Is your network in compliance with international regulations for data security and protection? Given that networks generally are accessible from anywhere in the world, network managers must be aware of regulations that go far beyond the local jurisdiction where the servers are located.
Foundational Global Principles
While there are many versions of the basic principles of data collection, protection, and dissemination, Article 5(1) of the General Data Protection Regulation (GDPR) is a representative guide. (GDPR sets enforceable data standards within the European Union.)
Lawfulness, Fairness, and Transparency
Limitations on Purpose of Collection, Processing, and Storage
Data Minimisation
Accuracy of Data
Data Storage Limits
Integrity and Confidentiality
These six principles are supplemented by Article 5(2), which states: “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
Versions of Data Protection Laws Worldwide
While the GDPR is an example of data collection and privacy regulations, there are many versions of these regulations in other countries around the world. Within the United States, federal regulations are not yet formalized, although many states have established their own regulations, such as the California Consumer Privacy Act. Many other states have similar bills, and comprehensive federal legislation called the Data Protection Act is making its way through the legislature.
Brazil has the General Data Protection Law (LGPD). Other countries with strong data protection laws include South Africa, Bahrain, the Philippines, Canada, and India. The UK, after Brexit, adopted its own version of GDPR. A critical compliance note: do not assume these international regulations do not apply to your network. It does not matter where the data is physically stored or where the company collecting the data is based. These regulations exist to protect citizens where they live, regardless of where the data is stored. For example, if you are a business in the United States and you collect data from a citizen of Brazil, you are subject to the LGPD for the storage and protection of that data.
Penalties for non-compliance with the LGPD are not trivial. Organizations that have broken the regulation can be fined up to 2% of annual revenue or a maximum of 50 million Brazilian reais (about US$9 million). European Union GDPR fines can be up to 4% of annual revenue or 20 million euros (about 20 million US dollars).
Compliance is not Optional
Any organization operating on a global landscape is responsible for complying with numerous consumer data protection regulations. If a company is collecting data from citizens within many of these jurisdictions, they are also responsible for complying with any and all of these various regulations. The best protection from potential liability is to establish a culture of compliance and invest in the tools that will protect customer data as well as the company's bottom line.
Legally Defensible Compliance
The foundation is visibility. Companies must have complete visibility into network traffic streams to prove compliance with global data privacy protections. Organizations using Switched Port Analyzer (SPAN) ports to connect analysis and diagnostic tools are not seeing all the data. SPAN ports drop data unpredictably under a variety of circumstances, such as short frames, physical-layer errors, or periods of heavy traffic. A better alternative is to use network TAPs, such as the SmartNA family from Network Critical. TAPs provide a legally defensible, complete data stream for analysis and reporting. Because a TAP is independent of the network endpoints, it mirrors 100% of the data to the monitoring port.
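The "busy traffic times" case above has a concrete cause worth being able to quantify: a SPAN session copies both directions of every monitored link onto one destination port, so a single full-duplex 1 Gbps link can offer up to 2 Gbps to a 1 Gbps SPAN destination, and drops are then guaranteed rather than random. The following is an added example (not Network Critical's code or a SmartNA feature) that estimates SPAN oversubscription from link utilisation and cross-checks a live session with switch counters; all port names and figures are constructed sample values, and the counter-based check assumes you can read per-port packet counters from the switch.

```python
"""Estimate whether a SPAN session can deliver a complete copy of traffic.

Added illustration; not vendor code. A SPAN destination port carries the
rx AND tx of every monitored link, so its offered load is the full-duplex
sum, while a breakout TAP gives each direction its own monitor port.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass
class MonitoredPort:
    name: str
    link_mbps: float   # line rate of the monitored link
    rx_util: float     # fraction of line rate received (0.0 .. 1.0)
    tx_util: float     # fraction of line rate transmitted (0.0 .. 1.0)

    def mirrored_mbps(self) -> float:
        # SPAN copies both directions, so the mirrored load is rx + tx
        return self.link_mbps * (self.rx_util + self.tx_util)


def span_load_mbps(ports: Iterable[MonitoredPort]) -> float:
    """Total traffic a SPAN session offers to its destination port."""
    return sum(p.mirrored_mbps() for p in ports)


def span_oversubscription(ports: Iterable[MonitoredPort], dest_mbps: float) -> float:
    """Offered load divided by destination line rate; > 1.0 means drops are certain."""
    return span_load_mbps(ports) / dest_mbps


def estimated_drop_fraction(ports: Iterable[MonitoredPort], dest_mbps: float) -> float:
    """Lower bound on the share of mirrored traffic the destination cannot carry.

    Real drops are higher because buffers overflow during bursts even when
    the average load fits, which is why SPAN loss looks 'random'.
    """
    load = span_load_mbps(ports)
    if load <= dest_mbps:
        return 0.0
    return (load - dest_mbps) / load


def tap_capacity_ok(ports: Iterable[MonitoredPort], monitor_mbps_per_direction: float) -> bool:
    """Breakout TAP check: each direction of each link gets its own monitor port,
    so no link may exceed the monitor port's line rate (no summing of directions)."""
    return all(p.link_mbps <= monitor_mbps_per_direction for p in ports)


def observed_span_loss(monitored_pkts: int, span_tx_pkts: int) -> float:
    """Evidence-based check for an existing session: compare the sum of rx+tx
    packet counters on the monitored ports (over one interval) with the tx
    counter of the SPAN destination port over the same interval."""
    if monitored_pkts <= 0:
        return 0.0
    missing = max(monitored_pkts - span_tx_pkts, 0)
    return missing / monitored_pkts


# Constructed sample: two gigabit access links mirrored to one gigabit port.
SAMPLE_PORTS = [
    MonitoredPort("Gi1/0/1", 1000, rx_util=0.70, tx_util=0.55),
    MonitoredPort("Gi1/0/2", 1000, rx_util=0.40, tx_util=0.30),
]
SPAN_DEST_MBPS = 1000

if __name__ == "__main__":
    print(f"offered load: {span_load_mbps(SAMPLE_PORTS):.0f} Mbps")
    print(f"oversubscription: {span_oversubscription(SAMPLE_PORTS, SPAN_DEST_MBPS):.2f}x")
    print(f"minimum drop fraction: {estimated_drop_fraction(SAMPLE_PORTS, SPAN_DEST_MBPS):.1%}")
    # Even the first link alone (1250 Mbps offered) exceeds the 1 Gbps destination.
    print(f"single link oversubscribed: {span_oversubscription(SAMPLE_PORTS[:1], SPAN_DEST_MBPS) > 1}")
    print(f"1G breakout TAP adequate: {tap_capacity_ok(SAMPLE_PORTS, 1000)}")
    # Constructed counter sample: 1,950,000 packets crossed the links, 1,000,000 reached the tool.
    print(f"observed loss from counters: {observed_span_loss(1_950_000, 1_000_000):.1%}")
```

The useful habit here is the last function: if a compliance report rests on SPAN-fed tooling, pull interval counters from the monitored ports and the SPAN destination and keep the loss figure with the report, because a reviewer will ask how you know the feed was complete. A TAP removes the question, since it has no shared destination port to oversubscribe.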
Another layer in a robust security profile is to protect access to data resources with an invisible, unhackable device that provides 24/7/365 data security. INVIKTUS by Network Critical has no MAC or IP address and is therefore invisible on the network. A tool that cannot be seen on the network cannot be hacked. A policy-based configuration ensures that access to any and all points of the network is validated before being allowed or denied. Once policies are set in the tool, access by users, applications, and devices inside or outside the network requires validation, minimizing exposure to cyber threats.
Go to www.networkcritical.com/inviktus for more detail on unhackable data security.
Fortress and Prison
A fortress is designed to keep people out. A prison is designed to keep people in. For a robust and defensible data protection strategy, create a prison within a fortress. Tools such as Intrusion Prevention Systems (IPS) are designed to block network intruders. Data Loss Prevention (DLP) systems are designed to keep private information from being leaked or otherwise distributed to unauthorized parties. Both of these important tools can be connected to network links by TAPs, as described above. When deployed together with other critical network security tools, they let companies protect customer data and privacy and avoid potential lawsuits and massive fines.
Network Critical has visibility and security access experts available to consult with organizations that are developing or updating their compliance programs. Now is a good time to reach out for a data privacy review to be sure your organization is globally compliant.
Check with our expert team at www.networkcritical.com/contact-us