
What Are Standardized International Data Security Measures and How Would They Work?

By Nicole Lim / February 27, 2020


Standardized international data security measures are a hypothetical set of laws and/or best practices for data security that would be adopted worldwide. As it stands, the U.S. has a patchwork of federal and state regulations on data security. The most notable federal authority is Section 5 of the Federal Trade Commission Act, which gives the FTC broad power to act against unfair or deceptive practices, including inadequate data security, and to enforce existing data security laws. In practice, however, it is largely up to each individual company to decide how it manages data security and when and how it reports breaches.

One result is the large-scale theft of sensitive consumer information, such as the 2017 Equifax breach, which exposed the personal data of roughly 148 million consumers. This has driven growing interest in stricter regulation of how data security is handled, and many argue that consumers would be best served if such regulations applied to institutions across the globe.

Current Examples of Data Security Standardization

While there are not yet standardized global data security measures, there are some examples of large-scale data security regulations.

GDPR

The GDPR (General Data Protection Regulation) is perhaps the most notable example of large-scale data protection standards. The regulation was adopted in April 2016 and has applied since May 25, 2018. It protects people located in the European Union (EU) regardless of where the company processing their data is located: a U.S. company with customers in the EU must follow the GDPR's breach notification rules if a data leak affects those customers. Its major tenets for companies that process and/or store personal data include the following:

  • A personal data breach must be reported to the supervisory authority within 72 hours of the company becoming aware of it, and affected individuals must be informed without undue delay when the breach is likely to put their rights and freedoms at high risk.
  • Data processing protocols must be fair, lawful, and transparent.
  • Entities should only process and save data that is relevant to their operations.
  • Personal data should only be kept in a database for as long as it is relevant to the purpose specified by the company.
  • Personal data must be accurate and up-to-date.
  • Personal data must be processed in a manner that ensures its integrity and confidentiality, using appropriate technical and organizational security measures.
  • The onus is on the data controller to demonstrate, with documentation, that these principles have been met (the accountability principle).

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a global standard, maintained by the PCI Security Standards Council, that applies to any organization that stores, processes, or transmits cardholder data for the major card brands. It is meant to reduce the prevalence of credit card fraud. Its twelve requirements are grouped under six goals:

  • Building and maintaining a secure network and systems;
  • Implementing strong access controls over systems and cardholder data;
  • Regularly monitoring and testing networks;
  • Protecting stored and transmitted cardholder data;
  • Maintaining an information security policy;
  • Maintaining a vulnerability management program.

What Regulations Would Data Security Standardization Entail?

International regulation for data security standardization could be implemented in any number of ways, and it is difficult to predict exactly what it would look like. However, some elements that would almost certainly be included are:

  • Minimum security measures: These could range from prescribing the hardware and software used to store data to restricting which users may access it.
  • Prompt reporting of data breaches: Individuals affected by a data leak would need to be notified of the leak within a certain time frame.
  • Respect for the laws and regulations of other countries: When dealing with the data of foreign consumers, companies would need to abide by any additional regulations enacted within the consumers’ home countries.

Initiatives for Standardization

Currently proposed initiatives for data security standardization include:

  • The Cyber Privacy Fortification Act: This bill was proposed by members of the U.S. Congress in 2015. It would hold companies accountable for failing to notify consumers of data breaches involving sensitive personal information.
  • The Data Security and Breach Notification Act: This bill was also proposed by members of the U.S. Congress in 2015. It would require entities regulated by the FTC to implement security measures and to notify consumers of data breaches.
  • The Global Data Security Initiative: This is a data security initiative that was proposed by the Chinese government in 2020. The goal of the initiative is not only to improve consumer data security, but also to protect national security against espionage.

Threats to Data Security

Common threats to data security include:

  • Employee negligence;
  • Employee theft;
  • Lack of proper training;
  • Failure to apply security updates and patches;
  • Lack of compatibility between new and legacy systems;
  • Scams (e.g. phishing).

Data Security Standardization and the Cloud

Cloud storage offers some built-in security benefits, such as encryption of data at rest and in transit and storage in provider-run data centers away from the customer's own premises. Beyond those baseline controls, however, the configuration and any additional security measures (access policies, key management, logging) remain the responsibility of the individual company to maintain and enforce. Growing concern from users and other stakeholders may push companies to apply more stringent controls to data stored on cloud servers, and this is also an area that international standardization could affect.

SaaS

Software as a service (SaaS) is offered on a subscription basis through a cloud service provider. The use of SaaS may help companies maintain security standards by outsourcing much of the expense and labor involved with maintaining up-to-date solutions, support, and troubleshooting to service providers in the cloud marketplace.

As it stands, it is unclear whether a global data security standard would significantly improve data security, or if companies already have suitable incentive to manage data security responsibly.