the list at 300,497 complaints and, for the first time, investment scams caused the greatest economic loss to victims. Cybercrime is clearly here to stay, and our best response to this offensive activity is a good defense.
Protecting data privacy is not just a security best practice. Most security regulations include data privacy components along with security safeguards. The Health Insurance Portability and Accountability Act (HIPAA) imposes both a Security Rule and a Privacy Rule on healthcare providers, health insurance plans, and their business associates. Similarly, the Payment Card Industry Data Security Standard (PCI DSS) includes privacy requirements, as do the Gramm-Leach-Bliley Act (GLBA) and most other financial services regulations.
The Privacy Rule defines and limits the circumstances in which an individual's protected health information (PHI) may be used or disclosed by covered entities, which include healthcare providers, health plans and insurers, and business associates or suppliers to the healthcare industry. To illustrate, following are just a few examples of privacy requirements imposed upon these covered entities.
The individual's written authorization must be obtained for any use or disclosure of PHI that is not for treatment, payment or healthcare operations or otherwise permitted or required by the Privacy Rule.
All authorizations must be in plain language and contain specific information regarding the information to be disclosed or used, the person disclosing and receiving the information, expiration, right to revoke in writing, and other data.
Policies and procedures must be developed and implemented to reasonably limit uses and disclosures to the Minimum Necessary amount of PHI needed to accomplish the intended purpose of the use or disclosure request.
Policies and procedures must be developed and implemented that restrict access and uses of PHI based on the specific roles of the members of their workforce. They must identify the persons, or classes of persons, in the workforce who need access to PHI to perform their duties, the categories of PHI to which access is needed, and other specific requirements.
Privacy Requirements for Payment Cards. The PCI Data Security Standard includes privacy as well as security requirements, and version 4.0 modified the 12 requirements to promote even more robust security and privacy protections. The following requirements in particular address privacy concerns relating to account data and cardholder data. Sub-requirements provide specific instructions for implementing each, so that privacy best practices become standard across the board, and risks to data are reduced.
Protect stored account data.
Protect cardholder data with strong cryptography during transmission over open, public networks.
Restrict access to system components and cardholder data by business need to know.
Identify users and authenticate access to system components.
Restrict physical access to cardholder data.
Log and monitor all access to system components and cardholder data.
Privacy Requirements of GLBA. The Gramm-Leach-Bliley Act governing financial services organizations includes a Privacy Rule to ensure the protection of consumers’ personal financial information, as well as a Safeguards Rule specifying information security safeguards. Below are two key components of the GLBA Privacy Rule as updated in 2000.
The National Cybersecurity Alliance website offers many tips to help businesses protect the privacy and security of their sensitive data and information assets. Following are just a few samples.
Cybercrime is an equal opportunity exploit. Don’t think that just because you’re a smaller business you won’t be targeted. Cybercrime happens to organizations of all types and sizes. Cybercriminals are opportunistic and often exploit the weaker cybersecurity defenses of small and medium-sized businesses simply because it is easier and faster. Here are four essential actions for protecting your business and keeping your information private:
Why social engineering is so popular. Most cyberattacks nowadays occur through social engineering, in which a cybercriminal infiltrates a system or otherwise accesses data through your employees. Individuals who click on suspicious links, open attachments from unfamiliar sources, use weak passwords, or inadvertently share sensitive information by phone or email can compromise the security of your entire business and the privacy of your data. Following are five essential actions to reduce risks to your data privacy:
The value of an ounce of prevention. Cybersecurity and data privacy measures do not have to be expensive, with many cost-effective options now available, including cloud-based and outsourced services.
According to Statista, in 2022 the cost of a data breach in the healthcare industry was $10.93 million, compared to $5.9 million in the financial industry. Very few businesses have a spare six to eleven million dollars readily available to cover the onerous costs of a data breach they didn’t anticipate.
Data privacy isn’t just about protecting your organization’s proprietary information or intellectual property. Data privacy also concerns the data you collect, use, and store on behalf of your customers, clients, patients, employees, suppliers, investors, and other stakeholders.
Why not take the unique opportunity of Data Privacy Week, January 21 to 27, 2024, to renew your commitment to protecting the privacy of this sensitive data all year long? Implementing robust privacy measures will help you resolve vulnerabilities and reduce risk—and will make you a less attractive target for cybercriminals looking for easy exploits.