Limited retention and backup: they do work together!
Amalia Barthel, CIPM, CIPT, CRISC, CISM, PMP, CDPSE
AI & Privacy Engineer| Data & Ethics|(SCC) Member| AI Risk Assessments| DPIAs| Privacy management programs| Lecturer, Instructor & Advisor| U of Toronto SCS| Digital Governance, Risk & Privacy Coach|
Latest privacy legislation enacted in the US and Canada as well as newly introduced privacy bills signal to the world that the principles of limiting data collection, use and retention as well as data minimization are top of mind for regulatory authorities.
All the more so now that we hear of cyber attacks in countries like Sweden, and of serious data breaches flagged by ethical hackers, such as the one affecting the government bond website in Belgium.
The final SEC rules are out and point to high expectations from regulators regarding risk governance and management for organizations that fall under these rules, and for their ecosystem.
Under the final rule, customers, clients or employees can bring direct claims if they are impacted by a cybersecurity incident, or if the risk management or governance systems an organization disclosed were allegedly false or misleading.
Financial institutions in Canada have also raised their alert level and their requirements for due diligence over third-party vendors. The new due diligence includes producing evidence not only of a substantial cybersecurity program but also of privacy practices that assure the financial institution that its data, and the services connected to its brand and name, are appropriately protected.
What’s in a word: data protection?
Data protection is a capability which includes cybersecurity policies, processes, monitoring, alerts, risk governance and management, backup and disaster recovery disciplines.
It also includes privacy: governance over personal information (PI) such that PI is collected and used according to the applicable privacy laws and is safeguarded, including in the form of backups.
At first glance, backups seem to depart from the data minimization principle. Only at first glance. Backups and recovery are absolutely necessary in order to respect the security safeguards principle, which covers not just confidentiality and integrity but also availability.
Backups are required to maintain the confidentiality and integrity of the stored data; they must be accessible only to a very select and limited number of parties, and only for the purpose of ensuring availability of the data.
The recovery process has to meet the business requirements for availability, and sometimes those of another party that relies on the data being retrievable at a given moment in time.
New technologies have taken these resiliency requirements up a notch: they provide a layer of protection around the data while it is being backed up, so that a ransomware attempt cannot succeed. The speed with which data is restored has also drastically improved, which not only supports cyber resilience but also aligns with the requirements of privacy and data protection laws.
Newer technologies have been created with the understanding that resilience, backups and the principles of limiting retention and copies of personal information should coexist. Some technologies mirror copies of the organization's files and folders in a protected and hidden layer. In the event of a breach, that data can't be directly accessed, modified, or encrypted by ransomware attempts, thereby reducing the exposure and impact on sensitive files. Other technologies can revert altered data back to its original state with a single click, ensuring minimal downtime. If you want to find out more about how limited retention and backup coexist, you can ask the guys over at Cybrilliance for more information: [email protected].
At DesigningPrivacy we start with a combined Enterprise Privacy and Security Risk Assessment. We take this approach to assess the strength of your cyber resilience posture and to give your organization an understanding of the vulnerabilities you may have with respect to protecting PI, along with areas for improvement. This is a no-risk, no-obligation approach with no commitment on your part. If you need more information to start or complete your journey towards data resilience, please contact me: [email protected]