Retailers, merchants, and organizations that process financial data, like credit cards, are bound by an industry standard called the Payment Card Industry Data Security Standard (PCI DSS). This standard stipulates what types of security protections organizations should employ, and it mandates stringent financial penalties for exposure of customer records. Similar standards exist for the healthcare industry, the financial services industry, and governmental agencies. There are also regional and national regulations, such as the General Data Protection Regulation (GDPR) in Europe, the Personal Data Protection (PDP) law in India, and the California Privacy Rights Act (CPRA). Still, there is no single set of rules or legal requirements that applies to everyone.
While many of these national and industry standards vary widely, they hold several core tenets in common. For example, these standards mandate the use of specific security mechanisms or procedures. They impose stringent penalties on the exposure of protected data — and sometimes even criminal liability. They apply widely, not just to customers in specific territories or regions, but worldwide.
From the organization’s perspective, this means making sure it fully understands which regulations apply to it. More importantly, it means organizations should do whatever they can to avoid breaches in the first place, rather than finding out the hard way what the penalties for violations are.
Best Practices on Data Retention
A common question is, should customer information be destroyed after a certain point? This is a tricky question, and there is no one definitive answer. In theory, yes, customer data should be destroyed. But one of the benefits of the digital age is the fact that we can store data indefinitely. Many organizations exercise this practice, and many customers want to have this data available to them. With that said, I believe the best approach should not necessarily focus on the destruction of older data but rather focus on the overall protection of all data — both old and new — to make sure that this data is not exposed.
As a provider of cloud security services, Radware doesn’t hold customer data directly. Still, we maintain metadata about customer transactions that flow through our systems in the form of logs, security events, etc. Most Radware products and services allow customers to configure the retention time of logs and alerts. Keep in mind that retention policies have to do with our customer lists, websites, etc.
Retention periods can vary significantly, based on the type of information and how it is used. Radware’s retention periods are based on criteria that include legally mandated retention periods, pending or potential litigation, intellectual property or ownership rights, contract requirements, operational directives or needs, and historical archiving. When Radware no longer needs to use personal information, we remove it from our systems or depersonalize it, so we can’t identify customers.
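The paragraph above describes two outcomes for data that has aged out of its retention period: removal, or depersonalization so the record can no longer be tied to a customer. The following is an added example, not Radware's code or policy, of how such a rule is enforced mechanically over log-style records. The retention periods, the record categories, the sample records and the `enforce_retention`/`pseudonymize` helpers are all constructed for illustration; depersonalization here uses a keyed hash of the customer identifier, which keeps the record usable for statistics while making the identity unrecoverable without the key.

```python
"""Retention enforcement with delete-or-depersonalize, over constructed records.

Added example (not Radware's code). Each record category has its own retention
period; once a record is older than that, it is either deleted or, for categories
worth keeping for operational statistics, kept with the customer identifier
replaced by a keyed hash. Records with no policy are rejected rather than kept
indefinitely by accident.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Hypothetical retention periods per category (assumption, not a real policy).
RETENTION = {
    "security_event": timedelta(days=90),
    "access_log": timedelta(days=30),
    "contract_record": timedelta(days=365 * 7),
}

# Categories kept in depersonalized form after expiry instead of being deleted.
DEPERSONALIZE_INSTEAD_OF_DELETE = {"security_event"}


@dataclass(frozen=True)
class Record:
    category: str
    customer_id: str
    created_at: datetime  # timezone-aware
    payload: str


def pseudonymize(customer_id: str, key: bytes) -> str:
    """Stable, keyed, one-way replacement for a customer identifier."""
    digest = hmac.new(key, customer_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return "anon-" + digest[:16]


def enforce_retention(records: list[Record], now: datetime, key: bytes):
    """Return (kept_records, deleted_count, depersonalized_count)."""
    kept: list[Record] = []
    deleted = 0
    depersonalized = 0
    for r in records:
        limit = RETENTION.get(r.category)
        if limit is None:
            # Fail closed: an unclassified record must not silently live forever.
            raise ValueError(f"no retention policy for category {r.category!r}")
        if now - r.created_at <= limit:
            kept.append(r)
        elif r.category in DEPERSONALIZE_INSTEAD_OF_DELETE:
            kept.append(replace(r, customer_id=pseudonymize(r.customer_id, key)))
            depersonalized += 1
        else:
            deleted += 1
    return kept, deleted, depersonalized


def demo():
    """Run the policy over a constructed batch as of a fixed point in time."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    key = b"constructed-demo-key-rotate-in-production"
    records = [  # constructed sample data
        Record("access_log", "cust-001", now - timedelta(days=40), "GET /login"),
        Record("security_event", "cust-002", now - timedelta(days=100), "WAF block"),
        Record("security_event", "cust-003", now - timedelta(days=10), "rate limit"),
        Record("contract_record", "cust-004", now - timedelta(days=1000), "SLA v3"),
    ]
    return enforce_retention(records, now, key)


if __name__ == "__main__":
    kept, deleted, depersonalized = demo()
    print(f"kept={len(kept)} deleted={deleted} depersonalized={depersonalized}")
    for r in kept:
        print(r.category, r.customer_id, r.created_at.date())
```

The two policy tables at the top are the part a practitioner would actually maintain; the enforcement loop itself should not change as categories are added, and rejecting unknown categories is what keeps a new log source from escaping the policy.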
The General Data Protection Regulation (GDPR) has had a significant impact on organizations. It affects organizations based in the EU and any organization that processes and stores EU citizens’ data, which is almost every organization.
Today, GDPR continues to evolve. One significant change was the EU’s decision to invalidate the “US Privacy Shield Agreement,” which allowed for the processing and storage of EU PII in the United States. This decision has forced many companies to rethink their options for processing EU data outside of the EU. In the near future, other similar restrictions are expected.
Looking ahead, we are constantly assessing how local regulations impact us. For example, there are many new privacy regulations in India and Brazil, which have to do with data residency and taking customer data out of those countries. That, in part, led us to expand our services in India and Brazil in 2020. This is something we’re constantly evaluating and on the lookout for.
5 Things Every Business Should Know
1. The cloud is not “more” or “less” secure; it is different. This means you need defenses that are specifically adapted to the cloud and to the unique threats organizations face.
2. Safeguard both your application ‘surface’ and your cloud application ‘infrastructure’ (i.e., the backend). Vulnerabilities can come from either side, so it is essential to safeguard both.
3. Implement ‘positive’ security. Attacks keep getting more sophisticated, and you can no longer rely only on signatures of existing attacks. You need protection based on a positive security model that can automatically identify and block illegitimate traffic.
4. Security is a discipline. Within it, there are many sub-disciplines (such as application security, DDoS, etc.). Organizations need to rely specifically on the people who are experts in safeguarding against these attacks.
5. Detection is essential, but correlation is critical. It’s not enough to *detect* attacks. You need to intelligently *correlate* events across multiple threat surfaces, application layers, and time spans to connect event A, to event B, to event C — even if they are months apart. This will help you determine when you are under attack and be able to block it in time.
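Point 5 above describes correlation across surfaces and across long time spans: individual events are noise, but the ordered chain A then B then C on the same entity is the signal. The following is an added example, not Radware's code, of the core of such a correlator. The surfaces (`waf`, `ddos`, `auth`), the stage names in the chain, the 180-day window and the sample events are all constructed for illustration; the point it shows is that the matcher keys on the entity and on ordering, not on any one event type.

```python
"""Cross-surface, cross-time event correlation over constructed sample events.

Added example (not Radware's code). Events from different surfaces are grouped
by the entity they concern and replayed in time order. An entity is flagged only
when the stages of a hypothetical chain appear in order within a long window,
so a scan in January, an authentication failure burst in March and an anomalous
export in May on the same entity produce one alert, while the same events
scattered across unrelated entities produce none.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime   # timezone-aware
    surface: str   # which protection layer raised it: "waf", "ddos", "auth"
    entity: str    # what the event is about: a source network, an account, a tenant
    stage: str     # normalized event class, assigned by each surface's own detector


# Hypothetical chain (assumption): stages must occur in this order, possibly months apart.
CHAIN = ("scan", "auth_failure_burst", "anomalous_export")
WINDOW = timedelta(days=180)


def correlate(events, chain=CHAIN, window=WINDOW):
    """Return {entity: [events forming the chain]} for every entity that completes it."""
    by_entity = defaultdict(list)
    for e in events:
        by_entity[e.entity].append(e)

    hits = {}
    for entity, evs in by_entity.items():
        evs.sort(key=lambda e: e.ts)
        matched = []
        for e in evs:
            if matched and e.ts - matched[0].ts > window:
                matched = []  # partial chain went stale; start over from here
            if e.stage == chain[len(matched)]:
                matched.append(e)
                if len(matched) == len(chain):
                    hits[entity] = matched
                    break
        # Events whose stage is not the next expected one are ignored; the earliest
        # start of a chain is kept, which is the conservative choice for a demo.
    return hits


def demo():
    """Replay a constructed multi-surface event stream through the correlator."""
    utc = timezone.utc
    events = [  # constructed sample events; addresses are documentation ranges
        Event(datetime(2024, 1, 10, tzinfo=utc), "waf", "192.0.2.7", "scan"),
        Event(datetime(2024, 2, 14, tzinfo=utc), "ddos", "192.0.2.7", "volumetric"),
        Event(datetime(2024, 3, 2, tzinfo=utc), "auth", "192.0.2.7", "auth_failure_burst"),
        Event(datetime(2024, 5, 20, tzinfo=utc), "waf", "192.0.2.7", "anomalous_export"),
        Event(datetime(2024, 1, 11, tzinfo=utc), "waf", "192.0.2.9", "scan"),
        Event(datetime(2024, 4, 1, tzinfo=utc), "auth", "acct-42", "auth_failure_burst"),
        Event(datetime(2024, 4, 3, tzinfo=utc), "waf", "acct-42", "anomalous_export"),
        # Same chain, but the first two stages are more than 180 days apart: no alert.
        Event(datetime(2023, 6, 1, tzinfo=utc), "waf", "198.51.100.4", "scan"),
        Event(datetime(2024, 2, 1, tzinfo=utc), "auth", "198.51.100.4", "auth_failure_burst"),
        Event(datetime(2024, 2, 5, tzinfo=utc), "waf", "198.51.100.4", "anomalous_export"),
    ]
    return correlate(events)


if __name__ == "__main__":
    for entity, chain in demo().items():
        steps = " -> ".join(f"{e.surface}:{e.stage}@{e.ts.date()}" for e in chain)
        print(f"ALERT {entity}: {steps}")
```

In practice the expensive part is the normalization each surface performs to produce the `entity` and `stage` fields; once events share that vocabulary, the correlator stays this small. Note also that the stale-window reset in `correlate` means the third entity is not flagged even though all three stages occurred, which is the behaviour a time window is meant to produce.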