The digital curtain that was tailored with a belief that personal data was the proprietary secret of organizations has been pulled back, allowing data subjects to gain more control over their personal information. Countries across the globe have developed regulations based on the principle that personal data is an asset owned by people and held in trust by businesses, rather than a resource that can be freely collected.


As a consequence of the foregoing, management of risks relating to personal and sensitive information has become an imperative in every business setting, and the days of managing data without classifying it by sensitivity level may well soon be over.


We see a number of considerations driving this change; they are inextricably intertwined and together set the tone for effective cyber risk assessments and the privacy programs that follow from them. The main considerations in this context are to maintain privacy, prevent identity theft, comply with regulations, preserve trust and ensure the smooth functioning of a business.

Classification of data on the basis of sensitivity level is an essential measure when developing safeguards for sensitive data. It is an effective organizing principle for the data economy, and as a first step one can look at the following three broad buckets:


Restricted | This is the most sensitive data with the highest severity in the event of a compromise. Access to the same should be on a need-to-know basis only.


Confidential or private | This is moderately sensitive data with a relatively lower level of severity, if compromised. Access to such information should be internal to the organization or department that owns the data.



Public | This is non-sensitive data that would cause little or no risk to the organization if accessed. Access to such data is generally loosely controlled or not controlled at all.

The difference between personal data and personally identifiable information ('PII') is tricky to outline, especially once one considers the various regulations, authorities and procedures (such as the following) that address it:


  • General Data Protection Regulation ('GDPR');
  • Health Insurance Portability and Accountability Act of 1996 ('HIPAA');
  • Gramm-Leach-Bliley Act ('GLBA');
  • Securities Exchange Act of 1934 ('SEC Act');
  • Children's Online Privacy Protection Act;
  • Federal Trade Commission;
  • US Department of Labor; and
  • National Institute of Standards and Technology ('NIST').


Let's examine some of these in the ensuing section.

GDPR



The definition of personal data set out in GDPR is broader than that in most privacy regulations across the globe. PII is a term primarily used in the United States of America, while the European Union equivalent is found in Article 4 of GDPR, which defines personal data as "any information relating to an identified or identifiable natural person."


GDPR specifies that personal data can include the following special categories of sensitive personal data, and imposes additional safeguards on their processing:

  • Racial or ethnic origin.
  • Political opinions.
  • Religion.
  • Trade union membership.
  • Health.
  • Criminal activity.
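As an added illustration (not code from the original article), the three buckets described above and the GDPR special categories just listed can be encoded as a small classification and access-check routine: any special-category field forces a record into the Restricted tier, and each tier's access rule is then applied on request. The field names, departments and sample records are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Tiers from the three-bucket scheme described above.
RESTRICTED, CONFIDENTIAL, PUBLIC = "Restricted", "Confidential", "Public"

# GDPR special categories listed above. Assumption: record field names use
# these labels, so their presence can be detected by name.
SPECIAL_CATEGORY_FIELDS = {
    "racial_or_ethnic_origin", "political_opinions", "religion",
    "trade_union_membership", "health", "criminal_activity",
}
# Ordinary personal data fields (constructed list for this example).
PERSONAL_DATA_FIELDS = {"name", "email", "phone", "account_number", "date_of_birth"}

def classify(record: dict) -> str:
    """Most sensitive tier implied by the fields a record holds: any
    special-category field forces Restricted, other personal data is
    Confidential, anything else is Public."""
    present = set(record)
    if present & SPECIAL_CATEGORY_FIELDS:
        return RESTRICTED
    if present & PERSONAL_DATA_FIELDS:
        return CONFIDENTIAL
    return PUBLIC

@dataclass
class Requester:
    user: str
    department: str
    need_to_know: set = field(default_factory=set)  # record ids explicitly granted

def is_access_permitted(requester: Requester, record_id: str,
                        record: dict, owning_department: str) -> bool:
    """Apply each tier's access rule as stated in the text."""
    tier = classify(record)
    if tier == PUBLIC:          # loosely or not controlled
        return True
    if tier == CONFIDENTIAL:    # internal to the owning department only
        return requester.department == owning_department
    return record_id in requester.need_to_know  # Restricted: need-to-know only

# Constructed sample records; values are placeholders, not real data.
RECORDS = {
    "r1": {"name": "A. Patient", "health": "<diagnosis>"},
    "r2": {"name": "B. Customer", "account_number": "<acct>"},
    "r3": {"press_release": "Quarterly results published"},
}
OWNING_DEPT = {"r1": "clinical", "r2": "finance", "r3": "marketing"}
```

Note that a clinician in the owning department is still refused the health record until a need-to-know grant is recorded, which is the distinction between the Confidential and Restricted tiers.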


SEC Act


The SEC Act aims to monitor and prevent illegal types of insider trading by preventing those who hold material nonpublic information ('MNPI') from using it to their advantage in the trading of stock or other securities - or sharing it with others who may use it to their advantage.


Information about an organization that has not been made public but may have an impact on the share price is referred to as MNPI.


It is illegal for those who possess material nonpublic information to use it for trading in securities.

Sharing this information with anyone who uses it for financial gain in the stock market is likewise illegal; it is a civil and criminal offense punishable with prison time and fines, particularly where the resulting trading decisions can affect the financial well-being of an organization.

GLBA


GLBA contains rules regarding the privacy of non-public personal information ('NPI') that is collected by financial institutions and defines the same as “personally identifiable financial information, provided by a consumer to a financial institution, resulting from any transaction with the consumer or any service performed for the consumer, or otherwise obtained by the financial institution”.


GLBA deals with safeguarding and privacy of NPI. The "Safeguards Rule" requires financial institutions to store & protect sensitive customer information and ensure its secure transmission, as well as maintain programs and implement audit procedures that prevent unauthorized access and improper disclosure.


Like GDPR and the California Consumer Privacy Act, GLBA also protects the privacy of consumer NPI by giving consumers the ability to prevent disclosure of their personal data to third parties via the “opt-out” right.


HIPAA


HIPAA is the primary law that governs the use of, access to and disclosure of protected health information ('PHI') in the United States. HIPAA defines PHI as "data that relates to the past, present or future health of an individual." HIPAA also regulates the provision of healthcare to an individual, or the payment for the provision of healthcare to an individual. It further regulates how this data is created, collected, transmitted, maintained and stored by any HIPAA-covered organization.


Any organization or individual that handles PHI regularly is categorized under HIPAA as a covered entity and must follow the regulation's security and privacy rules. Healthcare providers and insurers are considered covered entities. Moreover, a third party that handles PHI on behalf of a covered entity is considered a business associate under HIPAA and is subject to HIPAA's rules. The main regulation that governs the secure handling of PHI is the HIPAA Privacy Rule. This governs how hospitals, ambulatory care centers, long-term care facilities & other healthcare providers use and share protected health information.

Some best practices for securing your sensitive data/information are provided below.

Use a complete security platform that can also protect your privacy | Security software should include a firewall that prevents unwanted or malicious traffic from entering the network. Most popular anti-virus solutions include a default firewall setup in their suite. Such suites keep users protected provided their systems receive regular updates.

Use a virtual private network ('VPN') that enables protection | The VPN should encrypt the internet connection to keep online activity private on any network, including public networks. Besides encrypting data traffic, an effective VPN can also keep the user's IP address hidden. Some VPN suites offer additional protection against ad-trackers and phishing attacks.

Protect your files | Many antivirus solutions include a "File Lock" feature, a file encryption function that lets the user lock important files in secure digital vaults on their device. Firewalls can also help detect whether a dangerous program or piece of code is attached to a network packet.

Look out for phishing attacks | Browser protections alert users when they come across suspicious links and downloads that could steal PII or otherwise expose their organizations to attack. These can provide protection against various threats such as malware, trojans, phishing, identity theft and other cyber-attacks.

While the measures stated above are essential, there is no substitute for a systematic cybersecurity risk assessment that enables organizations to identify, control and mitigate cyber risks. In this context, NIST has developed guidance for establishing a cybersecurity framework, which can also serve as a base for developing an effective cyber risk management and privacy program.

We trust that you found this thought leadership useful and would welcome your feedback.


Should you wish to discuss your cyber security and data protection strategy or require assistance in its implementation, please do not hesitate to reach out to us at contactus@mgcglobal.co.in.


Best regards

Markets Team

MGC Global Risk Advisory

About MGC Global Risk Advisory 

Recognized as one of the '10 most promising risk advisory services firms' in 2017, as the 'Company of the Year' in 2018 and 2019 (both in the category of risk advisory services), one of the 'Top Exceptional Companies to Work For' in 2020, amongst the 'Top 25 Customer Centric Companies' in 2020 and 'The Consultant of the Year' in 2021 (in the category of risk advisory services), MGC Global is an independent member firm of the ~US$ 5 billion, Atlanta-headquartered Allinial Global.


MGC Global provides services in the areas of internal audits, enterprise-wide risk management, control assessments (SOC, IFCR & SOX), process re-engineering, governance frameworks, IT risk advisory, GDPR, VAPT, ISO readiness, cyber security, vCISO, CxO transformation, forensic, ESG & CSR services. Our firm services its clients through its offices in Bengaluru, Mumbai and NCR, and has service arrangements in all major cities in India.

About Allinial Global

Allinial Global (formerly PKF North America) is currently the world's second-largest member-based association (with collective revenues of approximately USD 5 billion) and has dedicated itself to the success of independent accounting and consulting firms since its founding in 1969. It currently has member firms in over 100 countries, with over 28,000 professional staff and over 6,000 partners operating from nearly 700 offices across the globe.


Allinial Global provides its member firms with a broad array of resources and support that benefit both its member firms and their clients in the key impact areas of learning and development, human resources, international outreach, technical support, knowledge-sharing platforms through its specialized communities of practice, marketing resources, information technology and best practices in practice management.