There are 3 categories of data protection safeguards that information security professionals must consider when planning their data protection efforts. These safeguards are also part of major international data security standards and compliance requirements including the Health Information Portability and Accountability Act or HIPAA.
The 3 categories for data protection safeguards are administrative, physical, and technical which are intended to ensure the confidentiality, integrity and availability of data files and records. Let’s discuss the 3 categories of data protection safeguards to protect data including personal information and Protected Health Information or PHI under HIPAA.
Administrative data protection safeguards or procedural controls refer to approved policies, procedures, standards and guidelines for running the business. From a security standpoint, they include access requests and approvals, periodic access reviews, supervision, and training. They also address business continuity, disaster recovery, emergency response, vendor management, and risk assessment including data risks which can be managed with data flow analysis.
Administrative safeguards are operational processes and procedures which are used to control an individual’s access to systems and data. For example, when employees or contractors join the company, they have to complete a background check and vendors must undergo a risk assessment process. Once onboard, management must approve user access which is then processed and assigned by the user administration group.
The importance of adjusting access as soon as possible when employees leave the company or transfer out of the department cannot be overstated if adequate data protection safeguards are to be maintained at all times. A company's data protection team should audit system access on an annual basis to ensure compliance with this requirement.
Physical data protection safeguards ensure the protection of devices and locations which collect, process, store, and share data files and records. For example, laptops must be secured with cable locks; offices, cabinets, and drawers must be locked whenever they’re not used; keys must be secured; and restricted areas must be limited to authorized individuals. One example of a common physical safeguard violation in the workplace is piggybacking, which refers to instances when someone tags along with another person to enter the building or other restricted areas. Always use your own badge to log your entry and report these types of incidents so they can be investigated.
Technical data protection safeguards in a broader sense are the system controls and tools which are designed to protect data, such as user authentication and passwords, account lockout during extended inactivity periods, and network intrusion prevention or detection controls. Another example of a technical safeguard is configuring the system to require strong passwords from our associates and to lock the system down if too many unsuccessful attempts are made to gain entry to the system.
Data Collection, Use, and Disclosure
Data management is a major component of any data protection program. Data flow in and out of the company must be documented and assessed for risk management purposes. Below are just some basic rules to follow regarding data management:
Storage and Workstations
To ensure data protection, it’s important to encrypt data when it is in transit or stored on our systems and backup tapes or devices.
Companies provide dedicated workstations or laptops to their employees for good reasons: to ensure that only company-authorized software is installed, that the device or data is encrypted, and that employees do not have to access data from any unauthorized devices. Employees must ensure that they secure their devices to prevent access by others, avoid sharing passwords, and be careful about using the computer to access data in public places. Assigned computers are the responsibility of their assigned owners, and company monitoring tools, if deployed, can detect security violations which can lead to disciplinary actions.
Finally, storing and sending confidential and sensitive data unencrypted must be avoided whether using removable devices or when sending emails. Most companies have secure means to transfer data like secure FTP servers or SFTP. Employees should be instructed to refer to their data protection officer for identifying and using secure means for data transfer.
As we mentioned, we have to collect the least amount of data, just enough to complete our business obligations, but we also have to delete it as soon as we no longer need it. Some data may have to be deleted according to contractual agreements, data retention policies, or otherwise at the end of each project. Vendors must also be notified about the data deletion requirements of each project. Clients often ask for data destruction certification; therefore, it’s important to keep a log and ask for destruction evidence if we outsource this task. Employees should be instructed to refer to their management, legal or compliance contacts if they have questions regarding data retention and destruction policies.
Data Flow Analysis
Data flow analysis is part of the broader data management practices which we discussed above. In order to assess and manage data risks and document the data flow for each project, data owners must be required to document and submit a data flow diagram or flowchart so that the appropriate data privacy and security professionals can assess the data security risks and approve the project. This diagram should normally include the type of data collected as well as data entry points into the environment, transmission methods, data storage locations, and the list of individuals who will have access to the data. Once the data flow diagram is approved, it’s very important that we apply the agreed-upon security rules throughout the project. If the process must change for any business reason, data owners must update and resubmit the data flow diagram for approval again. To ensure compliance with this requirement, companies must from time to time audit a project’s alignment with the latest approved data flow diagram.
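The periodic audit described above can be expressed as a comparison between the approved diagram and what is found in use. The following is an added example, not part of the original article: the `DataFlow` record, the `audit_flow` function, the sample values, and the list of transports treated as encrypted are all assumptions made for illustration.

```python
from dataclasses import dataclass, fields

# Transports treated as encrypted here (assumption for this example, not a list from the article).
ENCRYPTED_TRANSPORTS = frozenset({"sftp", "https"})

@dataclass(frozen=True)
class DataFlow:
    """A data flow diagram reduced to the elements the article says it should include."""
    data_types: frozenset
    entry_points: frozenset
    transmission_methods: frozenset
    storage_locations: frozenset
    authorized_users: frozenset

def audit_flow(approved: DataFlow, observed: DataFlow) -> list:
    """Return findings where the observed project deviates from the approved diagram."""
    findings = []
    for f in fields(DataFlow):
        # Anything in use that the approved diagram does not list is drift.
        for item in sorted(getattr(observed, f.name) - getattr(approved, f.name)):
            findings.append(f"{f.name}: '{item}' is not in the approved diagram; resubmit for approval")
    # Separately flag transports that do not encrypt data in transit.
    for method in sorted(observed.transmission_methods - ENCRYPTED_TRANSPORTS):
        findings.append(f"transmission_methods: '{method}' does not encrypt data in transit")
    return findings

# Constructed sample data: the approved diagram and what an audit found in practice.
APPROVED = DataFlow(
    data_types=frozenset({"PHI"}),
    entry_points=frozenset({"client-upload-portal"}),
    transmission_methods=frozenset({"sftp"}),
    storage_locations=frozenset({"encrypted-project-db"}),
    authorized_users=frozenset({"analyst-a", "analyst-b"}),
)
OBSERVED = DataFlow(
    data_types=frozenset({"PHI"}),
    entry_points=frozenset({"client-upload-portal"}),
    transmission_methods=frozenset({"sftp", "email-attachment"}),
    storage_locations=frozenset({"encrypted-project-db"}),
    authorized_users=frozenset({"analyst-a", "analyst-b", "contractor-c"}),
)

if __name__ == "__main__":
    for finding in audit_flow(APPROVED, OBSERVED):
        print(finding)
```

An empty result means the project still matches its approved diagram; any finding is a reason to update and resubmit the diagram.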
Emergency Response/Business Continuity/Disaster Recovery Plans
To further comply with regulations or contractual agreements and ensure adequate data protection safeguards, companies must document and update their Emergency Response, Business Continuity and Disaster Recovery Plans.
Having an Emergency Response Plan ensures that employees remain safe and are evacuated in an orderly manner and accounted for during events such as earthquakes, fires, floods, medical situations and pandemic outbreaks.
Once the safety of employees is assured, the Business Continuity Plan, which should involve an extensive Business Impact Assessment or BIA for each functional area, is required to help mitigate the impact of such events by identifying key associates, tasks and alternate locations to continue providing high-priority services to clients while the company works on getting the business back to normal.
On the IT side, a Disaster Recovery Plan ensures that employees, contractors and customers continue to have access to key systems and data within a reasonable timeframe in accordance with service level agreements. A couple of key metrics used for BCP/DRP documents and included in the SLAs are Recovery Time Objective or RTO and Recovery Point Objective or RPO. These must be defined and agreed upon to avoid any misunderstandings and to accept the gap between a system or data loss and recovery.
The availability of systems and data during disasters and other disruptive events is maintained through a backup plan, alternate data center and systems, and annual recovery testing.
Breach Risk Assessment
As we know, data protection safeguards sometimes fail to protect data because they are weak and vulnerabilities can be misused, because safeguards are disregarded by employees, or because operational errors occur. A broad definition of data breach is the unauthorized use or disclosure of (unsecured) data unless companies can demonstrate a low probability that the data has been compromised based on the risk assessment. Therefore, a timely risk assessment following a breach is important to identify the nature of impacted data and determine whether it was unsecured or not, as well as to identify persons who accessed data and discuss mitigation options and strategy.
Following a risk assessment, if we have reasonable belief that data has been disclosed to unauthorized parties because of the loss or theft of unencrypted devices or if data is sent with unencrypted emails to unintended or unauthorized recipients, then we have a duty to notify various parties depending on the nature of the breach and regulatory requirements. Notified parties may include clients, consumers, or a government agency. Notification must also be made within the period defined by contracts or regulations. For example, in the US, the Department of Health and Human Services (HHS) must be notified within 60 days following a breach discovery impacting consumer PHI. There are instances where a data breach may not be a true breach to warrant a notification such as when data is encrypted and the encryption mechanism is deemed to be strong and according to government or international standards. In these cases, we may avoid notification following a formal risk assessment.
Therefore, it’s very important that employees and others notify the appropriate parties within the company whenever there is a breach or a suspected incident so that key business, legal, IT and communication stakeholders can partner to start a formal risk assessment process and notify the appropriate parties as needed.
Let's remember that data breach incidents have a huge reputational risk for companies which rely on their brands. Therefore, adequate data protection safeguards, formalized risk assessment processes, and timely breach notification are extremely important to minimize the occurrence and impact of data breach incidents.
Henry Bagdasarian is a certified expert in data protection safeguards.