Protecting Sensitive Data: Your Risks and Responsibilities as a Corporate Steward

From an IT risk management perspective, sensitive data is the elephant in the room. Large amounts of sensitive data are captured and exchanged nearly every second in this country. That makes your role as a corporate data steward critical. The breach of sensitive data can have disastrous consequences for companies facing non-compliance with regulations under HIPAA and GDPR, not to mention the reputational damage from failing to protect it and the cost to restore it.

With ransomware attacks surging in 2023, how can the corporate stewards of our data keep their customers and employees safe and protect sensitive data?

What’s So Sensitive About Sensitive Data?

There’s data, and then there is sensitive data, a trending category on social media full of cautionary complaints of social security numbers breached, identities stolen, and lives disrupted. This year, attackers using ransomware have been particularly effective at capturing sensitive data:

• A ransomware attack captured student and employee data at Xavier University.
• San Francisco’s Bay Area Rapid Transit (BART) lost sensitive data to ransomware attackers.
• The U.S. Marshals Service (USMS) lost sensitive law enforcement information successfully targeted by a ransomware scheme.
• Norton Healthcare, a large provider system in Kentucky and Indiana, lost personal patient and corporate financial data and employee information.

The loss of sensitive data, perhaps the most trusted information companies are tasked with securing, is, at minimum, a public embarrassment and, at its worst, a costly mistake that costs companies millions in customer losses and compliance fines.

What is sensitive data, and why is it so important?

Sensitive data is the information managed and accessed by authorized users. This data is considered sensitive because of what could happen if the information falls into the wrong hands. For example, the first and last names of your customers may not be sensitive, but if it’s coupled with bank accounts, social security, or account numbers, the data escalate to a high-risk category.

There are generally three types of sensitive information:

• PII, or personally identifiable information linked to individuals. If stolen, these details, such as a social security number, could lead to identity theft. You’ll find PII in educational enrollment records, credit card applications, employee tax details, and medical records.
• Business information such as financial details, trade secrets, or strategic plans for a future merger. Consider this category of sensitive information anything your competitors would pay big money to have. It also includes information from your business clients, such as bank account routing numbers and tax filings.
• Classified information is a government designation for data with a specific sensitivity tier, such as confidential or top secret. We’ve recently seen this issue in the news, and as illustrated, there can be more than reputational damage stemming from mishandling sensitive government documents.

What happens to this sensitive data if we fail to protect it?

The Risks to Sensitive Data

Understanding your data, including what you capture, where it comes from, and how you use it, is a critical first step toward preventing risks to sensitive data. Sensitive data is vulnerable to external and internal risks, including:

• Unauthorized access to sensitive data through phishing scams or other social engineering measures.
• Outright data breaches, where stolen records yield sensitive details. Stolen credentials can lead to a data breach, as does hacking or even the theft of physical devices.
• Ransomware, which encrypts data and demands a ransom payment for its release.
• Data intercepted in transit from third-party vendors or from remote employees with unsecured Wi-Fi networks.
• Insider threats that reveal administrative logins. These threats can come from disgruntled employees or simple mistakes caused by deceptive emails.

Some of the most high-profile sensitive data leaks so far this year have come from big industry players. In telecom, T-Mobile lost account PINs and other details, Yum Brands (KFC, Pizza Hut, Taco Bell) had sensitive employee data hacked, and ChatGPT, that new AI tool that’s taken the world by storm, lost incomplete credit card information to external hackers.

Compliance Rules for Protecting Sensitive Data

Any discussion on protecting sensitive data should acknowledge state-specific privacy compliance rules. Reuters says, “The year 2023 will go down in history as marking the beginning of a profound shift in the philosophy underlying data privacy laws in the United States.” They’re referring to a flurry of state-specific rules disrupting the compliance landscape.

In the past, corporate data stewards focused on the standard federal compliance laws:

• Gramm-Leach-Bliley Act (GLBA) requires U.S. financial institutions to disclose how they share consumer data.
• Health Insurance Portability and Accountability Act (HIPAA), the health industry mandate for protecting sensitive patient data.
• Family Education Rights and Privacy Act (FERPA) requires U.S. educational entities to gain student consent before releasing transcripts or other data.
• General Data Protection Regulation (GDPR) is a European construct affecting all U.S. industries doing business overseas.
• Payment Card Industry Data Security Standard (PCI DSS) applies requirements for companies that transmit and store credit card data.

These laws and regulations govern how to protect sensitive data during storage and transmission. What’s different is that many states are adopting, modifying, and enforcing the European Union’s GDPR to protect sensitive data this year. The GDPR adopts a more stringent rights-based approach for sensitive data, assuming that the individual always owns their information. States have begun riffing off this baseline understanding to create a patchwork of new state-specific rules from California (CCPA) to Connecticut (CDPA).

GDPR dictates how companies hold and use sensitive data, from capture and portability to erasure. Data stewards should watch these new state-based applications of GDPR because they may affect record-keeping and transmission, as well as the penalties for failing to protect sensitive data.

How to Protect Sensitive Data

Protecting sensitive data is crucial to maintain privacy, security, and compliance with various regulations. While this is evolving, these generally accepted best practices will help your organization protect sensitive customer, employee, and corporate data:

• Establish data classification based on sensitivity level. This step prioritizes your security efforts and apply appropriate controls to different data categories.
• Tighten access controls to ensure only authorized individuals access sensitive data. Best practices include strong passwords, multi-factor authentication, and role-based access controls (RBAC).
• Encrypt sensitive data both at rest (stored) and in transit (during transmission).
• Conduct regular backups of all data, including sensitive information. Backups are a particularly effective counteroffensive against ransomware.
• Minimize data collection, capturing only what is necessary for business processes.
• Improve secure data storage for all information, including sensitive data.
• Implement data loss prevention (DLP) solutions to monitor and control the movement of sensitive data through email, removable media or network authorization protocols.
• Train your employees on best data security practices, including protecting sensitive files, recognizing phishing and ransomware attempts, and following data handling procedures.
• Run regular security updates, patch vulnerabilities, and mitigate potential security risks.
• Develop and hone an active incident response plan to isolate and contain the breach, notify affected parties, and initiate recovery.
• Conduct vendor security assessments of third-party service providers to ensure they apply the same rigor to protect sensitive data in transit and at rest.
• Conduct compliance audits, a fundamental cybersecurity process as privacy rules change.
• Conduct regular security audits and monitoring to identify vulnerabilities or unauthorized access attempts.
• Practice secure disposal of sensitive data when it is no longer needed.

Establishing a culture of cybersecurity will protect the sensitive data you capture and use. Remember that protecting sensitive data is ongoing. Regularly review and update your security practices to adapt to evolving threats and technologies. If you have questions, contact your Sikich cybersecurity expert for peace of mind.