We've all seen enough news stories to know what can happen when a business doesn't get compliance right or falls foul of data protection legislation.
No organisation wants the negative exposure that results – exposure that reduces public trust, puts brand and reputation at risk, incurs financial penalties and invites customer churn. However, it's not just the fear of negative exposure and financial loss that is putting organisations under pressure – it is the changing nature of the laws and regulations surrounding data protection.
Critical changes are in the works to certification requirements for the Payment Card Industry Data Security Standard (PCI DSS), to legal compliance with the European Data Protection Regulation and to enforcement of data protection requirements from the UK Information Commissioner's Office (ICO).
While the story of compliance is inextricably woven into the story of data security, many businesses have, fortunately, come to recognise that data security does not equal compliance. That said, there are three important updates planned to industry compliance standards and legislation that will have a direct impact on organisations' security direction and buying decisions this year.
Firstly, the update to PCI DSS is expected in October 2013. Ahead of the announcement of the update, the PCI Security Standards Council (PCI SSC) has released a new guidelines supplement to advise organisations on how best to meet the updated compliance mandate.
Updates to the standard – designed to enhance security – are extensive and touch every area of it. Given how porous today's networks and systems are to advanced attacks, organisations would be well advised to concentrate on enhancing the protections that surround their critical data, rather than on perimeter controls alone.
The second pertinent regulation, and one likely to affect any company doing business in Europe in the future, is the proposed European Data Protection Regulation, whose contents are still under discussion. While there has been broad support for legislation that reflects the business world of the 21st century, the detail of the fine print is beginning to cause some discomfort.
While the exact details of the pending regulation are not yet final, the legislation is widely expected to harmonise European data protection law so that the same rules apply to all businesses providing services to EU residents, and to exempt an organisation from breach notification where the breached data had been rendered unintelligible (in other words, encrypted, with the keys kept out of the attacker's reach).
Finally, the UK Information Commissioner's Office (ICO) has also been vocal on the thorny issue of cloud security and the related data protection responsibility. Despite issuing guidelines on the subject in September 2012, it appears the message is still falling on deaf ears – even if your business data resides on a shared infrastructure or has been outsourced, the cloud does not absolve you of your data protection responsibilities.
Here compliance starts with the basics: any organisation deploying resources to the cloud needs to scrutinise the security assurances given by its cloud service providers and consider whether these are sufficient for its data security needs. Traditionally, the expectation has been that the cloud provider would keep data safe but, as these salient guidelines from the ICO lay bare, the onus for effective data protection rests unequivocally with the 'data controller' (i.e. the organisation that determines the purposes for which, and the manner in which, the personal data are processed, which is normally the organisation that gathers the information in the first place).
Pertinently, points 63 and 64 of the guidelines specifically recommend encryption and key management as a means of mitigating the twofold concerns of data security and data governance in multi-tenant environments. Moreover, these points reflect the seventh data protection principle of the present-day Data Protection Act, which asserts that 'Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data'.
With the proposed EU Regulation, which would replace the current Data Protection Directive, also promising to be yet more prescriptive, savvy European businesses – or those doing business that falls within European mandates – would do well to put in place security solutions that enable them to maintain control of their data, and of the keys that protect it, in shared environments.
That's the best way to achieve both compliance and operational peace of mind in the face of the rapidly changing laws and regulations.
Paul Ayers is EMEA vice president at Vormetric