Data protection is both the security and privacy of an individual’s personal information, including identifying details and personal property. Personal details include name, birthdate, home and Internet addresses, and any government identification (just to name a few); personal property includes emails, files, and accounts owned or managed by the individual. Because individuals must share so much of their personal information with businesses, businesses carry the bulk of responsibility for data protection from a legal standpoint. Data protection also means data management and storage practices that protect data from loss. theft, disaster, or ransomware.
Legal requirements for data protection
Different governing bodies have set requirements for data protection; the few listed below are some of the farthest-reaching. They protect the personal information of individuals by setting stringent guidelines for businesses that process, analyze, and sell data.
Perhaps the data protection regulation that affects the most companies, the General Data Protection Regulation requires businesses to have at least one documented reason (they can pick from a list of six) why they collect personal data and tell their customers how they use that personal data. The GDPR was initiated by the European Union, but it protects all EU residents, which means that any business with EU customers, employees, and possibly even Internet traffic must also comply with the GDPR’s rather stringent requirements.
The GDPR requires businesses to appoint a Data Protection Officer (DPO) if they handle large amounts of sensitive data (such as a large medical facility or financial institution) or collect copious amounts of data regularly, including frequent monitoring or surveillance (such as security companies). This also applies to any organizations in other countries that collect data from European Union residents.
The California Consumer Privacy Act (CCPA), introduced in 2018 and enacted in 2020, protects personal information of all California residents. Like the GDPR, this set of regulations binds every business with California customers, whether or not they are in the same state or even continent. Rights for California residents under the CCPA include:
The right to know: businesses must provide clear details regarding the way they use residents’ personal data particularly upon request, but they must also have a notice on their website explaining what they do with personal information.
The right to delete: California residents can request that a business delete their personal information from its database. They can also request that it be corrected if inaccurate.
The right to opt out: every business must have a clearly defined button on their website that reads “Do Not Sell My Personal Information,” which, when selected by a California resident, exempts that person from the sale of personal data to a third party.
A notice at collection: residents have a right to know when a business collects their personal information. The business must submit a notice that includes a “Do Not Sell” link so that the individual can select that, preventing the business from selling their personal data to a third party.
The Payment Card Industry Data Security Standard (PCI-DSS) requires any business that accepts card payments to follow a set of regulations, which include setting a network firewall, encrypting card transactions over public networks, and requiring each employee to have their own login information. These regulations are intended to protect sensitive payment card information.
Data protection in computer networks
Protecting data across networks is extremely important and encompasses many categories of security. Almost all personal data frequently crosses network connections. As computers have developed, so have attackers: it can be easy for an intruder to access someone’s login credentials, sensitive personal information, or documents by manipulating a computer network connection. For organizations, data protection has the added benefit of keeping intellectual property and other critical data out of the hands of hackers and ensuring business continuity. A few of the most important methods of and reasons for network data protection are listed below.
IP address and web page encryption
HTTPS (Hypertext Transfer Protocol Secure) requires an authentication process between user and web page. Though not all websites have adopted HTTPS (the secure version of HTTP, the former standard web protocol), it is becoming more popular. HTTPS makes eavesdropping more difficult for hackers. It’s important to note, however, that it doesn’t prevent all types of hacking or packet sniffing. Even Internet service providers can still track some of a user’s Internet usage if the web pages they visit use HTTPS.
Cryptography encodes a piece of data, allowing it to be unreadable to an eavesdropper. Encryption is used for many different data storage and transfer purposes. Full disk encryption, for example, encrypts data on an entire computer disk or drive; this can be helpful in securing data at rest. File level encryption, on the other hand, encrypts individual files or folders for transfer (such as maintaining security while sending an email).
Wi-Fi network security
The Wi-Fi Alliance introduced two protocols in 2018 that help protect wireless network connections for users. Public Wi-Fi networks are incredibly susceptible to hacks because any unsecured web traffic is exposed for any nearby eavesdropper. Wi-Fi Enhanced Open encrypts a connection between an Internet user and a Wi-Fi network. The two parties agree on an encryption key and perform a four-way handshake to decrease the chances that an attacker can interrupt the connection. WPA3 (Wi-Fi Protected Access Version 3) offers Wi-Fi Easy Connect, which includes asymmetric cryptography and also encrypts device connections to Wi-Fi networks.
Virtual private networks
VPNs provide an individual network between a device and a server, bypassing the standard computer network entirely. They can be an effective way to avoid prying eyes and block Internet service providers (ISPs) from viewing web traffic. However, not all VPNs will do this: make sure you find a good provider that does not have a history of DNS leaks. This will mean you will have to pay: free VPNs aren’t worth the risk.
Data protection for cloud storage
Cloud and data storage providers have their work cut out for them: storing data across multiple environments makes it much harder to secure. Agility comes with added management, and managing various environments and data requests means that security sometimes struggles to keep up. Often, cloud computing providers will deploy security solutions to protect the perimeter of the network and will also use endpoint detection and response and threat intelligence platforms to detect and prevent data breaches. They must comply with legal security requirements because they are providing storage services for paying customers with large amounts of sensitive data.
Threats to data protection
There are a multitude of threats to data security and privacy, and most of them have already been suggested or mentioned above, but another note on Internet service providers: most of them have the capacity to gather a great deal of information about users’ Internet traffic. They can see domain names that Internet users visit, and this information can be very revealing. ISPs may throttle users’ Internet connection (slow it significantly) based on a lack of remaining paid data, but they may also throttle an Internet connection based on what is being searched. Large corporations often benefit from using customer data, and ISPs are no different. A good VPN can help users keep their Internet traffic private.
For corporations, preventing data breaches means implementing comprehensive and quality security solutions. Attacks that target companies’ privileged access accounts put sensitive data at risk. Social engineering scams can cost organizations millions of dollars if employees are not prepared for suspicious emails or messages or malicious links.