Regulatory Compliance and Data Protection: A Brief Primer
Concerned about Regulatory Compliance and Data Protection? Here’s What You Need to Know
With personal data becoming more valuable and more abundant in a digital world, the importance of regulatory compliance and of data protection, storage and management has grown in proportion. Major regulations and standards exist in several sectors, including, in the US, healthcare (HIPAA and HITECH), financial services (GLBA, and the PCI DSS industry standard for payment card data), biotechnology and pharmaceuticals (FDA requirements) and the energy sector (NERC reliability standards enforced under FERC). Moreover, any organization that offers goods or services to, or monitors the behaviour of, people in the EU must comply with GDPR, regardless of where the organization is based. Such regulations aim to maintain the security of clients' personal, and often sensitive, information. Meeting them is not only a legal requirement but a basic part of good practice, and one that can affect your bottom line.
While compliance costs money and resources, it brings real benefits. To begin with, compliance better secures your organization's own data infrastructure, which may hold valuable and proprietary information. Likewise, it better secures your clients' data. Protecting data has become a central concern for clients, and being compliant adds value to the services you offer: it provides peace of mind for existing clients, and it gives potential clients confidence that their sensitive data is protected in accordance with government-established data regulations.
The consequences of non-compliance are hefty, both in cost and in reputation. To give one example of the cost of failing to comply, and of how mundane such failures can be: in June 2018 the University of Texas MD Anderson Cancer Center was fined $4,348,000 for HIPAA violations. This was not the result of a breach by hackers. Rather, it stemmed from a laptop stolen from the home of one doctor and, in two separate incidents, from the loss of USB memory drives, one while a researcher was travelling, the other misplaced or stolen from an office. In total, the electronic protected health information (ePHI) of more than 33,500 individuals was exposed. The problem was not that the devices were stolen or lost; it was that they were not password protected and the data on them had not been encrypted, even though encryption of ePHI on portable devices is a core HIPAA safeguard.
The requirements of most legal frameworks are fairly basic and align with best practice and with the textbook design of any well-organized encryption and key management system. They include: control of access to data; encryption of data at rest and data in transit, with the keys protected in Hardware Security Modules or similar systems, often combined with pseudonymization; logging of user access; testing of the effectiveness of data protection controls; and timely notification when a breach occurs. Failure to comply can result in a range of penalties, including fines, increased fees, and revocation of the right to operate in a given industry. Data breaches also have non-legal effects that drive clients to competitors and damage brands. Regulatory compliance and data protection are therefore not merely a legal concern; they have a significant impact on a company's bottom line.
Knowing the ins and outs of particular regulations can be difficult, especially as new regulations appear in response to new issues in data security and management. This is precisely why key management specialists like KeyNexus are central to helping your business with compliance. KeyNexus' Unified Key Manager (UKM) integrates readily with PGP encryption, IaaS and PaaS encryption, VMware vSphere and vSAN, and many other technologies that store and process sensitive information across the enterprise. And by letting you bring your own key (BYOK), the UKM ensures that the encryption key is stored separately from the data it protects, a requirement of many data regulations.
Separation of lock and key is a best practice that KeyNexus treats as a core value, but it is only one of the regulatory requirements the UKM addresses. As a full-featured key lifecycle management platform, KeyNexus' UKM helps you meet requirements across a wide variety of regulations and standards, whether on-premises, hybrid or in the cloud, including HIPAA, PCI DSS, GDPR and the Federal Information Processing Standards (FIPS). Beyond these specific regimes, KeyNexus supports the controls that regulations across sectors have in common: managing keys throughout their entire lifecycle, auditing of key operations (including Syslog support), backup and restoration, and key generation and import.
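As an added illustration, not part of the original KeyNexus page or its product code, the following Go program shows the "separation of lock and key" pattern the two preceding paragraphs describe, in the form of envelope encryption: each record is encrypted under its own data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK) that lives only inside a key manager, and only the ciphertext and the wrapped DEK are stored with the data. The KeyManager type is an assumed stand-in for an HSM or KMS, AES-GCM is used in place of a key manager's native key-wrap operation, and the KEK and record contents are constructed sample values. Revoking the KEK at the end shows why the separation matters for the lost-device scenario above: the stored data becomes unrecoverable without a key that was never on the device.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is stored beside the protected data: ciphertext plus the per-record
// data-encryption key (DEK) wrapped under a key-encryption key (KEK) that is never written here.
type Envelope struct {
	KeyID      string // which KEK in the key manager wrapped the DEK
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext)
}

// KeyManager stands in for an external key store (HSM or KMS), the only place KEK bytes live.
type KeyManager struct{ keks map[string][]byte }

func NewKeyManager() *KeyManager { return &KeyManager{keks: map[string][]byte{}} }

// ImportKEK takes a customer-supplied 256-bit key (the BYOK step).
func (km *KeyManager) ImportKEK(id string, kek []byte) error {
	if len(kek) != 32 { return errors.New("KEK must be 32 bytes (AES-256)") }
	km.keks[id] = append([]byte(nil), kek...)
	return nil
}

// RevokeKEK deletes a KEK; envelopes wrapped under it become unreadable even though they remain on disk.
func (km *KeyManager) RevokeKEK(id string) { delete(km.keks, id) }

// WrapDEK/UnwrapDEK use AES-GCM as the key-wrap primitive, standing in for a real key manager's wrap call.
func (km *KeyManager) WrapDEK(id string, dek []byte) ([]byte, error) {
	kek, ok := km.keks[id]
	if !ok { return nil, fmt.Errorf("unknown or revoked KEK %q", id) }
	return gcmSeal(kek, dek)
}

func (km *KeyManager) UnwrapDEK(id string, wrapped []byte) ([]byte, error) {
	kek, ok := km.keks[id]
	if !ok { return nil, fmt.Errorf("unknown or revoked KEK %q", id) }
	return gcmOpen(kek, wrapped)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce || ciphertext || tag, with a fresh random 96-bit nonce.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen splits off the nonce and verifies the tag; any tampering fails here.
func gcmOpen(key, data []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil { return nil, err }
	if len(data) < aead.NonceSize() { return nil, errors.New("ciphertext too short") }
	return aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], nil)
}

// Encrypt: fresh DEK per record, data sealed under the DEK, DEK wrapped by the key manager.
func Encrypt(km *KeyManager, keyID string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return nil, err }
	ct, err := gcmSeal(dek, plaintext)
	if err != nil { return nil, err }
	wrapped, err := km.WrapDEK(keyID, dek)
	if err != nil { return nil, err }
	return &Envelope{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK through the key manager, then opens the ciphertext.
func Decrypt(km *KeyManager, env *Envelope) ([]byte, error) {
	dek, err := km.UnwrapDEK(env.KeyID, env.WrappedDEK)
	if err != nil { return nil, err }
	return gcmOpen(dek, env.Ciphertext)
}

func main() {
	km := NewKeyManager()
	kek := make([]byte, 32) // constructed sample KEK; under BYOK the customer supplies it
	rand.Read(kek)
	km.ImportKEK("customer-kek-1", kek)
	env, err := Encrypt(km, "customer-kek-1", []byte("MRN 0001: constructed sample ePHI"))
	if err != nil { panic(err) }
	pt, _ := Decrypt(km, env)
	fmt.Printf("recovered: %s\n", pt)
	km.RevokeKEK("customer-kek-1") // a stolen disk now holds only unusable ciphertext
	_, err = Decrypt(km, env)
	fmt.Println("after revocation:", err)
}
```

Run with `go run`: the round trip succeeds, and the second Decrypt fails with "unknown or revoked KEK" once the KEK has been removed from the key manager. In a real deployment the KEK would be generated in or imported into an HSM or KMS, and WrapDEK/UnwrapDEK would be authenticated API calls to that service, which is also where the access-control and audit-logging requirements listed earlier are enforced.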
For more information on how we can help you meet compliance requirements, contact us.