Important considerations for protecting customers’ data privacy


May 17, 2019
By Bassam Hemdan


Data privacy used to be an afterthought for many companies. Organizations collected potentially sensitive customer data, but they didn’t necessarily know how much they had, where it was stored, or whether it had been compromised. But recent events have brought data privacy to the forefront. Today, protecting customer information needs to be a priority at the CEO level and something every employee takes seriously.

Unfortunately, Canadian companies appear to be woefully unprepared when it comes to protecting customer privacy. A 2018 survey from the Canadian Internet Registration Authority found that 59 per cent of businesses responding to the survey stored sensitive customer data and 40 per cent had experienced at least one cyberattack in the previous 12 months. Yet 38 per cent of respondents said they were unfamiliar with the Personal Information Protection and Electronic Documents Act (PIPEDA), which describes how companies should treat the personal information of Canadians.

Protecting customer privacy isn’t just important to preserving a company’s reputation. Poor data protection policies can carry financial penalties. Last year Europe passed the General Data Protection Regulation (GDPR), which carries stiff fines and penalties for companies that collect the personal data of European Union citizens without their permission or fail to protect that information. In Canada, PIPEDA was updated last year to require companies to report data breaches that expose the personal data of Canadian citizens.

However, in order to properly optimize compliance and security, you first need to understand what sensitive data you have, where it lives, who has access to it, and whether it even needs to be in the production environment. Content awareness, more efficient means of detection and remediation, and collaboration across stakeholders are key “must haves.” These things are the difference between living in an endless cycle of reactionary whack-a-mole and assuming a more proactive compliance and security posture.

Some important considerations include:

Know what kind of sensitive data your company collects.

Conduct a thorough audit to review and track all data that is collected from customers as well as employees. This key first step ensures you are able to build out all the necessary policies, security measures and backup requirements. Unstructured data – files, media and documents – typically accounts for 70-80 per cent of an organization’s data, and its value and corresponding risks are not always known. The problems are numerous:

  • The sheer volume of unstructured data
  • Ease of copying and moving it
  • The myriad locations in which it can be placed
  • The large number of applications that interact with it
  • Poor controls due to the historical acceptance of NOT managing it in a better way
  • Lack of a mandate for IT to better manage it

Make sure your company knows where that data is stored.

Identify all the areas where the data is kept: in your own data centre, in a cloud, on employee laptops, or in multiple locations. Once all the data has been profiled it can be secured, retained for use, or disposed of appropriately. With ever-increasing data volumes, policy is necessary and education is valuable, but automation is critical. Having risk-based dashboards and implementing automated policies based on content means that if you are breached in systems deemed to be low risk, the actual risk of important data being compromised is minimized. If a more sensitive location is affected, having sensitive data heat maps – plus a content index and search tools at hand – means you can then meet the seemingly impossible 72-hour breach notification period of GDPR.

Reduce your data silos to minimize your information risk footprint.

Gaining visibility and control over the sources discussed above often leads organizations to implement a number of disparate tools. This can create several additional data silos, all of which need to be managed, monitored and secured, which actually increases your risk footprint. Using a unified toolset instead allows you to consolidate the following operations:

  • Backup and recovery
  • Information risk profiling
  • Archiving and compliance retention
  • eDiscovery and investigative search across file systems and email to respond to GDPR data subject requests and other regulatory requests
  • Data spillage detection and remediation

This consolidation will not only reduce security risk; it will streamline processes, thereby saving the IT team time and budget.

Ensure you can identify data breaches and create a policy for notifying the appropriate authorities and dealing with potential breaches.

In November there were a few additions to PIPEDA legislation, including mandatory notification of data breaches. This means that any organization affected by a breach deemed to pose a Real Risk of Significant Harm (RROSH) must notify the Office of the Privacy Commissioner (OPC), the individuals affected by the breach and others as soon as feasible. A proper Incident Response Plan needs to be in place to identify all the required information – and organizations could even be penalized for not having a plan or properly established security safeguards.

Being proactive and prepared to manage customer data properly is no longer something that should be done; it must be done. Starting with the above will get organizations on the right track to managing and protecting the valuable data their customers have shared.

Bassam Hemdan is Vice President, Canada for Commvault.