By Michael Greco and Matt Oldham of Omnistruct
The sensitive information your company handles comes with a responsibility that you must not take lightly. Consider how you approach protecting your personal information, such as your bank account number, PIN, or social security number, and apply that same attitude towards your employee and customer data. When a personal account is hacked, it is expensive. When the breach is against company-housed data, it can be catastrophic.
Being a steward of sensitive employee and customer information requires a proactive approach. Security measures need to be put in place to protect the different types of data your business handles. However, when creating your plan, don’t implement it in a knee-jerk fashion. This may lead to vulnerability in protecting data. A good plan will keep the time and expense down. Think about how many trips to home depot your last home project took.
The good news is that time-tested cybersecurity frameworks have already been developed that regulate what security measures should be taken to protect different types of data. While each of these frameworks may or may not apply to your company, you do need to be mindful, intentional, and proactive about how you protect sensitive information.
Utilizing an applicable framework will help your company more consistently identify potential gaps and areas of improvement, leading to faster remediation and overall improvement in your company’s security posture.
There are a few key things to consider when evaluating which compliance standards apply to your company and which framework to utilize. The first consideration is the security requirements from your vendors, current customers, and future customers. Next are the types of sensitive information your company houses and has access to, which we cover in this blog. Finally, it is crucial to have a sound understanding of the types of fees or other financial consequences you may face if your data is breached. We will cover this last consideration next month.
The Common Denominator of Sensitive Information
Every company houses sensitive data in some form—specifically, Personally Identifiable Information (PII) for employees and possibly customers. So what counts as PII? PII at a base level is a person’s name and address. Other forms of PII include Social Security numbers, tax information, Driver’s License numbers, phone numbers, credit card information, medical information, and more.
Every company is required to maintain sensitive information about its employees. It is the business’s responsibility to proactively and properly protect this data. Adopting a framework will help you identify security gaps and address them, enabling you to be a better steward of that data.
California Privacy Rights Act
If your employees are residents of California, you will need to determine if the California Privacy Rights Act (CPRA) applies to your company. The CPRA goes into effect on January 1, 2023. The act expands the definition of what construes sensitive personal information. Once enacted, sensitive data will also include ethnicity, religious beliefs, geolocation, email contents, genetic data, and other criteria.
The CPRA expands the rights of employees around their collected data. Employees will have the right to access and correct their data and delete and restrict its use. Certain exceptions will be in place regarding restrictions that allow for the needed use of employee data. Employees will also have the right to opt out if their data is sold to 3rd parties.
The CPRA will apply to for-profit companies that meet one of the following criteria:
- Annual gross revenues over $25m in the preceding calendar year
- Buys, sells, or shares the personal information of at least 100,000 California consumers or households
- Derives at least fifty percent of its annual revenue from selling or sharing consumers’ personal information
How do Applicable Businesses Need to Prepare?
Everything addressed above regarding the requirements of the CPRA applies to customer-sensitive data as well. Whether CPRA will or will not impact your business, it is still crucial to clearly understand what Customer PII you collect, store, and transmit and to have that data categorized and its location tracked.
As with Employee PII, an excellent first step is to perform a data mapping exercise. Please note that neither FUSE3 nor Omnistruct employs attorneys. Therefore we recommend that you have an impact assessment performed around these privacy laws by either your in-house counsel or a privacy attorney to confirm their impact on your business.
California is not the only state with new privacy laws. Other states are following California’s lead and passing new, similar laws that impact the residents’ personal information of those states. Be sure to educate yourself on the privacy laws of any states where your customers or employees reside.
Other Types/Categories of Sensitive Data that Trigger Compliance Requirements
Credit Card Data
The PCI Security Standards Council has its own security requirements that you need to follow when handling credit card data, known as PCI-DSS or Data Security Standard. There are varying requirements based on two key factors:
- Number of Annual Transactions – PCI has four compliance levels based on the number of transactions conducted annually.
- To keep it simple, the key threshold is 1m transactions
- Under 1m transactions: you can self-attest using an SAQ (Self Assessment Questionnaire)
- Over 1m transactions: requires regular 3rd party assessments performed by a Qualified Security Assessor (QSA)
- To keep it simple, the key threshold is 1m transactions
- How Transactions are Processed
- Are all transactions outsourced to a 3rd party processor?
- Do you manage the website where credit card transactions occur, or is that outsourced as well?
- Do you take any transactions over the phone?
- Answers to these questions (and more) determine which SAQ is right for your organization
- The more that is outsourced, the easier the compliance lift is for your business
Personal Health Information (PHI)
If you handle electronic PHI (also known as ePHI) because you treat patients or support a covered entity, you are most likely aware that you must comply with HIPPA. If not, you need to determine if you are considered a Business Associate and know what HIPAA compliance requirements apply to your organization.
According to HIPPA, a Business Associate is an organization that provides services to a covered entity that involves the disclosure of PHI. Covered entities include health plans, healthcare providers, and healthcare clearinghouses.
If you are contracted with the federal government, you may handle or access Controlled Unclassified Information (CUI). CUI covers a wide variety of types of sensitive government information (personal information, legal documents, health information, blueprints, intellectual property, etc.).
Most importantly, CUI is a classification of data used by the U.S. Government and its agencies. There are preset security requirements that are determined based on your organization’s level of access to CUI. These are summarized in the Cybersecurity Maturity Model Certification (CMMC).
It should be the goal of any business to be integrated into the business processes of their customers. In today’s connected world many businesses are requiring their supply chain to adhere to security standards before a contract can be signed. This usually becomes an issue at the last moment and we have seen large contracts lost without a mature cybersecurity program in place.
There are other categories of data that have compliance implications. However, Credit Card Data, PHI, and Government Data are the most common.
Don’t Take This Responsibility Lightly
We are all stewards of sensitive information, and that’s a responsibility we need to take seriously. Gain a clear understanding of the types of data you access and store in your organization. Identify which compliance standards and privacy laws apply to your organization. Be proactive and holistic in your approach to protecting and securing that sensitive data. Following these steps will put you on the right path as a responsible guardian of the data entrusted to your business.
Let Us Eliminate Your Struggles
Slogging through all of the requirements inherent in cybersecurity compliance is enough to make your head spin! Chances are, if you are reading this blog, this is not your area of expertise. That’s where we come in. FUSE3 and Omnistruct have unique expertise in planning and implementing a cybersecurity framework that meets all of the regulations required of your business. Don’t carry this burden alone; let us eliminate your struggles.
About Matt Oldham
Matt is the Senior Sales Engineer at Omnistruct. With over six years of experience in the cybersecurity and compliance industry, he is the touchpoint between the sales and operations teams, ensuring that the proposed services are the right fit for the client. Matt is also a musician and enjoys cooking as a hobby. He spent over ten years living in the Pacific Northwest before returning to his native stomping grounds in the Sacramento area. Learn more about Omnistruct’s Services.