Cyber Law Data Protection


Jennifer Leos

Aug 4, 2024, 7:19:46 PM8/4/24
to inoplome
With 24% of cyber threats affecting the public sector, it is not just necessary to raise awareness about cybersecurity for the protection of our organisations and values, but also to unite as EU institutions to protect individuals.

Another example of how cybersecurity and data protection can reinforce each other is the role of cryptography and encryption, which are crucial to preserve the confidentiality and integrity of personal data; they are the building blocks of advanced privacy enhancing techniques.


As the amount of data being created and stored has increased at an unprecedented rate, data protection has become increasingly important. In addition, business operations increasingly depend on data, and even a short period of downtime or a small amount of data loss can have major consequences for a business.


The implications of a data breach or data loss incident can bring organizations to their knees. Failure to protect data can cause financial losses, loss of reputation and customer trust, and legal liability, considering most organizations today are subject to some data privacy standard or regulation. Data protection is one of the key challenges of digital transformation in organizations of all sizes.


The basic tenet of data protection is to ensure data stays safe and remains available to its users at all times. These are the two key principles of data protection: data availability and data management.


With the advent of hyper-converged systems, vendors are introducing devices that can provide backup and recovery in one device that integrates compute, networking, and storage infrastructure. Hyper-converged systems are replacing many devices in the traditional data center, and providing cloud-like capabilities on-premises.


Ransomware is a type of malware that infects a system, encrypts its data, and demands a ransom fee to release it. Traditional backup methods are useful for protecting data from ransomware. However, new types of ransomware are able to infect backup systems as well, rendering them useless. This makes it very difficult to restore the original version of the data.


To solve this problem, new backup solutions are designed to be completely isolated from the corporate network, and use other measures, like data encryption at rest, to prevent ransomware from infecting backups.


Disaster Recovery as a Service (DRaaS) is a cloud-based solution that allows an organization to create a remote copy of local systems or even an entire data center, and use it to restore operations in case of disaster. DRaaS solutions continuously replicate data from the local data center to provide a low recovery time objective (RTO), meaning they can spring into action within minutes or seconds of a disastrous failure.


CDM solutions simplify data protection by reducing the number of copies of data stored by the organization. This reduces overhead, maintenance, and storage costs. Through automation and centralized management, CDM can accelerate development lifecycles and increase the productivity of many business processes.


Internal risks include errors in IT configuration or security policies, the lack of strong passwords, poor authentication, and user access management, and unrestricted access to storage services or devices. A growing threat is malicious insiders or compromised accounts that have been taken over by threat actors.


External risks include social engineering strategies such as phishing, malware distribution, and attacks on corporate infrastructure such as SQL injection or distributed denial of service (DDoS). These and many other security threats are commonly used by attackers to gain unauthorized access to sensitive data and exfiltrate it.


Finally, a data protection strategy must consider compliance obligations. Organizations or specific business units may be subject to a variety of regulations or industry-specific compliance standards. Below are the most significant regulations affecting data protection today.


The General Data Protection Regulation (GDPR) applies to all organizations that do business with EU citizens, regardless of whether the company is located inside or outside the EU. Failure to comply can result in fines of up to 4% of worldwide sales or 20 million euros. The GDPR protects personal data such as name, ID number, date of birth or address, web analytics data, medical information, and biometric data.


The Australian Prudential Regulatory Authority (APRA) introduced a mandatory data privacy regulation called CPS 234 in 2019. CPS 234 requires organizations to improve information security measures to protect personal data from attacks.


As global concerns about cybersecurity, data protection, and privacy expand, our lawyers remain at the forefront of technology innovation, helping clients understand and mitigate risks to ensure that their business is responsive, compliant, and protected.


The final version of NISTIR 8374 Ransomware Risk Management: A Cybersecurity Framework Profile has been released. This Ransomware Profile identifies the Cybersecurity Framework Version 1.1 security objectives that support identifying, protecting against, detecting, responding to, and recovering from ransomware events. The profile can be used as a guide to managing the risk of ransomware events.


A white paper that provides an overview of the three Data Integrity projects and how they align with the NIST Cybersecurity Framework. This paper offers a high-level explanation of the architecture and capabilities, and it explains how these projects can be brought together into one comprehensive data integrity solution. You can also view the recording of our Virtual Workshop on Preventing and Recovering from Ransomware and Other Destructive Cyber Events.


A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Share your expertise and consider becoming a member of this project's COI.


The group consists of regulatory authorities, litigators, transactional lawyers, intellectual property counsel, seasoned government contracts practitioners and legislative strategists, all of whom work closely with clients to monitor the changing data and cyber landscapes. After a comprehensive analysis of potential risks, we develop, execute and maintain tailored solutions to mitigate perceived threats and take advantage of underlying opportunities.


Pillsbury has advised businesses ranging from privately held startup companies to publicly traded global conglomerates on all manner of data privacy issues, with particularly deep knowledge in connection with the energy, communications, financial services, government/defense contracts, health care and technology sectors, as well as with critical infrastructure generally. Our uncommon insight, combined with an expansive network of government and regulatory connections at the highest levels, affords clients a robust array of resources for navigating and tackling their data-related challenges.


There are three fundamental elements of data protection and security that most organizations should acknowledge in their cybersecurity efforts: Confidentiality, Integrity, and Availability. These three pillars are known as the CIA Triad, which functions as a framework to support resilient data protection systems.


Business continuity depends on information protection. To sustain continuity, businesses need ways to recover from a cybersecurity event. For example, a misconfiguration or unexpected system failure can result in data corruption. Data protection plans would then come into play after these events.


The time it takes for a business to recover from downtime impacts revenue. The longer the system suffers from downtime, the longer the business cannot sustain productivity. Without productivity, the business cannot maintain revenue. In addition, downtime can affect future revenue growth and damage the brand.


Data encryption is the first step in protecting data from attackers. Encryption should be implemented on data-at-rest and data-in-motion. When data is transferred across the internet, it should be encrypted to avoid eavesdropping and man-in-the-middle attacks. Compliance requires some encrypted data at-rest, such as sensitive information stored on mobile devices.


Cryptographically-secured encryption prevents attackers from reading any stolen data. Mobile devices with encrypted data-at-rest stop attackers from retrieving data on a physically stolen device. Compliance also regulates what data should be encrypted and how an organization protects information, so always check with regulations before creating a plan.


One issue with data portability is ensuring that it integrates with the cloud. More organizations recognize that the cloud is perfect for backups and archiving, so any disaster recovery plan should include the time to migrate data from the cloud to on-premises storage. The cloud is secure, but administrators must properly configure migrated data for data protection and availability, including the access controls necessary to defend against theft.


Backups have always been necessary for business continuity but are now integral to disaster recovery. Instead of making backups at a specific frequency, data backups are continual and more strategic to return the business to its same state before the cyber event.


Storing large amounts of data is expensive and takes enormous storage space, so organizations typically leverage the cloud to avoid on-premises expenses. A good disaster recovery plan involves deduping data and ensuring that no data is lost during the migration of a backup to the affected system.


Small and large organizations benefit from data protection, also known in this context as information protection or data-loss protection (DLP). But an enterprise has several moving parts, a large attack surface, and enormous amounts of data that must be protected. An enterprise data protection strategy typically differs from a small business due to the large attack surface.
