IT pros agree new technology presents a mix of new responsibilities, problems and benefits. The technology used to collect, store, share and secure data is no different. Compliance with legislation on data security is a key focus for businesses. They all must exercise due diligence when managing data so it doesn't result in costly penalties or lawsuits from customers that suffer a breach of confidential information.
What should U.S. companies know about today's data protection laws? How about those with foreign clients?
Personally identifiable information (or PII) is typically the focus of data protection, regardless of jurisdiction or industry served. Therefore, IT administrators must segregate their data according to best practices, ensuring it is handled in compliance with the privacy regulations governing their own region, their clients' region (if sharing data) and their market. Those that handle credit card processing or store medical records are subject to additional standards, such as the Payment Card Industry Data Security Standard (PCI-DSS) or the Health Insurance Portability and Accountability Act (HIPAA).
A Patchwork Quilt
Unfortunately, there is no single U.S. federal mandate governing the collection and use of personally identifiable information (PII). Instead, there's a nice, confusing list of federal and state data protection laws on top of individual regulations that may or may not coincide with the aforementioned laws. And it is this ambiguity, along with the actions of Edward Snowden (which illuminated the extent of cyber-surveillance programs practiced by the NSA), that prompted the EU to nullify the Safe Harbor provision for U.S. companies sharing data with Europe. In other words, according to the National Law Review, Safe Harbor compliance is no longer sufficient for American business.
On that note, the primary federal privacy laws include:
- The Federal Trade Commission Act, designed to act against unfair or deceptive practice and applies to online and offline privacy and security methods
- The Financial Services Modernization Act, referring to financial data collection and management
- The Health Insurance Portability and Accountability Act, covering identifiable patient data and health records
- The HIPAA Omnibus Rule, wherein health-care providers must disclose when a data breach occurs
Others include the Fair Credit Reporting Act, the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, which are self-explanatory. State laws vary by jurisdiction, though, with California most resembling the European approach to data protection. Privacy and the use of personally identifiable information, as explained by the International Association of Privacy Professionals, is a central focus of its legislation.
By early 2016, the EU's Data Protection Directive will be replaced by the General Data Protection Regulation (GDPR), with the emphasis on "regulation." In other words, it is a mandatory requirement and not a recommended "best practice" under which self-regulation is allowed. Enforcement is expected by late 2017 and will affect U.S. companies that operate in the EU, even if they are based outside of Europe. Data governance, compliance, privacy, the right to be forgotten and breach notification are all part of this incoming policy, and companies with more than 250 employees will be required to appoint a data protection officer.
Of these, the "right to be forgotten" is perhaps most difficult to enforce and will likely change to "right to be erased," especially in search engine results pages (SERPs). Currently, a search engine will remove the offending results for EU users, at least for those few who have never heard of VPN usage in order to, say, change their reported location to watch Hulu.
Non-compliance will result in fines and sanctions.
Once you assess your compliance requirements, you need to change how you manage your data. Consider the many ways data is shared or collected today; for instance, smartphones, tablets and mobile devices are now commonplace.
Big data, social media, unified communications and public cloud storage all complicate the tracking of increasing data volumes. WebRTC adds to this, offering real-time browser-based communication and file sharing on any website. As if this weren't bad enough, throw in e-discovery: picture a client file that has been shared company-wide, stored in the public cloud by a disgruntled employee, and passed around over VoIP programs and on social media.
Against this backdrop, ask yourself three questions: Can you track storage and movement of customer PII when your client discovers it online? Is your data currently segregated by region of origin and level of confidentiality required for each file or record? How secure is your file-transfer process? You'll never know if it's fully compliant until you find out it wasn't.