March 30, 2017: The finance industry is brimming with risk and compliance regulations, and data security is a serious business. As relentless news of security breaches and data loss continue to make it to the headlines, new legal frameworks and regulations are being introduced to set about defining data security best practices and avoid the risks associated with a breach.
Laying down the law
UK financial organisations are already bound by existing regulations such as the Data Protection Act (DPA), the Financial Services Authority (FSA) regulations and PCI DSS. However, the looming General Data Protection Regulation (GDPR), which will replace the 1995 Data Protection Directive and is expected to come into force on May 25, 2018, will mean organisations must change the way they treat confidential data yet again. Prominent within recent legal developments, there has also been a focus on encryption, not only of portable equipment and storage media, but also of databases, unstructured data, the cloud and application data.
The GDPR Article 32 states that data encryption is a means to protect personal data and that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymisation and encryption of personal data.”
Additionally, Article 34 notes that if a breached organisation “has implemented appropriate technical and organisational protection measures such as encryption”, organisations can avoid the regulation’s breach notification requirement and the resultant administrative costs.
Unfortunately, this lack of guidance can leave organisations at risk of misinterpretation, and lends itself to being more of a ‘tick box’ process. So whilst businesses may think they are complying, with no provision of specifics on how best to adequately protect sensitive data, it could result in a serious breach which would ultimately see organisations with huge financial and reputational damages.
In some instances, a particular regulation will mandate encryption in clear, unmistakable terms; those that don’t adhere to these terms will be in violation of the law. Other times, regulations remain vague about requiring encryption, leaving murky waters for businesses to navigate, such as the GDPR. For example, a regulation may require that sensitive and/or personal data be protected without explicitly stipulating that it be protected via encryption, a less than ideal situation.
For times when the law confounds, security experts can provide clarity. A general consensus among experts regarding data protection protocols results in commonly accepted best practices. The term isn’t exclusive to regulations and encryption, but it can nonetheless help guide companies that encounter nebulous regulations. If there are questions about implementing encryption that aren’t spelled out in a particular law, following industry best practices will keep a business protected.
Encryption in business and finance
As financial markets fluctuate daily, regulations and their associated encryption requirements seem to be following suit. Encryption is just another type of risk management, and those that know how to properly assess and manage risks usually succeed. Understanding the basics of encryption in finance in particular, where data “lives” and how it moves, is the difference between what a business must do and what it (really) should do, and how all of this helps financial organisations to stay on the right side of relevant regulations.
Virtually every industry that deals with personal and/or sensitive data relies on encryption to protect that data. Those that don’t encrypt put themselves at risk for stiff government penalties, fines, lawsuits, and more.
With the introduction of the GDPR, data regulation will likely be that much harder. Many financial organisations conduct business domestically and internationally, so, as client and customer bases grow across borders, maintaining compliance is an even larger beast to tame. Furthermore, small businesses must not assume that multinational corporations are the only entities that should be concerned about complying with these regulations. Breaches can happen just as easily, if not more so, to smaller operations, resulting in massive fines, expensive lawsuits, and diminishing customer base, or more likely, all three.
The Ins and Outs of encryption
Put simply, encryption is a process of transforming data to make it unreadable without authorised access. Authorised access to encrypted data arrives via a decryption key. If implemented and managed correctly, the right people will possess the key and the wrong people will not.
When it comes to regulatory compliance, no universal standard for encrypting data exists in the financial space. Therefore, the individual regulations that govern how organisations handle data dictate the encryption requirements.
Of all the encryption methods, AES (Advanced Encryption Standard) receives the lion’s share of attention. The standard is what the NSA uses to encrypt data, which should be proof enough of its security. AES can use 128-bit, 192-bit, or 256-bit keys and thus far has been extremely resistant to attempts at exploiting potential weaknesses.
Encryption can happen in a variety of ways and situations. Software can often do the job, but hardware encryption is often seen as the more secure method. Certain hardware is designed to encrypt data without the need for separate software, e.g. self-encrypting, and options exist for large hard drives as well as portable flash drives. USB devices offer a convenient way to transfer data between computers, and hardware encrypted USB devices can provide the necessary encryption capability embedded within the device, so data can be decrypted without the need for the user to install additional software. Web traffic can also be encrypted using SSL (Secure Socket Layer). Simply put, if desired, diligent users can keep their data encrypted wherever it goes.
The important regulations, and the fines associated with non-compliance, decisively lay out the need for encryption for the security of sensitive data. If a business/organisation within the finance, banking, or securities industry has questions about securing relevant data, a proper risk assessment is the first step to instituting compliance. With global identity theft losses growing, and non-compliance violations resulting in hundreds of thousands of pounds in fines and settlements, protecting sensitive data is as crucial now as it’s ever been.
Jon Fielding is Managing Director, Apricorn EMEA