A SECURITY-AWARE CULTURE IN A BORDERLESS SOCIETY
The Protegrity Data Security Platform is focused entirely on helping your business achieve compliance with the PII protection elements of US Federal and State legislation (as of November 2010, 46 states have local data breach legislation in place in addition to federal statutes). US Federal regulatory requirements include the Payment Card Industry Data Security Standards (PCI-DSS), HIPAA-HITECH, FedRAMP, GLBA, Sarbanes-Oxley and others; equivalent legislation in Canada, the European Union, and other markets also applies to any business operating in, or with customers in, those markets.
It is important to remember that, while regulatory standards represent the minimum level of security required to protect sensitive data, defining and implementing a broad-based security policy within your organization will also support the protection of your brand reputation and stockholder/customer confidence. Protegrity will be pleased to assist you in identifying best practices for your market sector.
In December 2004, all the major credit card companies came together to agree on a comprehensive set of data security requirements, the Payment Card Industry (PCI) Data Security Standards. These standards replaced the credit card companies' individual programs and brought to the industry a consistent set of standards for data security.
The purpose of the PCI Data Security Standards is to ensure that all financial institutions, merchants, e-commerce companies, and their agents and service providers implement basic security standards to protect and secure all credit cardholder data. More specifically, organizations are responsible for having the necessary security policy, systems and auditing infrastructure in place to protect and secure the strict privacy of credit card and customer data throughout the entire transaction process.
General Data Protection Regulation (GDPR) is the new legal framework for privacy and data protection of citizen data, directly applicable to all industries and worldwide organizations that process the personal data of EU citizens. Effective in May 2018, there is less than a two-year window of opportunity for businesses as well as regulators to adapt their data protection practices accordingly for compliance.
Any company or service provider that holds and processes personal data on behalf of its customers typically acts as a Data Processor on behalf of those customers. GDPR raises the bar for Data Processors, requiring records of data processing activities, appointment of Data Protection Officers (DPOs), privacy impact assessments, enhanced transparency in terms of privacy notices and consent forms, and the rights to be forgotten and to data portability. In addition, GDPR introduces a breach notification requirement: applicable to Data Processors and Controllers in all industries and areas, incidents must be reported within 72 hours. Notification of breach is not required if the data was kept securely.
HIPAA & HITECH Compliance
HIPAA, the Health Insurance Portability and Accountability Act, was originally designed to make health insurance coverage simpler and more transparent for policyholders. Making health data both more portable and more accessible introduced major privacy concerns that affect not only health services providers and insurers but also insurance agencies and HR departments: any organization with access to confidential health records is required to abide by the information privacy aspects of HIPAA. The HIPAA Security Rule specifies the administrative, physical, and technical safeguards that must be used to assure the confidentiality, integrity, and availability of electronic Protected Health Information (PHI).
The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act of 2009 to promote the adoption and meaningful use of health information technology. The data security sections of the HITECH Act were developed to require organizations that handle PHI to meet baseline criteria for protecting that data in motion, in use, at rest and at disposal. The HITECH Act reinforces HIPAA to encourage use of electronic patient records and to deliver stricter data protection regulations for more secure patient privacy.
Federal Risk and Authorization Management Program (FedRAMP)
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
FedRAMP has been designed to support the adoption of secure cloud solutions for government entities. This includes providing guidance for authorization, consistent application of proper security controls, and a baseline for security assessments and monitoring. Its focus is on Cloud Service Providers (CSPs) and the assessment of specific cloud implementations.
Protegrity's data-centric approach to data protection allows Federal entities to add data protection and enforce 'least privilege' within FedRAMP-certified CSPs. This includes role-based security policies that enforce fine-grained access at the field level (exposing only the fields the user needs to see) or within a field (showing partially redacted data to users who do not need to see the full value). Protegrity's solution covers the full enterprise, so the same level of data-centric controls can be applied to data on-premises and in CSP environments. Additionally, all data access and attempted data access is audited and can be analyzed in real time.
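The field-level and in-field controls described above, sketched as an added example that is not Protegrity's code: a constructed role-to-field policy, a partial-redaction helper, and an audit trail that records denied attempts as well as granted access. The POLICY table, mask_value and enforce are hypothetical names chosen for this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical policy: role -> field -> action ("full", "mask", "deny").
# Constructed for illustration; not Protegrity's policy format.
POLICY: Dict[str, Dict[str, str]] = {
    "analyst": {"name": "mask", "ssn": "mask", "dob": "full", "zip": "full"},
    "support": {"name": "full", "ssn": "mask", "dob": "deny", "zip": "full"},
    "auditor": {"name": "full", "ssn": "full", "dob": "full", "zip": "full"},
}


def mask_value(field_name: str, value: str) -> str:
    """Partial redaction: keep only the characters the role needs to see."""
    if field_name == "ssn":
        return "***-**-" + value[-4:]          # last four digits only
    return value[0] + "*" * (len(value) - 1)  # first character only


@dataclass
class AccessLog:
    entries: List[dict] = field(default_factory=list)


def enforce(role: str, record: dict, audit: AccessLog) -> dict:
    """Return the view of `record` that `role` may see, logging every field
    decision. Fields absent from the policy (or unknown roles) default to deny,
    and denied attempts are logged just like granted access."""
    rules = POLICY.get(role, {})
    view = {}
    for name, value in record.items():
        action = rules.get(name, "deny")
        audit.entries.append({"role": role, "field": name, "action": action})
        if action == "full":
            view[name] = value
        elif action == "mask":
            view[name] = mask_value(name, value)
        # "deny": the field is omitted from the view entirely
    return view


if __name__ == "__main__":
    # Constructed sample record, not real data.
    rec = {"name": "Alice", "ssn": "123-45-6789", "dob": "1980-01-01", "zip": "10001"}
    log = AccessLog()
    print(enforce("support", rec, log))
    print([e for e in log.entries if e["action"] == "deny"])
```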
Privacy data, or Personally Identifiable Information (PII), represents the most valuable currency on the black market today. Including Social Security numbers, names, addresses, customer and employee records, geo-location data, and much more, unprotected PII opens the door to identity theft, bank and insurance fraud, and economic and political espionage. Clearly, it is key to the security of individuals, businesses, and governments alike to protect it at all times, whether at rest or in transit; hence the evolution of increasingly complex data protection legislation.
Protegrity provides a comprehensive path towards meeting the duties of due care required by these regulations, keeping customer and employee data secure and auditors happy. In addition, Vaultless Tokenization can enable responsible data management, analytics, and monetization of PII while keeping the data secure.