- July 27, 2022
- Bill Tolson|
- Data Privacy|
- Records Management|
- Information Management|
- Information Security|
- Zero Trust
Followers of Archive360’s past blogs, podcasts, and webinars know that I have questioned the non-prescriptive data security provisions in current data privacy laws, including the GDPR. They all use derivations of the same data security provisions. For example, specifying that data controllers must maintain reasonable administrative, technical, and physical data security practices to protect personal data's confidentiality, integrity, and accessibility.
My question to the state senators who authored the laws, as well as privacy subject matter experts, has been: why aren't the data security provisions more prescriptive? Why aren’t they demanding specific data security requirements such as:
These are basic common-sense examples of non-proprietary security controls that could dramatically lower the risk of PII theft.
Last year (2021), the Sedona Conference, a nonpartisan, nonprofit 501(c)(3) research and educational institute dedicated to the advanced study of law, published a paper on reasonable security titled: The Sedona Conference Commentary on a Reasonable Security Test. This paper addresses the "legal test" a court or other legal body should apply in a situation where a party (data collector or data processor) has a legal obligation to provide "reasonable security" for personal information and whether the party did enough to protect the sensitive data.
There is no question that courts recognize that data security is not foolproof and that even the best security protocols and technology can be defeated. Given that, the question courts will be asking is: did the data collector/processor at least attempt to meet industry data security best practices to ensure secure sensitive data?
The challenge for data collectors is determining what your industry's data security best practices actually are. President Biden's Executive Order 14028 attempts to address this challenge by including a provision that creates a working group comprised of representatives from both the federal government and private industry focused on information dissemination on cyber-related issues and news.
In the meantime, the question persists "what is reasonable data security?"
My interest in the Wawa settlement centers on the specific data security requirements it sets out. While we wait for additional clarification from lawmakers regarding what defines “reasonable”, organizations considered with protecting customer data should review them and assess the impact of implementing them.
Under the settlement, Wawa agreed to a series of provisions designed to strengthen its data security (reasonable security) practices. They include:
Circling back to my main question of defining reasonable security for data privacy laws, it would seem that the six states agreement has made an attempt at defining minimum data security requirements and could be used as a precedent in future data breaches and act as a roadmap for organizations to follow when setting up policies, procedures, and technology to protect sensitive data, including personally identifiable information.
Archive360 is the leader in secure cloud-based information management and archiving.
Unlike SaaS platforms, Archive360 offers a customizable, extremely secure platform to archive and manage your most sensitive data in the cloud. Based on a Zero Trust PaaS-based intelligent information management and archiving platform, our platform is installed in the customer's own cloud tenancy. Customers can implement additional levels of security, including fully private, isolated enclaves, and create and store their own encryption keys. As a PaaS solution, our customers retain complete control and direct ownership of their encryption keys and their data.
Unlike the SaaS shared cloud model, the Archive360 cloud Platform can support and be a part of Zero Trust security architecture, i.e., a private/secure enclave, to ensure there are no shared resources, shared encryption keys, or common security certificates.
Archive360 offers the industry's only Cloud Security Gateway, which provides encryption of all data before movement to the cloud, on-premises encryption key storage, access controls, and homomorphic and field-level encryption for total data security in transit, at rest, and WHILE IN USE.
These security capabilities ensure data collectors and processors can meet and exceed the new privacy compliance standards.
For more information on the emerging data privacy laws and new data security requirements, please contact the experts at Archive360 by emailing us at email@example.com or calling us at +1 (212) 731-2438.