Cybersecurity and Compliance Are Like Peanut Butter & Jelly
You’ve undoubtedly heard of the Health Insurance Portability and Accountability Act, or HIPAA, which has been around since 1996. Although its privacy and security rules were written with healthcare providers, health plans and clearinghouses in mind, they also reach employers whose group health plans handle protected health information, and the business associates that process that information on their behalf.
Then there’s Europe’s General Data Protection Regulation, known informally as GDPR, which imposes obligations on any business that processes the personal data of people in the EU and helped set the stage for the California Consumer Privacy Act, which takes effect at the beginning of 2020. Add in Colorado’s consumer data privacy law passed in 2018, and others such as the Payment Card Industry Data Security Standard (PCI DSS), which is a contractual industry standard rather than a law, and it’s clear that businesses are juggling an intimidating number of compliance obligations.
The Crux of Compliance
For almost all organizations, there are two fundamental obligations when it comes to compliance. The first relates to data retention. Essentially, if a regulation treats something as a business record, whether it’s a paper document, an email or a social media post, you’re obligated to retain it for the period that regulation specifies and in a form you can later produce. The second obligation is about security. All of those data assets? They need to be secured and protected.
Archiving and security aren’t just compliance issues — they’re complementary areas that are critical to business performance. Whether you’re a sole proprietor or you have 100,000 employees, a strong grasp of archiving and security will help you use information effectively and keep it out of the wrong hands while checking the wide variety of compliance boxes regulating your organization.
The Art of the Archive
Rules from the Securities and Exchange Commission (SEC Rule 17a-4) and the Financial Industry Regulatory Authority (FINRA Rule 4511) require broker-dealers to preserve records for periods that depend on the record type, generally three or six years, with the first two years in an easily accessible place. That requirement is not limited to email but includes instant messaging applications, social media communications, and text messaging. What’s more, if FINRA conducts an examination, you need to be able to produce the requested information promptly, within 48 hours.
A strong archival tool is nothing without the means to protect the data, and compliance requires a strong focus on cybersecurity. Start with an accurate inventory of the systems that hold regulated data, grant privileged access to sensitive data only to users who need it, and review those privileges regularly. Other precautions include patch management, vulnerability scanning, and penetration testing. Most regulations require you to protect personally identifiable information with “reasonable” security procedures. It’s a loose term, usually judged against recognized security frameworks and what comparable organizations do, but you should have reasonable security precautions in place even without the compliance requirement.
Complementary Compliance Requirements
Securing and archiving are the two cornerstones of compliance obligations, no matter what governing body might be imposing them. They should be viewed as two sides of the same coin because you can’t have either in a vacuum: Powerful archival tools are dangerous without the means to protect them, and protection is pointless if you aren’t defending the right data.
Archiving solutions should offer WORM (write once, read many) storage, so that a record cannot be altered or deleted once it has been written, together with granular retention policies that let you keep different kinds of data for different periods based on their content. A high-performance search function will ensure you can search through large, complex data sets to find emails and files, and both search and archival functions should be flexible enough to accommodate new types of records in the future.
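The WORM and content-based retention behaviour described above, as an added example that is not code from the original article or from any archiving product: an append-only archive that classifies each record from its content, refuses to expire it before its retention date, links records in a SHA-256 hash chain so that any edit is detectable, and supports a simple content search. The retention categories, regex patterns and periods (three and six years) are hypothetical placeholders for illustration, not a reading of any specific rule; `FakeClock` and `START` exist only so the retention check can be exercised without waiting years.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Tuple
import hashlib
import re

# Constructed retention classes for illustration only. The patterns and
# periods are hypothetical placeholders, not a reading of any specific rule.
RETENTION_RULES = [
    (re.compile(r"\b(trade|order|execution|confirmation)\b", re.I), "trade-record", 6 * 365),
    (re.compile(r"\b(customer|client)\b", re.I), "customer-communication", 3 * 365),
]
DEFAULT_CATEGORY, DEFAULT_DAYS = "general-correspondence", 3 * 365
GENESIS = "0" * 64                                   # chain link of the first record
START = datetime(2019, 1, 1, tzinfo=timezone.utc)    # fixed clock start for demos/tests


class RetentionError(Exception):
    """Raised when a caller tries to expire a record inside its retention period."""


@dataclass(frozen=True)
class Record:
    record_id: int
    content: Optional[bytes]   # None once the record has been legitimately expired
    category: str
    stored_at: datetime
    retain_until: datetime
    prev_hash: str             # sha256 of the previous record (chain link)
    sha256: str                # sha256(prev_hash || content), fixed at write time


def classify(content: bytes) -> Tuple[str, int]:
    """Pick a retention category and period (in days) from the record's content."""
    text = content.decode("utf-8", "replace")
    for pattern, category, days in RETENTION_RULES:
        if pattern.search(text):
            return category, days
    return DEFAULT_CATEGORY, DEFAULT_DAYS


class FakeClock:
    """Deterministic clock (hypothetical helper) so retention can be tested offline."""
    def __init__(self, start: datetime):
        self.now = start
    def advance(self, days: int) -> None:
        self.now += timedelta(days=days)
    def __call__(self) -> datetime:
        return self.now


class WormArchive:
    """Append-only store: records are never rewritten, and expiry is refused before retain_until."""

    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self._records: List[Record] = []
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    @staticmethod
    def _digest(prev_hash: str, content: bytes) -> str:
        return hashlib.sha256(prev_hash.encode("ascii") + content).hexdigest()

    def store(self, content: bytes) -> Record:
        category, days = classify(content)
        now = self._clock()
        prev_hash = self._records[-1].sha256 if self._records else GENESIS
        rec = Record(len(self._records), content, category, now,
                     now + timedelta(days=days), prev_hash, self._digest(prev_hash, content))
        self._records.append(rec)
        return rec

    def get(self, record_id: int) -> Record:
        return self._records[record_id]

    def expire(self, record_id: int) -> None:
        """Drop content only after the retention period; the hash stays so the chain still links."""
        rec = self._records[record_id]
        if self._clock() < rec.retain_until:
            raise RetentionError(
                f"record {record_id} ({rec.category}) is retained until {rec.retain_until:%Y-%m-%d}")
        self._records[record_id] = Record(rec.record_id, None, rec.category, rec.stored_at,
                                          rec.retain_until, rec.prev_hash, rec.sha256)

    def search(self, term: str) -> List[int]:
        """Case-insensitive substring search over records that still hold content."""
        needle = term.lower().encode("utf-8")
        return [r.record_id for r in self._records
                if r.content is not None and needle in r.content.lower()]

    def verify(self) -> bool:
        """Recompute the hash chain; an edited, reordered or removed record breaks it."""
        prev_hash = GENESIS
        for i, rec in enumerate(self._records):
            if rec.record_id != i or rec.prev_hash != prev_hash:
                return False
            if rec.content is not None and self._digest(prev_hash, rec.content) != rec.sha256:
                return False
            prev_hash = rec.sha256
        return True
```

The design point is that immutability is enforced by the store, not by the caller’s good behaviour: `expire` is the only removal path and it checks the clock against the retention date, while `verify` lets an auditor confirm nothing was edited out of band. A real product would anchor the chain head in a separate, write-protected location and hold the clock outside the reach of the archive’s administrators.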
All this data represents a treasure trove to hackers and cybercriminals looking to sell it on the dark web. To protect your data assets, encrypt data both in transit and at rest, and keep the keys separate from the data they protect. Encryption at rest defends against lost media, stolen backups and attackers who reach the storage layer without credentials; it does nothing against an attacker who compromises a system or account that is authorized to decrypt, so treat it as one layer among several rather than a guarantee that your data is safe once other defenses fail.
Regardless of industry, compliance is an essential issue for nearly every organization. No matter how big or small your company may be, there are almost certainly regulations that apply to your specific situation. In many cases, there are quite a few. Whatever regulations you’re subject to, archiving and security will be critical elements of compliance, and you should view them in conjunction with one another to achieve the best results.
With talk of a U.S. version of GDPR on the horizon, additional privacy regulations seem likely. More data is being generated than ever, and customers are clamoring for additional protections. To help keep your organization out of the headlines and firmly in the compliant category, treat archiving and security as priorities.