Published on February 9, 2023 by Jennifer Leider
What is data privacy:
There are daily headlines flashing with “data breach” stories. Companies lose money, information, and face every time someone gains access to data they shouldn’t have. And yet, it keeps happening. Leadership gives access without thinking. Employees share passwords. Little yellow flags turn into waving red ones in the news. And suddenly, your company isn’t saving time and money by skipping steps. Best practices are grasped at in hindsight.
Data is a company’s most valuable asset. Data privacy entails how secure and unreachable your company’s data is. From personal employee information to company security – it's all crucial to keep safe.
Best practices for data privacy:
A DBA’s major function is maintaining company data security and privacy. There are tons of best practices for those in the weeds, as well as for fractional CIOs and other leadership positions.
- Be aware of your company’s standards for data protection, as well as your city or larger area’s
- As data evolves, so does the need for updated privacy methods – stay on top of software updates and upgrades, new technology, etc
- Complete regular security audits
- Complete an assessment or pay for a probing or penetration test (which tests how difficult it is to break into your secure data)
- Make sure that only people who need to see certain data can see it (and only people who need to edit can edit) – no one should have access to data by default
- As employees get promoted, they might ask for more access than they need – sacrifice ego for security. Ask, “does my job and my promotion require me to have access? Or do I have people under me who can take care of this?” Access and the level of access should always be approved by a supervisor
- Have DBAs, outsourced and internal, keep minimal “keys on the keyring,” i.e., employees should only have access to what is necessary to complete a job
- When bringing on external help, some businesses send over general access – it's easier and faster, but we recommend sorting out appropriate security levels for every employee brought on
- Stay in foresight, or "growth mode" so that security is always an initial consideration. It shouldn’t only be important after something bad happens
- If you don’t have access to something, don’t ask a coworker on the same level – instead, ask a supervisor. They might have a reason why you don’t need or shouldn’t be allowed into a set of data. A coworker might have less insight and just let you in
- Be aware of your company’s best practices for data retention periods. Holding data that’s over 10 years old might not be safe or valuable
- Lock your screens – one of our lead DBAs, John Whitehead, likes to say, “control-alt-delete before you leave your seat.” Make sure there’s no visual access to your work, whether you’re leaving your desk for a lunch break or even working opposite a window
- Make sure people have data security practices training coming into the business, and make sure people leave without any possible access to data – physically or digitally. Consider including the DBA team in the offboarding process.
- Build several layers of protection in at the root/network level of your data – privacy overlays, security templates, etc
- Sanitize systems of credit card numbers, Social Security numbers, PHI, etc
For more best practices, here’s an article written by 6 tech experts for Data Privacy Day 2023.
Where people go wrong with their data privacy:
The following are the antitheses of best practices. Where are you and your company potentially falling short?
- Forgetting Non-People Identities exist, especially in the Cloud
- Not having a disaster recovery plan or ways to recuperate from a breach
- Bringing in insecure devices without explicit safeguards – BYOD
- Being resigned that data security is an unsolvable problem, or that the Internet already has everyone’s information
- Statistically, the vast majority of security breaches are internal – check your own internal practices and employee rules
- Weak archival data – you should have encryption and WORM (write once, read many) capabilities to have data last only as long as you need
- Cloning usernames and coworker information – this may grant access that is not required
- Prioritizing convenience over privacy and security
- Using data outside the ways you legally promise to use it
Why data privacy continues to cause issues:
If we see all these headlines about data breaches, and we know how to prevent them, why are they still happening? Usually it boils down to the following reasons:
- Missing the top-down approach
  - Leadership should be regularly giving best practices for privacy, security, and compliance.
  - There should be mandatory privacy and security training
- Ransomware, including ransomware as a service (RaaS), is gaining popularity
- Data privacy for the wrong motivations/reasons - following protocol to avoid fines and be within parameters of data compliance rules
What your company should do when there’s a data breach:
Step one – already have a plan in place. Your data is too important to be picking up the pieces after an attack, internal or external. Here are some additional steps to add to your plan:
- Review your already-in-place security protocols
- Ask, “where did the breach come from?” and try to find the source. If you can’t locate it, the next question to ask is, “is my company so wide-open that anybody can see our data and secure information?”
- If the breach is external, look at deals with third parties. Is your company outsourcing work? Are they involved with offshoring, or with a third party who has the potential to sell data?
- If the breach is internal, find out who has access to which data
- Once new privacy rules are set for the company, try penetration testing to see how safe your data is from external threat
- Make sure old employees have zero access to your company’s data through their IDs, logins, connections, or even physical keys
Data privacy on a physical server vs in the Cloud:
98% of all companies experienced a Cloud data breach within the past 18 months. Does that mean Cloud isn’t a safe place to store data? Of course not.
Physical servers are controlled by a data center with cages, server rooms, etc. Physically protecting the hardware is simpler. There’s keys and fobs and locks (oh my). You know who is going in and out of the data center, and if there is a breach, you can write down names of everyone who has (or has had) access to the space.
Cloud platforms aren’t better or worse for data privacy, but they are more complex. You’re renting space on someone else’s hardware. You have finite control over who accesses your data. Yes, despite most software’s boasted ability to keep your data safe, secure, and encrypted, this might be tricky to actually control. Cloud platforms need security updates – the ones you need to keep your data safe in the first place. But you don’t know or control who is giving these updates. The same goes for software maintenance and administrative work: you are not able to choose who provides these services. And of course if you’re trading logins and usernames, you’re setting yourselves up for internal breaches on any platform.
Difference between data privacy, data safety, and data security:
Data privacy...
- Revolves around compliance issues
- Comes from regulations and policies that govern data usage
- Settles how to lawfully use and store data
Data safety...
- Comes from applying and maintaining best practices
- Involves employing tools, strategy, and keeping up with privacy regulations
Data security...
- Limits access to secure files – adding encryption, password protection, etc
- Masks data
- Functions inside of data platforms to enforce safety and privacy
Data privacy law:
As breaches and selling information grew in infamy in the late 2000s, so did government voice. Data privacy laws are still gaining traction, kicked off by well-known GDPR in 2018. Other countries have since followed the EU’s political choices by putting into action their own data privacy legislation.
By 2024, it’s predicted that 75% of the world’s population will be protected under modern data privacy legislation. The U.S. has the ADPPA, and 5 states (California, Virginia, Colorado, Connecticut and Utah) have already enacted or plan to enact data privacy legislation this year.
Data privacy laws are not innately good or bad – just a potential countermeasure to protect companies and create a legal hammer against hackers and breaches. They act like any other legal privacy screen; HIPAA, for example. If you break the law, there are consequences. Security is enforced on a legal scale, whether state-wide or national.
There has not been substantial data determining whether government involvement has eased the number of data breaches. But these new laws are not going away anytime soon, and are expected to grow in number and in penalty intensity.
What can Solvaria do:
Our database health assessments are a great start to figuring out next steps. We look at your company’s practices, and the health of your data’s protection, and make recommendations from there. Whether you need policy changes or updated security layers, our DBAs are able to flesh out exactly what the best next steps are. And we will always be able to find a better, stronger way for your business’s data to live. It’s in our own best interest that our clients succeed.