Problem solve Get help with specific problems with your technologies, process and projects.

How to protect personal data

Regulations like HIPAA, GLBA and California SB 1386 have made protecting personal data much more of a priority for the security industry. Learn tools and tactics to protect your personal data in this security management Ask the Expert Q&A.

We're considering implementing stronger policies/standards to protect personal data. I'd like some benchmark information...

about what other companies are doing and whether it's working.

Due to HIPAA, GLBA, banking regulations, federal and state privacy laws, privacy laws in other countries that organizations operate in, and the litany of civil suits, protecting personal data is much more of a priority for the security industry.

Most organizations find that determining what "sensitive data," is and where it resides in the enterprise is the most difficult part of this process. An organization's definition of sensitive data will typically depend on the regulations and laws that the company must comply with. The following are examples of the type of data that is called out for protection in the various regulations and laws:

Policy Classes Regulations Types of Information
Personally Identifiable Information California SB 1386
Other State Regulations (>20)
PIPEDA (Canadian)
Social Security Number
Date of Birth
Person Name
Canadian Social Insurance Number
Canadian Drivers License Numbers
Email Address
US Postal Address
Phone Numbers
Driver License Numbers for all 50 States
Personal Credit Information GLBA
Payment Card Industry (PCI)
Credit Card Number
Bank Account Numbers
Other Financial Account Numbers
Personal Health Information HIPAA Sexually Transmitted Disease Terms
Cancer Terms
Medical Checkup Terms
Mental Illness Terms
Cardiovascular Disease Terms
Drug Abuse Terms
Medical Procedure Terms
Sex and Pregnancy Terms
Medical Form Terms
CDT (Common Dental Terms)
CPT (Common Procedure Terms)
HCPCS (Healthcare Common Procedure Code Set)
National Provider ID
ICD-9 (International Classification of Diseases) Diseases
ICD-9 External Injuries
ICD-9 Procedures
ICD-10 Diseases
ICD-9 Neoplasms
ICD-9 Drugs and Compounds
NDC (National Drug Codes)
HR Violations Internal Company Regulations Sexual Harassment
Homosexual Slurs
Obscenities and Profanities
Racism SAP HR Codes
Password Information   Passwords
Company Financial Information Sarbanes Oxley
Various SEC Regulations
Internal Financials
Web Postings to Financial Sites
Company Intellectual Property   Transmissions to Competitors
Customer Specified IP
Web Postings to Corporate Rumor Sites
Transmissions with Attachments to Private Email Accounts
National Security Information ITAR
Patriot Act
Transmissions to Disallowed Countries
Weapons and Other Materials
FBI Most Wanted Names
FBI Most Wanted Terrorist Names
FBI Hijack Suspects
DTC Debarred Parties

**Data in spreadsheet was provided by Tablus Inc.

Of course, this is just one piece of the sensitive data equation. A company also has to identify and protect their other "sensitive data," i.e. intellectual property, trade secrets, pricing, blueprints, etc.

In an attempt to identify sensitive data at rest and in transit, many companies are turning to secure content managers like Tablus, Port Authority and Vontu. These tools search workstation and server hard drives to identify sensitive data. They can be helpful when conducting an initial search to determine what is where. Conducting an initial search allows you to properly classify the identified data and implement the correct level of access controls and encryption.

These tools also have the capability to continually search hard drives, identify new sensitive data and alert you via a central console if something violates the policy you configure. You can choose to delete, quarantine or move the data to a more appropriate place. This feature is important because new data is constantly created and old data moves around an environment, so it is important to keep track of it.

These tools also detect sensitive data in transit. It is important to know what protocols you need to monitor (SMTP, HTTP, FTP, etc.) and if you have homegrown applications that do not use common protocols, but create their own sockets and communicate directly to each other. Note, some of these products do not work with raw packets and cannot monitor this type of communication.

These tools can also send emails containing "sensitive data" to an email encryption product, as in PGP's Universal Server. Many companies use these products rather than relying on users to properly encrypt data before sending a message.

Since data travels over many different protocols, there isn't one perfect product that properly protects the data across all transmission modes. Most environments have to implement SFTP, SSL, IPsec, and either SMIME or PGP email encryption where necessary. The real work is to first identify where the data is and how it travels and then implement the right technology to protect it.

There are also data classification best practices. However, because the disciplinary levels needed after rolling out this initiative usually drops, these policies, standards and guidelines are difficult to implement and follow. This is because data owners need to be identified and educated on data classification processes and usually the necessary discipline drops off after the initial roll out of this initiative. This is why it's important to educate users and security personnel on data classification processes and procedures, and automate the protection of the data if possible. Whole disk and virtual disk products can be used on servers and workstations, and database encryption can be integrated into SQL, Oracle and other database types.

Remember, this is just one way to protect data. It is also important to implement access control, identity management, and user provisioning correctly.

As you can see, proper policies and standards are certainly important to personal data protection, but understanding and implementing the right technology at the right points of an environment is critical.

More on this topic

This was last published in June 2006

Dig Deeper on Data privacy issues and compliance