StrongKey and Smith Anderson Law recently co-hosted a round table discussion on technical safeguards with approximately 20 executives from industries including government, healthcare, software, IT, and AI in attendance. This diverse group of individuals was brought together to discuss one of the hardest data problems facing companies today: data privacy regulations.
The conversation was moderated by Arshad Noor, CTO at StrongKey, and Joe Dickinson, Data Use, Privacy and Security lawyer at Smith Anderson Law. Attendees had the opportunity to talk about compliance issues they have run into, then received direct feedback from industry peers as well as StrongKey and Smith Anderson experts.
Joe Dickinson provided guidance on priorities for every company to focus on, such as organizational culture and a demonstrated priority on privacy. Key questions for attendees to consider included, "What is your company's incident response plan?" and "Are you documenting when something goes wrong?"
StrongKey CTO Arshad Noor talked more about the technical side of things, particularly the EU General Data Protection Regulation (GDPR), which is a hot topic at the moment. GDPR Article 1.2, a founding principle of the regulation, states, “this regulation protects fundamental rights and freedoms of natural persons and in particular, their right to the protection of personal data.”
Noor went on to give an overview of FIDO2, the FIDO Alliance, and how using appropriately deployed key management, authentication, and encryption can provide protection from the inevitable breach, even with an attacker on the network. Attacks can happen at every layer of the technology, but protection at the business application layer is what matters the most.
Both Noor and Dickinson agreed that doing everything in your power to protect the data while in your organization’s care is the most important tenet of all—not all companies will succeed in preventing a data breach, but companies that document their efforts, encourage thorough data management practices, and promote a culture of good security hygiene will suffer far less than those who simply ask for user consent. While the conversation overall was incredibly productive, the top 4 high-level takeaways were particularly poignant:
- Documentation dedication.
According to Dickinson, “It’s not what you do, it’s how you regulate what you do.” He stressed that with the multitude of laws and regulations, you have to have healthy documentation. In the event of a breach, documentation will help you prove our #2 key takeaway, “protection by design”—without it, a compliance failure is imminent.
- Protection by design.
Noor pointed out a critical GDPR tenet: “Data protection by design and by default,” which essentially calls for organizational measures to limit access to unnecessary data, implement data protection principles across all business needs, and employ methods to demonstrate compliance.
- Encryption above all.
One of the easiest ways to protect data is a type of encryption that GDPR refers to as “pseudonymization,” which is really just a form of tokenization. Noor pointed out that data storage and processing require encryption best practices at every turn—not just in tokenizing or pseudonymizing the data through the application, but also in the central storage area and when it’s being shared with authorized individuals or groups.
- Cybersecurity resilience.
“Achieving” compliance is often a singular event, time-bound to the particular moment when an organization was, indeed, compliant. However, weeks, days, or even minutes after that moment, everything can change. The key to good security is understanding that striving for compliance is not the end goal—instead, organizations should strive to create an ongoing culture of cybersecurity resilience.
StrongKey makes data breaches irrelevant by redefining how businesses and government agencies secure their information against the inevitability of a breach. StrongKey is trusted in mission-critical business operations by some of the largest companies in payment processing, e-commerce, healthcare, and finance.
Smith Anderson Law has grown to become the largest business and litigation law firm headquartered in the RTP region and one of the largest in North Carolina. Smith Anderson has experienced lawyers on hand who have guided companies through developing and implementing data privacy and security programs, HIPAA compliance, data breaches, and government privacy-related investigations, to name a few.