Organizations monitor for data loss and personal data breaches every day, from internal and external threats alike. Almost a decade ago, the loss or breach of a few million people’s data was considered catastrophic; today organizations report billions of records lost or stolen through negligence, external attack, or insider threats. A data loss or personal data breach is a security incident leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed by an organization. It compromises the security and confidentiality of a data subject’s personal data and can result in significant harm, including material or physical damage as well as emotional distress to the data subject.
According to IDC, by 2023, 102.6 zettabytes of new data will be created every year. A large share of these 102.6 zettabytes will contain the personal information of individuals, and all of this data gives attackers a larger attack surface on which to perform malicious activities.
The next step for organizations is to implement an efficient data loss prevention system in order to protect all this data while staying in compliance with privacy regulations. This article covers DLP, why it matters, and the best industry practices.
Data loss prevention refers to measures that an organization takes to prevent data losses and personal data breaches. Such measures include a variety of security controls that are both preventative (security measures to limit personal data breaches) and remedial (mitigation measures to limit the impact of a personal data breach that has happened) in nature.
There are three types of data that need to be protected within an organization. These types are as follows:
Data in Transit
This is any data that is being transferred from one location to another. The transmission can be internal or external. This data needs to be encrypted in transit so that it cannot be read if it is intercepted; the encryption is typically provided by SSL/TLS or a VPN.
Data at Rest
This is any data that is archived or stored within the organization. DLP tools can encrypt stored data in the database at the field, table, or whole-database level.
Data in Use
This is any data that is currently being processed by the organization. Certain DLP tools can help organizations monitor unauthorized activities that users may intentionally or unintentionally perform in their interactions with data and flag them.
According to a study by the Ponemon Institute, 85% of companies globally have experienced some form of data loss in the last 24 months. Most of this data loss is attributed to missing devices, negligent employees, and other avoidable issues.
Countries all over the world are increasingly drafting privacy regulations to ensure that data losses are minimized and organizations become responsible custodians of their customers' personal data.
Most global privacy regulations require organizations to implement appropriate security controls to prevent data losses or data breaches as well as to notify the appropriate regulatory authorities and data subjects if a personal data breach takes place.
|Personal Data Breach Notification Obligations|GDPR|CCPA (read with Cal Civ. Code 1798.80)|LGPD|
|---|---|---|---|
|Notification Obligation|Where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, the organization must notify the regulatory authority without undue delay and not later than 72 hours after having become aware of it. Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the organization must notify the data subject without undue delay.|Notification for personal data disclosed during a data breach incident has to be made to affected data subjects if the personal data was not encrypted. Notification to the Attorney General of the State of California has to be made only if the organization is required to notify more than 500 Californian residents as a result of a single breach of the security system.|Security incidents that may result in any relevant risk or damage to data subjects need to be notified to impacted data subjects and the Autoridade Nacional de Proteção de Dados (ANPD).|
|Notification Timeline|72 hours to notify the regulatory authority and without undue delay for notifying the data subject.|In the most expedient time possible and without unreasonable delay.|Within a reasonable time, as defined by the regulatory authority.|
To fulfill the aforementioned breach notification requirements, organizations must have a system and process in place. A Data Loss Prevention system allows organizations not only to adopt suitable security controls that avoid security incidents, data losses, and personal data breaches, but also to notify regulatory authorities and impacted data subjects on time, as required by the applicable privacy regulations.
Threats of data leaks
There are two possible types of threats that an organization can come across which may lead to data loss or breach. These threats are broadly classified into internal and external threats.
1. External Threats
These are threats that stem from outside the organization and involve gaining unauthorized access to data held within it. They are seen as the most frightening attacks but, as discussed below, not the most effective. These attacks come from sophisticated and highly skilled external hackers, who can find network vulnerabilities within your systems or socially manipulate employees to get past preset network defenses. Since an organization’s software applications run on open connections to IT databases, hackers aim to breach these applications and get inside, often by seeking application passwords that were left at their defaults.
2. Internal Threats
Organizations often argue that internal attacks are more dangerous than outside attacks. Willful attackers within the organization commit a large portion of database breaches. These can be disgruntled employees who abuse their privileged access to damage their organization, or infiltrators who work for external intelligence or hope to sell the organization's information to its competitors for profit. Malicious insiders with full access to organization servers are difficult to stop. Organizations can implement policies such as thumb drive policies, which aim to prevent leaks such as the high-profile one involving Edward Snowden, but these policies are hard to maintain.
Use cases for Data Loss Prevention
There are three main problems that a data loss prevention solution can solve, and these objectives are normally the same for every organization: how to protect personal information, how to protect intellectual property, and how to offer complete data visibility. We will look at how each of these use cases is fulfilled with DLP.
Personal Information Protection
Most, if not all, organizations store personal information, ranging from Personally Identifiable Information (PII) to PHI or PCI data. The main objective for any organization storing this type of data is to protect it while staying in compliance with regulations such as GDPR or HIPAA. A DLP solution helps organizations identify this data, classify it by type, tag the sensitive items, and monitor the activities performed on it. This covers the protection of the information, and the added ability to create reports also supports compliance with privacy regulations.
Intellectual Property Protection
The context-based classification functionality within a DLP solution can classify your intellectual property in both structured and unstructured forms. The policies and controls that are set in place can help you protect company secrets and important intellectual property from unwanted exfiltration.
Data Visibility
A DLP tool can help you track data at your endpoints, on your networks, and in the cloud. This tracking offers 360-degree visibility into how users are interacting with the data stored within your organization.
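The identify, classify, tag and monitor cycle described in these use cases is easier to reason about with a concrete (if deliberately small) implementation. The following Python scanner is an added example and is not code from the original article or from any DLP product: it looks for three constructed identifier patterns (e-mail address, US-style SSN, payment card number), applies a Luhn checksum so that an arbitrary run of digits is not mistaken for a card number, tags each record with a sensitivity label, and then applies a transfer policy that blocks sensitive records bound for an external destination and logs sensitive internal ones. The sample records, the regular expressions, the label names and the policy rules are all assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample records standing in for the messages or files a DLP
# agent would inspect. "destination" models data in transit: internal vs external.
SAMPLE_RECORDS = [
    {"id": 1, "destination": "internal",
     "body": "Quarterly sales figures attached, nothing sensitive."},
    {"id": 2, "destination": "external",
     "body": "Customer card 4111 1111 1111 1111, please refund."},
    {"id": 3, "destination": "external",
     "body": "Ticket ref 1234 5678 9012 3456 is a tracking number, not a card."},
    {"id": 4, "destination": "internal",
     "body": "Patient SSN 123-45-6789, DOB 1980-01-01, contact jane@example.com"},
]

# Hypothetical detection patterns; a real DLP rule set is far richer (keywords,
# document fingerprints, exact-data matching) but the structure is the same.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # 13-19 digits, optionally separated by spaces or hyphens
    "card_number": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str
    masked: str   # never log the raw value: the DLP log must not become a new leak


def mask(value: str) -> str:
    """Keep only the last four characters so a finding can be triaged safely."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan(text: str) -> List[Finding]:
    """Identify sensitive identifiers in free text, with Luhn filtering for cards."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if kind == "card_number" and not luhn_valid(re.sub(r"[ -]", "", value)):
                continue  # looks like a card number but fails the checksum
            findings.append(Finding(kind, mask(value)))
    return findings


def classify(findings: List[Finding]) -> str:
    """Map findings to a single sensitivity label (highest wins)."""
    kinds = {f.kind for f in findings}
    if "card_number" in kinds:
        return "PCI"
    if kinds & {"us_ssn", "email"}:
        return "PII"
    return "PUBLIC"


def evaluate(record: dict) -> dict:
    """Tag one record and decide the transfer action under the example policy."""
    findings = scan(record["body"])
    label = classify(findings)
    if label != "PUBLIC" and record["destination"] == "external":
        action = "block"        # sensitive data leaving the organization
    elif label != "PUBLIC":
        action = "allow+log"    # sensitive but internal: permit, keep an audit trail
    else:
        action = "allow"
    return {"id": record["id"], "label": label, "action": action,
            "findings": [f"{f.kind}={f.masked}" for f in findings]}


def run_policy(records: List[dict] = SAMPLE_RECORDS) -> List[dict]:
    return [evaluate(r) for r in records]


if __name__ == "__main__":
    for result in run_policy():
        print(result)
```

Two design points carry over to real deployments. The Luhn check is what keeps record 3 (a tracking number that merely looks like a card number) from being blocked, and that kind of precision control is what separates a DLP policy users tolerate from one they route around. The masking in the audit trail matters just as much: a monitoring log that stores every SSN and card number it ever flagged is itself data at rest that needs protecting.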
Data is becoming the most important asset of any organization, and protecting it is now not only necessary but obligatory. To keep their data protected and stay compliant with privacy regulations such as the CCPA and GDPR, organizations need a strong Data Loss Prevention tool implemented across their systems.