Posted on Fri, Aug 28, 2009
An effective data loss prevention solution can be seen by employees as a powerful tool for maintaining market leadership. It can protect irreplaceable research and development efforts, valuable intellectual property, and trade secrets. A sound data loss prevention solution can also give employees the added assurance of brand protection by potentially saving the organization from an embarrassing incident. However, if not managed correctly, it can also create an environment of employee mistrust or, worse, expose the organization to fines and lawsuits for privacy violations. For example, some solutions violate United States and European Union regulations by collecting all traffic. Others don’t provide role-based access controls to determine which monitors can see what data. Without the appropriate safeguards built into their software, these solutions potentially expose an unprotected organization to violations.
An efficient data loss prevention solution needs to balance the requirement for corporate protection with the need for employee privacy. It should deliver on the following three requirements of Global Employee Privacy Protection:
- Targeted, policy-based monitoring that allows an organization to define specific attributes of confidential data
- Highly accurate detection technology that finds targeted data while simultaneously minimizing the risk of false positives
- Role-based controls that limit viewing of quarantined data to only those individuals who are approved to see it
The process of monitoring internal data and employee communications carries with it the responsibility of adequately protecting employee privacy.
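The three requirements above, sketched as an added example (not part of the original post and not any vendor's code): the policy targets only payment card numbers, a Luhn checksum filters out look-alike digit runs, and a role check decides how much of a quarantined message a reviewer sees. The role names and sample messages are constructed for illustration.

```python
import re

# Targeted policy (assumption for this example): only payment card numbers are in scope.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Hypothetical role allowed to read a quarantined message in full.
FULL_VIEW_ROLES = {"privacy_officer"}


def luhn_ok(digits):
    """Luhn checksum: rejects most random digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text):
    """Return the card numbers (digits only) that match the policy in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def view_incident(text, role):
    """What a reviewer with this role may see; None means nothing was collected."""
    cards = find_cards(text)
    if not cards:
        return None             # out of policy: the message is never quarantined
    if role in FULL_VIEW_ROLES:
        return text
    return ["card ending " + c[-4:] for c in cards]  # masked view for other roles


# Constructed sample messages.
CARD_MAIL = "Please charge 4111 1111 1111 1111 for the renewal."
ORDER_MAIL = "Your order reference is 1234 5678 9012 3456."
PERSONAL_MAIL = "Running late, can we move lunch to 1pm?"

if __name__ == "__main__":
    for mail in (CARD_MAIL, ORDER_MAIL, PERSONAL_MAIL):
        print(view_incident(mail, "helpdesk"))
```

The order reference has the shape of a card number but fails the checksum, so it is never quarantined, and the personal message is out of policy and is not collected at all.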
Posted on Thu, Aug 20, 2009
Rising government mandates and intellectual property (IP) protection are the major driving forces of the high standards revolving around data loss prevention. In today’s vulnerable economy, spending priority should be around enhanced data security. Increased regulatory compliance requirements, layoffs and job insecurity have intensified concerns about employees sabotaging or running away with sensitive business information.
Most organizations fall under one or more state, federal or international regulatory mandates. Compliance standards such as those within the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLB) and Sarbanes-Oxley (SOX) are requiring corporations to take measures to safeguard private and personally identifiable information. There are currently thirty-five states within the U.S. which mandate that companies affected by data loss notify individuals in the event that their personally identifiable information is breached.
Data loss prevention is not only of significant interest to the health care and financial industries, but also to nearly all companies that conduct business worldwide. Organizations face several obstacles that make it difficult for them to maintain regulatory compliance. Mistakes such as sending an email which contains unencrypted credit card data, or sharing a report revealing employee or patient medical information with an unauthorized person, can be considered regulatory violations.
A down economy generates a more competitive business environment, making IP protection essential for all companies. IP is one of the most important assets belonging to any business and serves as a key motivating factor for data loss prevention efforts. Because so many forms of documented data could be considered a trade secret (such as data pricing, marketing strategy plans and customer information), company insiders may not be fully aware they are handling IP. It is therefore the company’s responsibility to take the necessary steps to protect critical IP. This begins with an effective data protection and disaster recovery plan.
Fact: U.S. businesses are losing approximately $250 billion annually from trade secret theft (United States Trade Representative).
Posted on Wed, Aug 12, 2009
Over the past decade, the world has become more electronically connected in a multitude of ways. Whether traveling, in the office or at home, most people are never far away from an electronic medium capable of linking them to others nearby or halfway around the world. The complexities of daily business have made instant access to electronic data more and more crucial, and increased the need to put effective data loss protection measures and potential disaster recovery solutions in place.
Take global alliances for instance: many companies have international offices, outsourced managed service providers and offshore development offices that each exponentially increase the chances for data loss. Communication practices as simple as sending e-mails can compromise confidential information that instantaneously travels across the world. Overall, the environment is ripe with opportunity for data loss.
Today's workers experience a far greater amount of flexibility in their work location and hours than those of previous generations. A May 2006 U.S. Chamber of Commerce report stated that 20 million Americans telecommute. This indicates that electronic communications have become the lifeline to the office, with important and perhaps sensitive company data transmitted back and forth throughout cyberspace. This is a prime target for hackers and criminals to hijack.
Throughout the years, organizations have spent an immense amount of resources on data protection for the purpose of safeguarding their mission-critical information. However, the bulk of their efforts have been centered on preventing outsiders from hacking into the organization. Ironically, studies have shown that the majority of information leaks result from data loss inflicted by employees and company partners. There is some research which shows that more than half and as much as 80% of data breaches are caused by company insiders. A business does not need vastly dispersed offices or a staff which heavily telecommutes to be fertile ground for data loss. Employees can cause a data loss disaster for their company with the simple click of a mouse, whether done purposefully or accidentally.
Posted on Fri, Aug 07, 2009
Professionals within the medical industry are faced with new advances in technology that generate more electronic data than ever. The obligation to meet strict patient privacy and government compliance standards surrounding data protection has intensified with the shift to electronic medical records. This rapid advancement in digital data growth and government regulations calls for more accountability to protect patient confidentiality through administrative procedures, technology and a thorough offsite data backup and disaster recovery plan. Consequently, medical professionals are turning to managed service providers that offer secure offsite backup and disaster recovery consulting capabilities. These remote backup companies provide the reliability, recovery time objectives and data security required to ensure patient privacy and business continuity.
Remote backup companies present a broad choice of various cost options according to the amounts and types of data files that need to be stored and protected. A dependable offsite data backup provider should back up several variations of mission-critical documents and allow an organization to carry out a point-in-time recovery in the event of a disaster. Even though there are some documents which change on a consistent basis, there are those medical records that are never altered once initially produced. One case in point: a radiograph or signed certificate will go unchanged years down the line. Therefore, it would be unnecessary to store these files through a remote backup solution which backs up at multiple restore points intermittently.
A practical and low-cost alternative would be to move all unchanging and infrequently retrieved data to a lower-cost tier within a tiered storage solution. Consider using an offsite data backup company that provides tiered storage solutions within their disaster recovery services. This data archiving system stores and protects files that never change, such as e-mails, pictures, signed documents, videos and static medical records like x-rays. This is less expensive than keeping rarely accessed, unchanging data on a higher tier that it does not need.