US Insurance Industry Data Security Regulations

Over the past few years, several new regulations regarding the privacy of data have been enacted. Many of these, such as the GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) cover private data based on citizenship. The GDPR, for example, protects the data of European citizens regardless of where the holder of the data is doing business. These regulations come with steep fines when violated, so it is critical for organisations to comply.

HIPAA (Health Insurance Portability and Accountability Act) protects the health information of patients in the US. This law was enacted in 1996, and most people are somewhat familiar with it due to the forms they sign when receiving care. For the insurance industry that falls outside HIPAA, the National Association of Insurance Commissioners (NAIC) adopted a model law that they recommend be implemented by all US states. At the time of this writing, eleven states have enacted a version of the law. Because the insurance industry collects so much information from its customers, these organizations are often victims of data breaches and this is one of the reasons for the model law.

If this law affects, or potentially affects, your organization, what do you need to think about? This article from The National Law Review states:

‘Under the Model Law, licensees must maintain a comprehensive, written “Information Security Program.” The Program should be commensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities, including its use of third-party service providers, and the sensitivity of the nonpublic information collected, processed, and maintained by the licensee. The Program also must be based on a risk assessment and contain administrative, technical, and physical safeguards. In short, the Program cannot be an “off-the-shelf” set of policies and procedures.’

This means that you must have written policies in place governing how sensitive data is stored and processed throughout the organization. One of the first steps is knowing just what information you hold that is impacted by the law. Classifying data can be an arduous task, so having a tool in place that can automate some of the work for you is essential.

It’s not just critical to protect live production data. You must protect data wherever it lands. For example, backup files can be as much of a risk as the live data if not protected with encryption and file security.

What about copies of production for development, quality assurance, testing, and all the downstream activities? Of course, test data could be generated for these non-production databases, but that doesn’t always help when you need data that matches production in volume and granularity. Data that is classified as sensitive must be sanitized before it reaches these non-production environments. It’s easy to forget that data is at least as likely to be compromised outside of production as in it.

Redgate have solutions for classifying and masking data that can help you comply with this and other regulations. Redgate Data Catalog takes care of up to 70% of the work of classifying SQL Server database columns by suggesting classifications based on column names and by supporting bulk actions. It allows you to control the taxonomy to fit your organisation and the regulations that apply to it. Data Catalog can also be fully automated with a REST API and PowerShell cmdlets.

Redgate’s Data Masker masks sensitive data with realistic substitute data. It’s fully integrated with Data Catalog so that once the work of classifying data is done, it’s easy to mask that data for downstream environments. You can automate masking with PowerShell or take advantage of the easy-to-use interface.
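The two steps just described, suggesting a classification from column names and then masking the flagged columns with realistic substitutes before the data leaves production, are illustrated below in an added Python example. It is not Redgate's code and does not show how Data Catalog or Data Masker work internally. It assumes column metadata in the (schema, table, column) shape of SQL Server's INFORMATION_SCHEMA.COLUMNS, a hypothetical taxonomy of tags, and a constructed masking key; the sample columns and rows are constructed for the demonstration.

```python
import datetime
import hashlib
import hmac
import re

# Constructed column metadata, shaped like SQL Server's INFORMATION_SCHEMA.COLUMNS
# (schema, table, column). Not a real database.
COLUMNS = [
    ("dbo", "Policyholder", "PolicyholderID"),
    ("dbo", "Policyholder", "FirstName"),
    ("dbo", "Policyholder", "LastName"),
    ("dbo", "Policyholder", "SSN"),
    ("dbo", "Policyholder", "DateOfBirth"),
    ("dbo", "Policyholder", "EmailAddress"),
    ("dbo", "Claim", "ClaimID"),
    ("dbo", "Claim", "DiagnosisCode"),
    ("dbo", "Claim", "ClaimAmount"),
]

# Name-based suggestion rules. The tags are a hypothetical taxonomy; a real one
# follows the organisation's own policy and the regulations that apply to it.
RULES = [
    (re.compile(r"\b(ssn|social.?security|national.?id)\b", re.I), "NationalID"),
    (re.compile(r"(first|last|full|sur)_?name", re.I), "PersonName"),
    (re.compile(r"e.?mail", re.I), "Email"),
    (re.compile(r"(dob|date.?of.?birth|birth.?date)", re.I), "DateOfBirth"),
    (re.compile(r"(diagnos|icd|medical|health)", re.I), "HealthInfo"),
]

# Constructed demo key. A real masking key belongs in a secrets store and must
# never travel to the non-production environment together with the masked data.
MASK_KEY = b"constructed-demo-key-not-for-real-use"
NAME_POOL = ["Alex", "Sam", "Jordan", "Taylor", "Morgan", "Casey", "Riley", "Drew"]


def suggest_classification(column_name):
    """Return the first tag whose rule matches the column name, or None."""
    for pattern, tag in RULES:
        if pattern.search(column_name):
            return tag
    return None


def classify_schema(columns):
    """Map (schema, table, column) -> tag for every column a rule flags."""
    flagged = {}
    for schema, table, column in columns:
        tag = suggest_classification(column)
        if tag is not None:
            flagged[(schema, table, column)] = tag
    return flagged


def _keyed_number(value):
    """Deterministic 64-bit number derived from value under MASK_KEY (HMAC-SHA256)."""
    digest = hmac.new(MASK_KEY, str(value).encode("utf-8"), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def mask_value(tag, value):
    """Replace value with a realistic substitute chosen by its tag.

    The substitute depends only on (key, value), so one production value always
    masks to the same output and joins across tables survive masking.
    """
    if value is None:
        return None
    n = _keyed_number(value)
    if tag == "NationalID":
        digits = f"{n % 10**9:09d}"
        return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"
    if tag == "PersonName":
        return NAME_POOL[n % len(NAME_POOL)]
    if tag == "Email":
        return f"user{n % 100000}@example.com"  # reserved example domain
    if tag == "DateOfBirth":
        # Shift back by 1..729 days: the age band stays useful, the identity does not.
        shifted = datetime.date.fromisoformat(value) - datetime.timedelta(days=1 + n % 729)
        return shifted.isoformat()
    if tag == "HealthInfo":
        return "REDACTED"
    return value


def mask_rows(schema, table, column_names, rows, classification):
    """Mask every flagged column in rows (tuples ordered as column_names)."""
    tags = [classification.get((schema, table, name)) for name in column_names]
    return [tuple(mask_value(t, v) if t else v for t, v in zip(tags, row)) for row in rows]


if __name__ == "__main__":
    found = classify_schema(COLUMNS)
    for key, tag in sorted(found.items()):
        print(f"{'.'.join(key)} -> {tag}")
    names = ["PolicyholderID", "FirstName", "LastName", "SSN", "DateOfBirth", "EmailAddress"]
    sample = [(1, "John", "Doe", "123-45-6789", "1980-05-17", "john.doe@example.org")]
    for row in mask_rows("dbo", "Policyholder", names, sample, found):
        print(row)
```

The name rules are only suggestions, which is why the classification is returned as a dictionary for a person to review before masking runs: a column called `Notes` can hold a diagnosis just as easily as `DiagnosisCode` does, and no name heuristic will catch that. The keyed, deterministic substitution is what lets masked copies keep their referential integrity, and it is also why the key must stay out of the downstream environments.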

Based on the current trends, your organization is likely to be affected by one or more regulations requiring that you protect your customers’ sensitive information. Redgate have the tools to help!