With personal data becoming more important and bountiful in a digital and virtual world, the importance of regulatory compliance and data protection, storage, and management has also increased. Major regulations exist in several specific sectors, including, in the US, healthcare (HIPAA and HiTech), financial services (PCI-DSS and GLBA), biotechnology (FDA) and the energy industry, and IoT (NERC and FERC).
Moreover, any organization doing business with clients in Europe, regardless of where they are based, must comply with GDPR. Similar legislation is now beginning to emerge in other regions, including the United States, with California setting an example with its CCPA. Such regulations aim to maintain the security of clients’ personal, and often sensitive, information and it is not only a legal requirement but a simple part of best practices that can affect your bottom line.
While compliance may increase costs in terms of money and resources, there are positive benefits that result from it. To begin with, compliance will better secure and protect your organization’s data infrastructure, which may include valuable and proprietary information. Likewise, it will better secure your clients’ data. Protecting data has become a central concern for clients, and being compliant adds value to the services you offer. It provides peace of mind for existing clients, and creates an incentive for prospects who will know that their sensitive data is protected in accordance with government established data regulations.
The consequences of not being compliant are hefty, both in terms of cost and reputation. To give just one example of the cost of failing to comply, and how accidental such failures might be: in 2018 the University of Texas’ MD Anderson Cancer Center was fined $4,384,000 for data breaches that violated HIPAA requirements. This was not the result of a data breach by hackers. Rather, it resulted from a laptop being stolen from the home of one doctor and, in two separate incidents, from the loss of USB memory drives – one while a researcher was travelling, the other simply being misplaced or stolen from an office. In total, close to 35,000 clients’ electronic protected health information (ePHI) was breached. But the problem wasn’t that these devices were subject to the unforeseen circumstances of theft and/or loss; it was that they did not have password protection, and the data they contained had not been encrypted, which were core principles of HIPAA.
The parameters of most legal guidelines are pretty basic and align with best practices and the textbook parameters of any well-organized key management and encryption system. They include:
- Control of access to data
- Encryption of data-at-rest (via Hardware Security Modules or similar systems) or data-in-transit, often with pseudo anonymization
- Tracking user access logs
- Testing of the effectiveness of data protection systems
- Timely communication of data breaches when these happen
Failure to comply with these regulations can result in a number of penalties, including fines, increased fees, and revocation of rights to interact with clients in given industries. Data breaches also have non-legal effects that drive clients to competitors and damage corporate brands. In this sense, regulatory compliance and data protection should not merely be a legal concern; it can have a significant impact on a company’s bottom line.
Knowing the ins and outs of particular regulations can be difficult, especially with the proliferation of regulations as new issues around data security and management arise. But this is precisely why key management experts like StorMagic are central to helping your business with compliance. StorMagic’s encryption key management solution, SvKMS, is easily integrated with PGP encryption, IaaS encryption, PaaS, vSphere and vSAN, and many other technologies that store and process sensitive information across the enterprise. And, in allowing you to bring-your-own-key (BYOK), SvKMS ensures that the encryption key is stored separately from the data, a major requirement of many data regulations.
While the separation of lock and key is a best practice that StorMagic abides by as a core value, this is just one of the regulatory requirements that SvKMS complies with. As a full-featured key management lifecycle platform, StorMagic SvKMS can help you meet requirements across a wide variety of regulations, whether on-premises, hybrid, or in the cloud, including HIPAA, PCI-DSS, GDPR and the Federal Information Processing Standard (FIPS). In addition to being compliant with these specific policies, StorMagic can help you be compliant with general regulations across sectors, including managing keys throughout their entire lifecycle, auditing of encryption key information (including Syslog support), backup and restoration, and encryption key generation and import.
Read more about how SvKMS can help you meet compliance requirements here. Alternatively, contact the team at [email protected].