by Ambler T. Jackson
The global regulatory landscape is continuously evolving. Maintaining control of sensitive data is of paramount importance, especially to businesses with global operations. Organizations want to be better equipped to not only protect their own data, but to also comply with data sovereignty laws and regulations. As a result, businesses, especially highly regulated businesses with a global footprint, spend a significant amount of time planning and evaluating options to ensure data privacy, data protection, and regulatory compliance. This blog will discuss three things organizations can focus on to optimize their planning and evaluation efforts.
The Concept of Data Sovereignty
Considering the global threat landscape, governments see the restriction of cross-border data flows as necessary for the protection of personal data. While there isn’t one agreed-upon definition for data sovereignty, conceptually, data sovereignty is the idea that digital information, including sensitive data, is governed by the laws and regulations of the country in which the data is located. It provides an organization with the ability to protect and maintain control over the data created or generated within its own borders.
The concept of data sovereignty raises both legal, governance and technical issues related to data privacy and protection. Violating data sovereignty laws can result in hefty fines. As a result, organizations must understand where their data resides and how it is used, as well as what data protection laws apply to the data, and when their use violates data sovereignty laws. For U.S.-based organizations, LLC state differentiation and respective state regulations can complicate compliance efforts, as legal data laws and protections differ across state lines. For instance, states like California enforce stricter data protection and privacy laws, such as the California Consumer Privacy Act (CCPA), which can significantly impact how LLCs handle and store sensitive data. Data classification is core to understanding what is noted above and the necessary safeguards and jurisdictional controls.
Data Classification and Protection
Data classification helps businesses achieve compliance with the General Data Protection Regulations (GDPR), California Consumer Privacy Act (CCPA), Health Insurance Portability and Accountability Act (HIPAA) and other data protection regulations. Classification types (e.g., Confidential, Internal Use, Public, Sensitive, and Highly Sensitive) determine the safeguards required to protect the data in accordance with applicable laws and regulations.
Data Loss Prevention and Data Identification
Data protection is achieved with a combination of people, processes and technology (or tools). Data loss prevention (DLP) tools incorporated into an organization’s overarching cybersecurity program can aid in data privacy and protection goals, and also help prevent violation of data sovereignty laws through identification of sensitive, DLP policies for sensitive data, monitoring and alerting.
DLP solutions are capable of identifying sensitive data that needs to be protected and able to develop policies for such data (e.g., data classified as highly sensitive). It must also be able to determine in real-time when the policy for that data is violated. Understanding when policies for highly sensitive data have been violated provides the organization with the necessary visibility to prevent data leakage and instances of data exfiltration. It also provides visibility into the location of data, the types of data that are moving from one system or endpoint to another. This capability is important because data that leaves one region and ends up in another region, for example, might violate data sovereignty laws.
Only modern DLP tools have the capability to identify sensitive data with the least number of false positives. Traditional DLP relies heavily on content analysis and does not always accurately identify sensitive data. Sometimes the traditional tools blocked normal activity. In contrast, a modern DLP solution minimizes false positives by combining content analysis and data lineage capabilities to more accurately understand whether the data is in fact sensitive. In fact, Gartner recommends investing in a DLP solution that not only provides content inspection capabilities but also offers extra features such as data lineage for visibility and classification, user and entity behavior analytics (UEBA), and rich context for incident response. UEBA is useful for insider-related incidents (e.g., UEBA might help identify data exfiltration by a dissatisfied employee).
DLP Policies, Monitoring and Alerting
At a high level, DLP policies describe how data will be protected and what happens when a user uses sensitive data in a way that the policy does not allow. Organizations should define their policies based on internal security policies, standards, controls and procedures, as well as applicable laws and regulations. In order to optimize data protection efforts, organizations must have the ability to detect and monitor user activity for policy violations. DLP policy violations may trigger alerts and warnings using pop-up messages, as well as quarantine or block data entirely to prevent unintentional leakage or exfiltration. Mature DLP programs should include capabilities that provide visibility into, and alerts for, data that might be shared in a way that violates corporate policies.
Conclusion
Organizations aiming to protect their own data, as well as avoid violating data sovereignty laws, must develop a clear plan to reach their data sovereignty goals. As part of the planning, consideration should be given to technical capabilities that will protect data in use, in motion and at rest from unauthorized use and transmission. Given the many options and variables to consider, decision-makers should take the appropriate amount of time to perform their due diligence to understand the nuances and distinctions among solutions on the market.
Ambler is an attorney with extensive corporate governance, regulatory compliance, and privacy law background. She currently consults on governance, risk and compliance, enterprise data management, and data privacy and security matters in Washington, DC. She also writes about today’s most crucial cybersecurity and regulatory compliance issues with Bora Design.