When it comes to protecting sensitive data, companies of all sizes in all industries need a strong, data-centric security policy. The expansion of mobile and cloud technologies has changed the way we work while also expanding the threat landscape of corporate data.
Without a comprehensive data protection strategy, businesses can expose sensitive information to the risks of loss, compromise, or corruption.
The larger your business, the more likely it is that you manage and store numerous types of data across multiple repositories. For enterprise organizations, growing data volumes require a strategic approach in how and where sensitive data is protected.
In this article, we’ll look at the most sensitive types of enterprise data, regulations around certain types of data (and the consequences of not adhering to such rules), and how solutions such as WinZip® Enterprise can provide protection for enterprise-level data.
What is sensitive data?
“Sensitive data” is an umbrella term for a variety of information that must be protected from unauthorized disclosure. There are three primary classifications of sensitive data:
Internal-only data includes information intended for internal use only. This data, if comprised or lost, would cause minimal harm to affected organizations and individuals. Internal-only data is accessible only to company personnel and may be subject to contractual agreements or regulatory compliance.
Examples include: Employee handbooks, business plans, third-party contracts, and internal documents that do not contain confidential information.
Confidential data requires specific clearance or authorization to access. This highly sensitive information could cause significant harm in the event of a data breach, exposing individuals and organizations to criminal or civil liability.
Confidential information is often protected by laws such as the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and the Payment Card Industry Data Security Standard (PCI DSS).
Examples include: Cardholder data, protected health data, controlled unclassified information, social security numbers, and IT security information.
Restricted data has the strictest legal and regulatory requirements and is often protected with a non-disclosure agreement (NDA). Unauthorized access or compromise of restricted data could lead to criminal charges, hefty legal fines, and a catastrophic impact on a company’s reputation.
Examples include: Trade secrets, proprietary information, intellectual property, financial records, authentication data, and any data protected under state and federal regulations.
What are the challenges of protecting sensitive data?
An enterprise organization stores large volumes of data across multiple repositories, including databases, collaboration systems, and cloud storage services.
Another key component of sensitive information is in unstructured data. Typically, text-based, unstructured data is generated and collected from a range of sources such as emails, spreadsheets, PDFs, call transcripts, and survey responses.
Estimates suggest that 80 to 90% of company data is unstructured, making this a crucial area that requires protection. While databases can be secured with access controls and central management from IT teams, the accessibility of unstructured data often comes down to internal users.
In fact, a 2020 data breach survey found that 78% of IT leaders believe employees have accidentally caused data breaches, and 60% of surveyed employees believe they have accidentally shared sensitive information.
Every time employees send emails, share links, or put files in public folders, they expose sensitive data to loss and theft.
In addition to the challenges associated with protecting unstructured data, enterprise organizations also have to contend with how the increase in remote work has impacted data security.
As remote work has relocated employees, their devices, and corporate data outside the confines of the company’s physical environment, a reported 76% of IT leaders now see data breaches as an inevitability.
Prior to the pandemic, organizations could simply require that employees access sensitive information while in the office and on a dedicated company device.
However, with many enterprises planning to embrace a hybrid workforce moving forward, restricting data access in this way is no longer a viable option. Businesses must instead adapt to protect data wherever employees are, on whatever device they use.
What are the costs of non-compliance with data regulations?
There are numerous regulations in place to protect the sensitive information of organizations and individuals. These laws and regulations vary across counties, states, and countries, and non-compliance can lead to penalties and fines.
For global enterprise organizations, experts advise developing a data protection strategy that meets the most stringent set of regulations the company faces (e.g., GDPR), backed by a security framework that covers a broad set of requirements.
General Data Protection Regulation (GDPR)
Since 2018, all organizations that collect, store, or process the personal data of European Union (EU) residents must meet the GDPR provisions governing data protection. This includes not only companies within the EU, but also any organization based outside the EU that offers goods or services to EU residents or processes their personal data.
Non-compliance can lead to steep fines, which could be as high as 4% of a company’s global revenue. The GDPR places liability on both the organization that owns the data and outside data processors that help manage the data. If an organization’s third-party processor is out of compliance, the organization itself is also non-compliant.
California Consumer Privacy Act (CCPA)
Like the GDPR, companies don’t have to be located in the state of California (or the US) to be subject to its privacy laws. The CCPA deals with the ways large organizations collect and use data of California residents and provides consumers with numerous protections, such as the ability to request that companies delete their personal data.
Fines for CCPA violations can range from $2,500 per unintended violation to $7,500 per intentional violation. In addition, California consumers can demand to see all the information a company has collected on them, to review a full list of third parties that data is shared with, and can sue companies if privacy guidelines are violated, regardless of if a breach occurred.
Gramm–Leach–Bliley Act (GLBA)
While many people may assume the GLBA applies only to financial institutions, its regulations also pertain to companies that receive nonpublic personal information (NPI) from such financial institutions.
Any organization that offers financial products or services such as loans, insurance, or financial or investment advice must apply specific protections to ensure their customers’ data privacy. This also includes a requirement to disclose to customers how they share sensitive data with third parties.
Non-compliance can result in steep penalties for individuals and organizations. Financial institutions that violate GLBA rules can face fines of $100,000 per violation. Responsible individuals can also be charged up to $10,000 for each violation and may face up to five years in prison.
Securing and ensuring the confidentiality of customers’ private and financial information is key to maintaining GLBA compliance.
Health Information Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act
The HITECH Act regulates the use of health information technology and ensures that HIPPA-covered entities comply with its privacy and security rules. The HITECH Act also expands the application of HIPAA provisions to business associates, which are the individuals, organizations, and agencies that help covered entities carry out their healthcare activities and functions.
This includes functions and activities related to claims processing and administration, quality assurance, billing, practice management, data analysis, and many others. There are civil monetary penalties imposed for HIPAA and HITECH violations, and penalty tiers are determined by the level of culpability.
Examples of HIPPA and HITECH violations include unauthorized access of healthcare records, failure to perform organization-wide risk analysis, denying patients access to health records, insufficient electronic protected health information (ePHI) access controls, and failure to use encryption to safeguard ePHI on portable devices.
Payment Card Industry Data Security Standard (PCI DSS)
Merchants, vendors, financial institutions, and any other entity that processes payment card information must protect this sensitive data and comply with the PCI DSS.
There are 12 requirements for PCI DSS compliance, many of which relate to data protection. For example, maintaining a secure data environment includes provisions such as firewalls, password protections, encryption, access restrictions, and anti-virus software.
Not meeting PCI DSS security standards can have numerous repercussions. First, customers may lose confidence in your organization, which can lead to revenue loss if customers take their business elsewhere. There are also significant fines and penalties, which can run from $5,000 to $100,000 a month.
How WinZip Enterprise protects sensitive enterprise data
WinZip Enterprise is a powerful, customizable solution that gives organizations industry-leading file encryption, data management, and compression capabilities.
Its file-level Advanced Encryption Standard (AES) encryption protects data in transit and at rest, ensuring compliance with major standards such as the Federal Information Processing Standard (FIPS) 140-2 and Defense Federal Acquisition Regulation Supplement (DFARS) regulations.
In addition to bank- and military-grade encryption, WinZip Enterprise gives IT administrators full control over their data environments. The solution is fully customizable, ensuring that it meets your unique organizational needs.
WinZip Enterprise enables IT administrators to do things such as:
- Enable the features they want and hide the rest from end users.
- Control password policies, encryption methods, and the use of FIPS 140-2 compliant services.
- Prevent data loss with Windows Information Protection (WIP) support.
- Set protocols to control the movement of data and files.
Enterprise-level organizations handle a large volume of diverse data sources and formats, and the right security practices can help reduce the likelihood of—and damage caused by—fraudulent actions or data breaches.