As enterprises both generate and store increasing amounts of data, ensuring the privacy and security of that data is more important than ever before.
That includes protecting data from cyberattacks. You may think your organization isn’t a likely target for such an attack, but the smart plan is to assume it will be and operate accordingly, says Jim Liddle, CEO of Storage Made Easy.
“In 2019, one thing is for sure,” Liddle said. “As a company, you will be cyberattacked at some point, either by ‘script kiddies’ or, if you are unlucky enough, a more unscrupulous, more organized set of participants.”
According to a survey from Accenture, cyberattacks were up across all categories in 2018, with ransomware and attacks from a malicious insider increasing the most. Companies were expected to spend 9% more on cybersecurity, Juniper Research found, and the cybercrime economy was worth $1.5 trillion last year.
“It’s never been more important to secure your systems and data, and organizations of all sizes are being attacked with increasing frequency and sophistication,” said cybersecurity consultant Dave Hatter.
It’s a risk for smaller enterprises in particular, with 62% of breaches in 2013 occurring at the small-business level, because they often don’t have a cybersecurity plan, said Ana Bera, co-founder of safeatlast.co. “Technology will become more sophisticated as time passes, and it’s always a smart idea to prevent yourself and your business from misuse of your personal and business data,” Bera said.
And even those smaller enterprises are often dealing with large amounts of data, thanks to that increasing tech sophistication. Customer information, financial records, data used to train internal machine learning and artificial intelligence (AI) processes—all of it is valuable, and all of it requires measures to ensure it stays private.
Lack of Federal Regulations
If you are operating under the assumption that government regulations in the United States are protecting your enterprise’s data, or even ensuring your own processes are in place to keep it private, you shouldn’t be. Some of the largest threats to individual privacy come from the vast amounts of data collected by private companies, said David Reischer, an attorney and the CEO of LegalAdvice.com.
“The patchwork of state laws that regulate third-party treatment of consumer data varies from state to state, and there are limited federal data-protection laws right now, although there are some very narrow safeguards,” Reischer said.
One notable exception is California, which recently passed the California Consumer Privacy Act (CCPA). However, that does not go into effect until next year and will apply only to for-profit businesses that meet certain criteria.
But right now, the data your enterprise has to protect, and how it must protect it, comes down more to regulations about your operations than about the type of data itself. For example, the laws might vary based on where the data originates or how it was collected—something else that a comprehensive federal policy could address.
There are some laws that do have a wider breadth—for example, all 50 states have regulations in place regarding notification of data breaches, and such breaches can lead to civil and/or criminal penalties for an enterprise.
The tides are changing globally as well, thanks in part to the 2016 passage of the General Data Protection Regulation (GDPR) in the EU. Many enterprises had to update their data privacy measures after GDPR went into effect in May 2018; those that haven’t yet should prepare for similar stateside requirements, Reischer said.
“It is inevitable, in my opinion, that eventually a similar federal law will come to regulate how big businesses protect personal data, and hopefully there will be a greater protection of an individual's right to privacy in the near future,” he said.
Where to Start
Managing data privacy at the enterprise level is more complicated than installing a good antivirus program and using strong passwords. It involves measures like encrypting data in transit along with data at rest, and ensuring strong policies around data organization and access.
Until federal guidelines and statutes are in place, know the rules of your own jurisdiction and any other jurisdiction in which your enterprise operates. And depending on your industry or sector, the Federal Trade Commission and the National Institute of Standards and Technology, along with any relevant industry groups, may offer information on best practices for data privacy and security.