Making sure that the organization complies with the regulations is the most important part of DLP. This is true because non-compliance can lead to severe finantial penalties, damage the organization's reputation or even put the organization out of business.
The following are the most important regulations that affect DLP:
- GDPR (General Data Protection Regulation): Applies to organizations handling EU residents' personal data
- PCI-DSS (Payment Card Industry Data Security Standard): Applies to organizations handling credit card information
- HIPAA (Health Insurance Portability and Accountability Act): Applies to healthcare organizations and their business associates in the US
GDPR (General Data Protection Regulation)
One of the most famous cases of financial penalties for breaking GDPR is the €746 million fine imposed on Amazon in July 2021 by Luxembourg's data protection authority. This record-breaking fine was issued for alleged violations of GDPR related to Amazon's advertising practices and how it processed personal data.
Key aspects of GDPR
- Requires organizations to have "Lawfulness of processing". It means that the organization must have a valid reason for processing the data, such as consent from the data subject or a contract.
- Mandates the appointment of a Data Protection Officer (DPO) for certain organizations, responsible for ensuring that the organization complies with the GDPR. The DPO is not personally liable for data protection compliance, but the organization remains responsible for compliance and may face penalties for non-compliance.
- Requires implementation of appropriate technical and organizational measures to ensure data security. This includes measures such as encryption, access control, and data minimization.
- Mandates conducting Data Protection Impact Assessments (DPIA) for high-risk processing activities (like training an AI). It can be done internally or by an external DPO.
- Requires maintaining a record of processing activities. For example: What data you are collecting, how you are using it, how you are storing it, how you are securing it, etc.
- Requires obtaining explicit consent for processing sensitive personal data. This is known as "Consent". It means that the data subject must actively agree to the processing of their data.
- Requires organizations to report data breaches to supervisory authorities within 72 hours. This is known as "Breach notification".
- Mandates the inclusion of specific clauses in contracts with data processors. This is known as "Standard Contractual Clauses".
PCI-DSS (Payment Card Industry Data Security Standard)
One of the most notable cases of PCI-DSS non-compliance is the 2018 British Airways data breach, which resulted in a £20 million fine from the UK's Information Commissioner's Office (ICO). The breach exposed the personal and financial data of approximately 429,000 customers and staff. While this fine was primarily under GDPR, it highlighted severe PCI-DSS violations in the company's data protection practices.
Key requirements for PCI-DSS compliance:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data through encryption
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software on all systems
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
Each of these requirements involves specific sub-requirements and implementation guidelines that organizations must follow to achieve and maintain PCI-DSS compliance.
HIPAA (Health Insurance Portability and Accountability Act)
One of the most significant HIPAA violation cases occurred in 2018 when Anthem Inc., one of the largest health insurance companies in the United States, agreed to pay $16 million to settle potential HIPAA violations. This record-breaking settlement followed a series of cyberattacks that resulted in the largest U.S. health data breach in history, affecting nearly 79 million people.
To ensure HIPAA compliance, healthcare organizations and their business associates must implement the following specific measures:
- Conduct regular risk assessments to identify potential vulnerabilities in PHI handling
- Implement strong access controls, including unique user IDs and strong passwords
- Encrypt all electronic PHI (ePHI) at rest and in transit
- Maintain detailed audit logs of all access to PHI
- Develop and implement a comprehensive incident response plan
- Provide regular HIPAA training to all employees handling PHI
- Establish Business Associate Agreements (BAAs) with all third-party vendors who handle PHI
- Implement secure disposal methods for PHI, including proper destruction of electronic and physical records
- Use secure communication channels for transmitting PHI, such as encrypted email or secure portals
- Regularly update and patch all systems and software that handle or store PHI
- Implement physical safeguards, such as locked file cabinets and restricted access to areas containing PHI
- Conduct regular internal audits to ensure ongoing compliance with HIPAA requirements