Data Privacy and Security Compliance
Global Regulations and Standards: Where Encryption for Data-at-Rest Applies
What are Data Privacy and Security Regulations?
A significant number of Data Privacy and Security Regulations are in effect and increasing in expanse worldwide, relating to the protection of private and sensitive data. While some focus on the protection of specific industry information, others are more concerned with data loss and exposure incidents, often with serious consequences for non-compliance.
Many compliance standards today are concerned with the protection of data-at-rest. The ultimate protection for personal information/data is to either purge it or at least the identifying elements. Some make specific technology recommendations for compliance. Encryption is an important technique to protect data that is in your custody. Some regulators have taken the position that since encryption uses a mathematical equation, it can be reversed (unless the keys are thrown away). Encryption is therefore considered a “time-delay“ mechanism, and that time is significant.
What are NIST, FISMA and ISO?
The National Institute of Standards and Technology (NIST) develop and publish standards and best practices for data and cybersecurity in the U.S. Government. These publications are often referenced in various data privacy and security regulations, such as HIPAA, PCI and FISMA.
The Federal Information Security Management Act (FISMA) is a U.S. legislation that defines a comprehensive framework to protect government information, operations and assets. FISMA applies to all U.S. federal agencies, contractors and other entities that handle federal data. Since FISMA is developed and implemented by the U.S. Government, it is considered a common framework for policy, and is regularly used by the private sector to meet compliance requirements.
The International Standard Organization (ISO) is an independent, non-governmental international organization of national standards bodies that brings together experts to share knowledge and develop voluntary, consensus-based, market relevant International Standards that support innovation and provide solutions to global challenges. In Europe, ISO is seen as a leader in setting the standards for data security, with particular focus on ISO 27001.
What is Data-at-Rest?
Data-at-Rest is data stored on desktops, laptops, removable media devices, in databases or file servers, or in Cloud infrastructure as a Service (IaaS). Unlike data-in-transit – data that’s actively moving from one location to another – data-at-rest is data that is not actively in transit or in use. While data-at-rest is sometimes considered to be less at risk than data-intransit, attackers often find data-at-rest a more valuable target.
Why protect Data-at-Rest?
Sensitive data can be exposed to risk if a device is lost or stolen, or through vulnerabilities in virtual and cloud infrastructure. Encryption plays a major role in data protection and is a popular tool for securing data-at-rest from loss, theft or unauthorized access in physical, virtual and cloud environments. Protecting data-at-rest with encryption is also mandated by a number of data privacy and security regulations.
What types of Data are often affected?
Personal Information, including Personally Identifiable Information (PII)
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data, often known as Personally Identifiable Information (PII). PII can include data such as social security number, address, phone number, and other personally identifiable data that could potentially be used for identity theft or other criminal activity.
Personal Health Information (PHI)
PHI includes sensitive patient and health data such as insurancerelated information, medical records, biological data and other patient-identifiable information which should not be publicly available.
Financial Data
There are many types of financial data, but they often include credit card account numbers, tracking data, associated financial information or other credit-related information. For example, the Payment Card Industry Data Security Standard (PCI DSS) applies to all companies that accept, process, store or transmit credit card information.
Military and Government Data
Any data related to government programs, especially those related to military departments and operations is strictly regulated.
Proprietary Business Data
Data that should not be made publicly available, such as trade secrets, research and business intelligence, management reports, customer information or internal sales data.
