What You Should Know About Data Privacy – And How to Get Started


Data privacy is an issue of significant concern in the digital age, in large part because data breaches keep occurring, exposing the personal data of millions of people worldwide. Even one isolated breach can have profound consequences. Individuals may be subjected to identity theft or blackmail, while companies risk financial losses as well as damage to public, investor, and customer trust.

It can be difficult to balance the need to utilize personal data for business purposes against an individual’s right to data privacy. In this article, we’ll explore the significance of data privacy, how it relates to data protection, which compliance regulations are centered around data privacy protection, and what you should be aware of when implementing a data privacy policy.


What Is Data Privacy, And Which Data Is Involved?

Data privacy, also referred to as information privacy, centers around how data should be gathered, stored, controlled, and shared with any third parties, along with complying with all applicable privacy laws.

To properly characterize data privacy, it’s helpful to specify precisely what is going to be protected. Several types of data that are customarily regarded as sensitive, both by the general public and by legal mandates, include:

  • Personally Identifiable Information (PII):  Data that could be utilized to identify, reach out to, or track down an individual, or to differentiate one person from another.
  • Protected Health Information (PHI):  Medical history, insurance information, and other health data held by healthcare providers (and their business associates) that can be linked to a particular person.
  • Personally Identifiable Financial Information (PIFI):  Credit card numbers, bank account details, or other data regarding a person’s finances.
  • Student Records:  An individual’s grades, transcripts, class schedules, billing details, and other academic records.

More generally, in its “Guide to Protecting the Confidentiality of Personally Identifiable Information” (Special Publication 800-122), the National Institute of Standards and Technology (NIST) offers the following examples of information that might be considered PII:

  • Name: Full name, maiden name, mother’s maiden name, or alias.
  • Personal Identification Numbers: Social Security number (SSN), passport number, driver’s license number, taxpayer identification number, patient ID number, or a financial account or credit card number.
  • Address Information:  Street address or email address.
  • Personal Characteristics: Photographic images (particularly of the face or another distinctive characteristic), X-rays, fingerprints, or other biometric images or template data (e.g., retinal scans, voice signature, facial geometry, etc.).
  • Information About an Individual That’s Linked or Linkable to One of the Above: Date and/or place of birth; race; religion; activities; geographical indicators; and employment, education, financial, or medical information.

Which Data Is Not Subject to Data Privacy Concerns?

There are two main categories of data that aren’t subject to data privacy concerns:

  • Non-Sensitive PII: Information that is already a matter of public record, such as a listing in a phone book or online directory. Even this can become sensitive once it is combined with other data, so treat “public” as a property of the individual field, not of the aggregated record.
  • Non-Personally Identifiable Information: Data that cannot, on its own, be used to identify an individual. Device IDs and cookies are often placed in this category, but some privacy laws treat them as personal data (the GDPR, for example, explicitly counts online identifiers such as cookie identifiers and IP addresses as personal data), because they can be combined with other identifiers to reveal a person’s identity.

Personal Data Protection and Privacy Regulations

Data breaches continue to make the news all too regularly, and the public realizes it is gradually losing control over its confidential information. Survey research indicates that 71% of Americans occasionally or frequently worry about their personal data getting hacked, and that 8 in 10 U.S. adults are concerned about businesses’ ability to protect their financial and personal information.

In light of escalating public concern, governments continue to introduce and strengthen data privacy and protection laws; addressing modern privacy issues and safeguarding data privacy rights has become a worldwide trend. The EU’s General Data Protection Regulation (GDPR) is the most prominent example, but a number of nations, including Brazil, India, and New Zealand, have enacted new privacy regulations or reinforced existing ones to govern how personal data may be collected, maintained, used, disclosed, and disseminated.

In the U.S. there is no single comprehensive federal privacy statute; instead, a number of sector-specific federal laws restrict how companies may handle and disclose particular types of personal data. These include:

  • Health Insurance Portability and Accountability Act (HIPAA) / Health Information Technology for Economic and Clinical Health Act (HITECH): Protect the privacy and security of protected health information held by covered entities and their business associates.
  • Gramm-Leach-Bliley Act (GLBA): Governs how financial institutions collect, share, and safeguard customers’ nonpublic personal financial information.
  • Children’s Online Privacy Protection Act (COPPA): Protects the online privacy of children under 13 by requiring verifiable parental consent before their personal information is collected.
  • Family Educational Rights and Privacy Act (FERPA): Safeguards the privacy of students’ education records.
  • Fair Credit Reporting Act (FCRA): Regulates the collection, dissemination, and use of consumer credit report information.

Data Protection vs. Privacy Protection

Data privacy is closely connected to data protection. Both share the same goal: shielding sensitive data from breaches, cyberattacks, and unintentional or deliberate data loss. Whereas data privacy focuses on the rules for how organizations may gather, store, and process confidential information, data protection concentrates on the security controls that preserve the confidentiality, integrity, and availability of information. Furthermore, data protection typically covers not only personal information but other business-critical data as well, including trade secrets and financial records.

Strictly speaking, data protection requires enacting policies, controls, and procedures that uphold data privacy principles, such as the eleven privacy principles defined in the ISO/IEC 29100 privacy framework:

  • Accountability
  • Accuracy and Quality
  • Collection Limitation
  • Consent and Choice
  • Data Minimization
  • Individual Participation and Access
  • Information Security
  • Openness, Transparency, and Notice
  • Privacy Compliance
  • Purpose Legitimacy and Specification
  • Use, Retention, and Disclosure Limitation

How to Get Started with Data Privacy Protection

Merely deploying one or more data security technologies does not guarantee data privacy. When framing your data privacy protection policies, observe these best practices:


Know Your Data

It is imperative to understand exactly what information is being gathered, how it is being used, and whether it is being sold to or shared with third parties. Because different types of PII differ in value, and some personal data becomes sensitive only in context (a name by itself versus a name linked to a diagnosis), classify your data with a data discovery and classification tool rather than relying on assumptions about where sensitive data lives.


Take Control of Your Data Stores and Backups

Do not retain personal data without a clear purpose. Establish retention policies, and minimize or purge personal data in line with its value and risk. Remember that backups, exports, and log archives are data stores too: a record deleted from the primary database but still present in a year-old backup has not been retired.
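As an added example, not code from the original article or from any particular product, the following Python script shows what the two steps above look like in practice: a discovery pass that classifies fields as PII, PHI, or PIFI, followed by a retention check keyed on that classification. The record layout, the field names, the detection patterns, and the retention periods are all assumptions chosen for illustration, not anything the article specifies; adjust them to your own schema and policy.

```python
"""
PII discovery, classification and retention check over constructed records.
Added example, not from the original article. The record layout, the field
names, the detection patterns and the retention periods are assumptions.
"""
import re
from datetime import date

# Fields that are sensitive because of what they are about (assumed names).
PHI_FIELDS = {"diagnosis", "insurance_member_id", "medical_record_number"}

# Content patterns for values that are sensitive wherever they appear.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Assumed retention policy in days per class. Illustrative only: laws such as
# HIPAA and GLBA impose their own minimum retention on some record types.
RETENTION_DAYS = {"PIFI": 90, "PII": 730, "PHI": 2190}

# Assumed "today" so the sample run is reproducible.
AS_OF = date(2024, 1, 10)


def luhn_ok(digits):
    """Luhn checksum; separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_field(name, value):
    """Return 'PHI', 'PIFI', 'PII' or None for one field. The checks run in
    order of sensitivity, so the most sensitive matching class wins."""
    if name.lower() in PHI_FIELDS and value:
        return "PHI"
    if not isinstance(value, str):
        return None
    for m in CARD_RE.finditer(value):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "PIFI"
    if SSN_RE.search(value) or EMAIL_RE.search(value):
        return "PII"
    return None


def classify_record(record):
    """Map each sensitive field name in a record to its class."""
    found = {}
    for name, value in record.items():
        cls = classify_field(name, value)
        if cls:
            found[name] = cls
    return found


def retention_actions(record, today):
    """For each sensitive field, decide whether it has outlived the policy."""
    age_days = (today - date.fromisoformat(record["created"])).days
    return {name: ("purge" if age_days > RETENTION_DAYS[cls] else "retain")
            for name, cls in classify_record(record).items()}


def scan(records, today):
    """Inventory: record id -> {field: (class, action)}."""
    report = {}
    for rec in records:
        classes = classify_record(rec)
        actions = retention_actions(rec, today)
        report[rec["id"]] = {f: (classes[f], actions[f]) for f in classes}
    return report


# Constructed sample data; 4111 1111 1111 1111 is a standard test card number
# and 1234-5678-9012-3456 fails the Luhn check, so it is not flagged as PIFI.
SAMPLE_RECORDS = [
    {"id": 1, "created": "2023-01-10", "email": "a.lee@example.com",
     "notes": "paid with 4111 1111 1111 1111", "diagnosis": "J45.20"},
    {"id": 2, "created": "2023-06-01", "email": "",
     "notes": "order ref 1234-5678-9012-3456", "diagnosis": ""},
    {"id": 3, "created": "2021-03-15", "email": "",
     "notes": "SSN on file: 123-45-6789", "diagnosis": ""},
]

if __name__ == "__main__":
    for rec_id, fields in scan(SAMPLE_RECORDS, AS_OF).items():
        print(rec_id, fields)
```

The point of the field-level report is minimization: record 1 keeps its e-mail and diagnosis but the card number in its free-text notes is due for redaction after 90 days, and record 3's SSN, buried in a notes field no schema would label as sensitive, is found only because the scan looks at content and not just column names.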


Manage and Control Risk

Data privacy protection has to incorporate periodic risk assessment. Rather than creating a framework from the ground up, adopt one that is already well established, such as the NIST risk assessment process defined in Special Publication 800-30 (Guide for Conducting Risk Assessments).


Hold Periodic Training Sessions for Users

Ensure that employees are familiar with the subtleties of data privacy and security. Cover the basics from the outset: which devices may be used when working with sensitive data, and how that data may be transmitted and shared. It is also worth reminding personnel that they are not permitted to view or alter other people’s records out of curiosity or for personal reasons, nor are they free to take proprietary data with them when they leave the organization.


Final Thoughts

In times past, individuals’ personal data could be gathered quietly and shared freely, but those days are gone. Any organization that collects and uses financial, health, or other personal information must now manage that data with regard to its privacy.

By applying the best practices detailed above, your organization can establish a baseline privacy structure for becoming a conscientious and principled steward of personal data.

If you need help implementing a data privacy protection plan, DataGroup Technologies can help! Give us a call at 252.329.1382 today!

Related Posts

Why Increased Connectivity Means More Cyber Risks

In an increasingly connected world, cyber risk naturally grows with it. We rely more each day on social media and messaging platforms for both social and professional purposes, and smartphones are not the only smart devices taking over our lives. Today, an estimated 10.07 billion connected or smart devices are in use worldwide, and Statista expects that figure to reach 25.44 billion by the end of the decade. While this will greatly improve how people communicate with each other, it also increases the risk of cyberthreats.


The Connected Planet

Today, platforms like Facebook and LinkedIn have become part and parcel of life and business. The 2020 lockdown orders which forced people to stay at home across the country further increased our reliance not just on social media, but other connected technologies.

For modern and digitizing enterprises, it’s become crucial to have an IT support staff that can facilitate the creation and development of safe, connected, and streamlined platforms for online work.

This rapid rise in connectivity is even more apparent in the latest industrial smart tech applications.

Today, connected technologies are revolutionizing operations across the global supply chain. Verizon Connect details how modern cargo fleets are increasingly utilizing vehicle-to-vehicle (V2V) and other smart technologies to address pain points and streamline productivity.

Through wireless protocols similar to Wi-Fi, the wealth of data from V2V technologies is now being leveraged to improve a host of smart logistics tech.

This includes semi-autonomous fleets, smart fuel optimization systems, and vehicle-to-network (V2N) technology, which expands V2V applications to include traffic systems and other transport infrastructure.


The Risks of Global Connectivity

While these advances in connectivity make life easier, they also expand the attack surface. Every new digital connection enabled by the technologies above is a potential entry point that attackers can use to steal money from a bank account, compromise an organization’s network, or use stolen data and access to disrupt the systems of large government or corporate entities.

While V2N technologies enable efficient and intelligent transport systems (ITS), they also expose global logistics to distributed denial-of-service (DDoS) attacks, in which attackers flood a system with more traffic or requests than it can process, typically from many compromised devices at once, until legitimate users are locked out.

DDoS attacks are especially damaging to emerging ITS, where a loss of availability is a safety problem rather than merely an inconvenience. Cybersecurity firm Trend Micro Incorporated estimates that over 125 million vehicles with V2N connectivity will ship worldwide from 2018 to 2022. This is creating an increasingly complex ecosystem of connected devices, each of which is a potential entry point for attackers.

With the arrival and continued evolution of 5G, both connectivity and cyber risk will keep growing. These developments can already be observed in the cargo fleets and logistics systems that run the global supply chain, on which food, health, retail, and other major global industries depend.


The Modern Hacker

This underscores a crucial aspect of examining and responding to cyber risk: every smart object or device is a potential tool for a persistent attacker. Even the basic hygiene measures meant to reduce risk, such as promptly applying vendor software updates, can themselves become the attack vector.

IT management software vendor SolarWinds learned this the hard way when its Orion platform, which other enterprises use to monitor and manage their own networks, was turned into a delivery channel for compromising its customers. The compromise came to light at the end of 2020.

Malicious code was inserted into a legitimately signed Orion software update, so it looked like any other routine update. As any IT support staff can attest, keeping software up to date significantly decreases cyber risk; in this case, the trusted update channel was exactly what carried the backdoor.

Before the attack was discovered and shut down, every organization diligent enough to install the tainted update promptly had received the backdoor; from that large pool the attackers selected a much smaller set of targets for follow-on intrusion and theft of sensitive data.

Following the combined, months-long investigations of private and government entities, Deputy National Security Advisor Anne Neuberger said that “9 federal agencies and about 100 private sector companies were compromised.” The affected agencies included the Departments of the Treasury, Commerce, Energy, State, and Homeland Security.

Alarmingly, it also reached several tech giants and Fortune 500 companies, including Intel, Cisco, Nvidia, and VMware.


Final Thoughts

The FBI and other U.S. agencies traced the SolarWinds attack to a group operating from Russia, which the U.S. government later formally attributed to Russia’s foreign intelligence service (SVR). According to Microsoft, the same group, which it tracks as “Nobelium,” may have struck again: after examining attack patterns and entry points that once more ran through connected technology, Microsoft reported that Nobelium’s more recent campaign targeted roughly 3,000 individual accounts at more than 150 organizations.

Alongside malicious updates, the group’s methods now include customized emails and diplomatic invitations tailored to each target, all of whom are involved in international development, human rights, and humanitarian work in 24 different countries. Microsoft explains that “when coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers.”

With greater connectivity comes greater risk. In an increasingly connected world, there is an even more pressing need to focus on reducing cyber risk and strengthening IT security. This is as true for technology providers and enterprises as it is for individuals who go online every day. While defending networks is a task best left to experts, in an age of ever-increasing connectivity, managing cyber risk is everyone’s job.

At DataGroup Technologies, Inc. (DTI), we offer a wide variety of cybersecurity services to help protect your business from cyberthreats, including security risk assessments, email security solutions, web and DNS filtering, next-generation firewalls, network security monitoring, operating system and application security patches, antivirus software, and security awareness training. If you’re interested in learning more about our cybersecurity services, please call 252.329.1382 today or contact us here.

***************

This article was written exclusively for dtinetworks.com by Alicia Rupert.
