In 2017, Equifax, one of the largest credit bureaus in the United States, suffered a data breach that exposed the personally identifiable information (PII) of 147 million consumers and the credit card information of more than 200,000 more.
Following the incident, Equifax spent almost $1.6 billion to strengthen its cybersecurity defenses. The company also agreed to a global settlement of $425 million (with the U.S. Federal Trade Commission) to help breach victims.
Even five years later, the Equifax breach remains one of the largest data-related security breaches ever. It offers valuable lessons for companies that manage consumer data.
In this article we will highlight five such lessons. If your organization collects, processes, stores, or shares consumer data, these points will help you implement appropriate security practices and controls to secure your data from hackers.
Data Privacy Regulations Around the World
In recent years, regulatory agencies worldwide have implemented laws and regulations to safeguard consumers from data breaches and protect their data privacy. These consumer protection laws regulate how organizations collect consumer data and how much control consumers have over their own information.
Some well-known privacy laws and regulations are:
- The U.S. Health Insurance Portability and Accounting Act (HIPAA)
- California Consumer Privacy Act (CCPA)
- Canada: Consumer Privacy Protection Act (CPPA)
- Singapore: Personal Data Protection Act (PDPA)
- EU: General Data Protection Regulation (GDPR)
These laws apply to organizations depending on their location and industry, and consumers’ location. For example, the GDPR applies to all companies collecting the information of EU residents, even if the companies themselves do not operate within the EU. Other privacy laws are aimed at protecting certain types of data. For example, HIPAA aims to protect the personal health information (PHI) of U.S. consumers.
Other privacy regulations aren’t enforced by government, but companies must adhere to them anyway as part of doing business with other entities. For example, the PCI DSS standard was created by large credit card companies to protect personal financial information; if retailers want to process credit card transactions, they must meet PCI DSS standards.
Data breaches increase the risk of identity theft and fraud for affected individuals. They can also be financially crippling for many organizations due to lost business and reputational damage.
Regulatory agencies also impose huge fines on breached organizations, especially if it’s later proven that a company didn’t have appropriate safeguards in place to protect consumer data.
You can avoid all these consequences by properly securing consumer data. The next section will show you how.
5 Best Practices to Protect Your Consumer Data
Usually it’s companies with weak data controls that experience data breaches. You can avoid joining their ranks and safeguard sensitive consumer data by following the five strategies given below.
Regularly Scan for Vulnerabilities
In a majority of data breaches, attackers compromise or steal sensitive customer data because the organization failed to find and fix security vulnerabilities.
The Equifax breach is one example of this weakness. Criminals exploited a vulnerability in the popular Apache Struts open-source development framework. Equifax knew about the vulnerability and also knew that a patch was available, but didn’t apply the patch – which allowed the hackers to get into Equifax’ systems and compromise massive quantities of data.
Don’t make this mistake. Regularly scan all data systems for vulnerabilities. Use an automated vulnerability scanner to perform scans quickly, regularly, and with minimal human intervention.
Patch All Software
Hackers constantly look for ways to exploit security vulnerabilities in software, so it’s vital to fix these vulnerabilities as soon as they are detected. Software vendors usually release security patches fairly regularly. Make sure to implement all these patches and on all your software assets, including operating systems and enterprise applications.
Limit Access to Data
Strong data governance practices are essential for protecting sensitive customer data. One practice is to limit access to authorized personnel only. Giving general access to any “trusted” user will create openings for attackers to steal credentials, control user accounts, and cause serious damage to sensitive information.
Also implement reliable and proven authorization and authentication practices (such as multi-factor authentication, or “MFA”) for authorized users. Control access levels and permissions, especially for privileged accounts, with identity and access management (IAM) tools.
Encrypt Sensitive Data
Encrypting data protects and secures it across multiple environments and devices, both in transit and when at rest. It also minimizes the risk of malware, phishing, ransomware, and other cyberattacks targeting your data environment.
When encrypting data, use strong AES 256-bit keys and keep the keys secure so they don’t fall into the wrong hands. If possible, encrypt data in layers and use hierarchical key models and regular key rotation for ongoing data security.
Create Risk Management and Disaster Recovery Plans
Strong risk management and disaster recovery plans will help you identify the various risks to your customer information and develop mitigation strategies to avoid or address these risks.
When preparing your plans, detail the playbooks and security measures you will use to respond to breaches and protect data. For example, you may mandate MFA for all access requests or implement a Data Security Fabric (DSF) to implement enterprise-wide security controls. Whichever technologies or tools you use, include them in the plan.
Also communicate these plans to all stakeholders so everyone is on the same page at all times, and the organization is better prepared to respond quickly to a crisis.
Manage and Secure Your Consumer Data with Automation and ZenGRC
Data security automation platforms can help you overcome data protection challenges and boost data security across your organization. The ZenGRC from Reciprocity provides a single source of truth so you can see exactly where your data is at risk.
Then leverage its automated workflows, built-in content library, and expert-provided guidance to implement smart data security controls and protect consumer data. ZenGRC’s contextual insights and powerful features will also enable you to meet your compliance responsibilities and goals with ease. Get a free demo of ZenGRC today!