What are Data Privacy and Security Regulations?
A growing number of data privacy and security regulations are in force worldwide, covering the protection of private and sensitive data. Some focus on the information handled by a specific industry; others are concerned with data loss and exposure incidents in general. Most carry serious consequences for non-compliance.
Many compliance standards today address the protection of data-at-rest, and some make specific technology recommendations. Where a standard does not prescribe a technology, encryption is the usual control for meeting its protection requirements. Implementing appropriate encryption, together with sound key management, substantially reduces the impact of lost or stolen storage media and improves your security posture while satisfying a number of data privacy regulations. Note that encryption at rest protects data from anyone who obtains the storage without the keys; it does not by itself protect against an attacker who compromises a system on which the data is already unlocked.
What are NIST and FISMA?
The National Institute of Standards and Technology (NIST) develops and publishes standards and best practices for data and cybersecurity for the U.S. federal government, such as the FIPS standards and the SP 800 series of special publications. These publications are often referenced by other data privacy and security regulations, such as HIPAA, PCI DSS and FISMA.
The Federal Information Security Management Act (FISMA), updated in 2014 as the Federal Information Security Modernization Act, is U.S. federal legislation that defines a comprehensive framework for protecting government information, operations and assets. FISMA applies to all U.S. federal agencies, as well as to contractors and other entities that handle federal data. Agencies implement FISMA through NIST publications, in particular the security controls catalogued in NIST SP 800-53. Because the framework is developed and maintained by the U.S. government, it is widely treated as a reference policy framework and is regularly used by the private sector to meet its own compliance requirements.
What is Data-at-Rest?
Data-at-Rest is data held in persistent storage: on desktops, laptops and removable media, in databases or file servers, or in cloud Infrastructure as a Service (IaaS) volumes and snapshots. It is distinguished from data-in-transit, which is actively moving from one location to another over a network, and from data-in-use, which is being processed in memory. Data-at-rest is sometimes considered less at risk than data-in-transit, but attackers often find it the more valuable target, because it is aggregated in one place and persists long after any single transfer has finished.
Why protect Data-at-Rest?
Sensitive data can be exposed if a device is lost or stolen, if storage media are decommissioned without being wiped, or through vulnerabilities in virtual and cloud infrastructure that allow a disk image or snapshot to be read by an unauthorised party. Encryption is the primary control for securing data-at-rest against loss, theft or unauthorized access in physical, virtual and cloud environments. Its effectiveness depends on keeping the keys separate from the data and restricting who can use them: encrypted data stored alongside an unprotected key is not meaningfully protected. Protecting data-at-rest with encryption is also mandated by a number of data privacy and security regulations.
What types of Data are often affected?
Personally Identifiable Information (PII)
PII includes data such as Social Security numbers, addresses, phone numbers and other information that identifies a person and could be used for identity theft or other criminal activity.
Personal Health Information (PHI)
PHI includes sensitive patient and health data such as insurance-related information, medical records, biological data and other patient-identifiable information that should not be publicly available.
Financial Data
There are many types of financial data, but they commonly include credit card account numbers, card track data, associated financial records and other credit-related information. For example, the Payment Card Industry Data Security Standard (PCI DSS) applies to all organisations that accept, process, store or transmit credit card information.
Military and Government Data
Any data related to government programs, especially those concerning military departments and operations, is strictly regulated.
Proprietary Business Data
Data that should not be made publicly available, such as trade secrets, research and business intelligence, management reports, customer information and internal sales data.