U.S. organizations need to re-evaluate data protection policies in anticipation of pending EU data protection legislation

David Gibson

With the European Commission poised to announce sweeping data protection legislation, it's imperative that U.S.-based organizations take a closer look at putting reliable, robust systems in place for protecting data. It would be wise for U.S. organizations to commit resources now to protecting data in anticipation of the new EU laws that will soon be unveiled, even if they are not doing business abroad.

We’re already seeing the UK regulator, the ICO, imposing its first major fines on public sector bodies, so it’s clear that regulators are recognizing the increasing value of digital assets, and the need to protect them. And with penalties of five percent of global turnover, the advice has to be to shape up, or face the consequences.

These changes to EU data protection legislation are designed to prevent harm to those whose information is housed by organizations and out of their direct control. It is likely we'll see the U.S. following suit in the near future.

With more than 23 million records containing personally identifiable information (PII) leaked in 2011 alone, it is more important than ever for organizations to have proactive and repeatable processes in place for identifying and protecting critical data. There are already PII laws in the U.S., including state laws in California, Nevada and Massachusetts.

Even experienced security professionals may be surprised to learn that the U.S. Sarbanes-Oxley Act draws closely on the original 1985 UK Companies Act. European laws are traditionally broader and deeper, and they influence U.S. legislation. In this way, even U.S. organizations not doing business abroad are affected by international laws, so it is imperative that we pay attention now.

It is increasingly clear that the biggest risk surrounding data does not come from hackers directly compromising customer and employee files, but from employees and contractors with overly permissive access, combined with a lack of access auditing, a lack of context and a lack of automation for the volumes of unstructured data that slosh around company archives.

Research from IDC and other analyst firms shows that more than three quarters of the data in large enterprises is unstructured, is overly accessible, lacks access auditing and lacks automated analysis of authorizations and use.

Auditing this data can be difficult for the IT security staff concerned, but that doesn't mean it is impossible. It just means that organizations have to invest in the necessary data protection and analytical technologies capable of auditing, down to the last file, who does what, when and where with the data.

David Gibson is director of strategy for Varonis. He can be reached at:

dgibson@varonis.com
