Concerned your systems have sensitive data?

Small oversights can result in failed audits and hefty fines

Leaks tarnish your reputation and put clients at risk

Beyond compliance penalties, leaks of sensitive data tarnish a company’s reputation and put your clients at risk of fraud. Whether your company needs to adhere to PCI, HIPAA, or GDPR, detecting and removing sensitive data from company devices is crucial.

Manually sifting through data is a time-suck

Given the amount of data most companies host, manually sifting through devices for sensitive data is not a viable option.

How Data Discovery tools can help

Data Discovery tools enable you to automate the detection and removal of sensitive data. For teams that have fallen behind on managing sensitive data, the massive amounts of data that need to be detected, removed, or secured can feel overwhelming. The good news is that a robust tool can help you play catch up for an upcoming audit. It can also help you put proactive policies in place that prevent sensitive data on your devices from snowballing into a large liability in the future.

Need help catching up for an audit? Click here to learn more about Omega’s Card Data Discovery solution

Essential Components of a Data Discovery Tool

  • 01 Detection

  • 02 Periodic scans

  • 03 Advanced reporting

DETECTION

Your First Layer of Defense

At the first layer of detection, automated alerts fire whenever sensitive data is downloaded onto an endpoint. Periodic scans form a second layer of defense in case any sensitive data slips through the cracks. Depending on your specific compliance frameworks, recommendations vary for how often your organization should run scans. At a minimum, Omega recommends running at least one scan per month.


Periodic Scans

Discover Data That Slipped Through the Cracks

Periodic scans also form a second line of defense in case any sensitive data slips through the cracks of the first level of detection and alerting. Recommendations vary for how often organizations should run scans. At a minimum, Omega recommends running scans once per month.


Advanced Reporting

Stay a step ahead of problems with Advanced Reporting

Advanced reporting is integral to a robust data discovery tool. Sometimes it is difficult for stakeholders to understand the importance of staying proactive with policy. Your data discovery tool should be able to generate reports that calculate the potential liability of the sensitive data across your entire organization’s IT infrastructure. Depending on the size of your organization and the amount of sensitive data, failure to implement proactive policy could result in liability that is well above six figures. Quantifying this number can help stakeholders buy into implementing company-wide policy so that your company is not hit with a crippling fine.


Compliance Risks for Leaving Sensitive Data Exposed

Compliance standards share common themes but use different terminology. The same technology that detects one form of sensitive data should be able to detect the others. Thus, regardless of your industry, the data discovery tool your company uses should be able to detect the types of data covered by any of the following frameworks when they are present on your devices:

  • PCI

  • HIPAA

  • GDPR

The Payment Card Industry Data Security Standard

PCI DSS outlines the standards for handling sensitive card data

Credit card fraud is a huge problem for retail merchants and customers. PCI DSS outlines the standards for handling sensitive card data. Unencrypted credit card data may only be present in your organization’s card data environment (CDE). Any unmasked card data stored in network segments outside the CDE is a potential liability. Merchants that fail to adhere to PCI can be cut off from processing credit cards. Typical financial penalties from payment processors range from $5,000-$10,000 per month but have no maximum. On top of that, an additional $50-$90 fine is added for every card that was compromised. Many merchants roll the dice month to month to save a little, but in doing so risk a catastrophic loss. If you are a merchant, you should view adhering to PCI as holding fire and flood insurance for your home: a small price to pay to protect everything you’ve worked so hard to build. In addition to removing unsecured card data, monthly scans for card data are a requirement for PCI. Thus, using the right data discovery tool brings you one step closer to PCI compliance.

If you are concerned that there is excessive card data in your environment, Omega Discover can help you quickly detect and remove it and bring you into compliance. Click here to learn more.


The Health Insurance Portability and Accountability Act

Compliance Risks for Mishandling Protected Health Information (PHI)

Patients trust healthcare providers to keep sensitive medical data safe from malicious actors. In the realm of data discovery, the Health Insurance Portability and Accountability Act (HIPAA) outlines standards for how healthcare providers handle Protected Health Information (PHI). Failure to adhere to HIPAA’s standards for protecting PHI results in penalties that range from $100 to $50,000 per individual violation. The maximum penalty per calendar year in aggregate is limited to $1.5 million.

Health information becomes PHI when it includes one or more of the following identifiers:

  • General Information: name, email addresses, telephone/fax numbers, geographic information on the patient, dates

  • Government Identification: Social Security Numbers (SSN), driver’s license/driver’s license numbers, license plate numbers (and/or any vehicle identifiers or serial numbers)

  • Digital Footprint: website addresses, electronic device identifiers/serial numbers, IP addresses, photos of the patient (and/or comparable images) and biometric identification (e.g., fingerprints, retinal scans, or facial scans)

  • Insurance and Billing: medical record numbers, account numbers, insurance plan or health plan numbers

More broadly, PHI includes “any unique identifying number or code”. Given the broad scope of PHI, it is important to make sure that the data discovery tool you deploy in a HIPAA environment can detect all of these different identifiers.
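As an added illustration of the detection layer described above, for both the unmasked card data in the PCI section and identifiers such as SSNs in the HIPAA list, here is a small scanner written for this page (not Omega’s product code). It finds candidate card numbers and SSNs in text, uses the Luhn check and SSA issuance rules to discard look-alike numbers such as order ids, and reports only masked values so the report itself cannot leak data. The sample text is constructed and uses a well-known test card number.

```python
import re

# Card-number candidates: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# US SSN in the usual 3-2-4 dashed form.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every real card number passes; filters out order ids etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold two-digit results
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped numbers that are never issued (area 000/666/9xx, zero group/serial)."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")

def mask(digits: str) -> str:
    """Keep only the last four digits so the report is not a new leak."""
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_text(text: str) -> list:
    """Return one finding per sensitive value found: {"line", "kind", "masked"}."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append({"line": line_no, "kind": "PAN", "masked": mask(digits)})
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append({"line": line_no, "kind": "SSN", "masked": mask("".join(m.groups()))})
    return findings

# Constructed sample: a Luhn-valid test PAN, a 16-digit order id that fails Luhn,
# one plausible SSN and one SSN-shaped value that is never issued.
SAMPLE = """customer 42 paid with 4111 1111 1111 1111 on 2023-05-01
order ref 1234567890123456 shipped
patient SSN 219-09-9999 on file
placeholder 000-12-3456 is not a real SSN"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

Pointing `scan_text` at file contents gathered from an endpoint gives the per-line findings a periodic scan would report; counting findings per device is the input to the liability reporting discussed above.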


General Data Protection Regulation

Have EU clients? GDPR outlines how to handle citizen data

Through the General Data Protection Regulation (GDPR), the EU put in place standards to protect its citizens’ sensitive data. This form of sensitive data is referred to as Personally Identifiable Information (PII) and has a broad scope: any data that could be used to identify a specific individual is considered PII. Right now, GDPR applies to any company that holds data of citizens of the EU or EEA, so if your business transacts with citizens of the EU or EEA, you likely fall under GDPR. Given the broad definition of PII, casting the widest net possible to detect and remove sensitive data is your best bet.

Failing to adhere to GDPR is a huge liability. Article 83 of GDPR imposes penalties that are based on the size of an organization and the amount of unsecured sensitive data that organization holds. Penalties can be up to 2% of global revenue or up to 10-50 million euros in aggregate.

However, even organizations that do not transact with EU citizens should consider using a data discovery tool that can find PII. Legislation that mimics GDPR is already in place in California via the California Consumer Privacy Act (CCPA), and other states are following suit. It is conceivable that federal privacy legislation mimicking the CCPA and GDPR will be introduced in the US in the coming years. The message is clear: government officials and regulators are taking data privacy seriously. If your organization is considering doing business in the EU or wants to stay a step ahead of coming privacy regulations, it should implement proactive policies today.


Need help scanning for sensitive data?