Data privacy and protection: balancing your approach to cybersecurity risk

January 27, 2023


By Eric Schmitt – chief global information security officer and Brenda G. Corey – SVP compliance & regulatory

In a world increasingly concerned with privacy and protection, companies must balance their awareness of risk with compliance amid rapidly changing regulations.

From a data protection standpoint, the past 24 months have brought an increased emphasis on ensuring data is retained only for the period it is needed, or as required by law. With transparency and data rights laws now active in two U.S. states (California, under the CPRA, and Virginia) and taking effect in three additional U.S. states during 2023 (Colorado, Connecticut, and Utah), now is the time for companies to assess their infrastructure, identify the areas a bad actor could exploit, and educate employees on best practices for protecting sensitive data.

Records retention

A big area of focus is full compliance with a record retention schedule. The record retention schedule is vital for retaining data only for the period needed, for reducing risk by decreasing the volume of data stored, and for complying with emerging legislation. Companies around the world are on this journey today and are revalidating their existing policies to ensure compliance. It’s important to ensure records retention obligations are met for multiple stakeholders – statutory, client, and insurance carrier – in specific jurisdictions as well as at a global level.

Cyber resilience

On the tech side of the business, it’s important for cybersecurity, backup, and disaster recovery teams to come together and provide a more unified program under the banner of “cyber resilience.” This level of partnership helps to ensure that continuity plans, covering both business and technology, take into account how to implement protections in the event of a cyberthreat, allowing an organization to respond quickly to emerging threats. Companies should make certain that their continuity program includes cyber-related issues.

Threat hunting

Armed with the mission of “breaking yourself before somebody else does,” cybersecurity teams look to attack an organization’s own cyber environments in the same way a bad actor might – a process called threat hunting. This gives the visibility not only to spot the pain points where attacks may occur, but also to build a quicker response so backup data can be protected and not all is lost in the event of a threat. Threat hunting should supplement a robust vulnerability and penetration testing program, not replace it. There are two large benefits to threat hunting – your defenders learn to identify attacks as they work with the threat hunters, and the company can identify areas that may need additional controls to be applied.

Setting up a line of defense

You have to know what you have before you can protect it. By data-mapping all lines of business and the types of data flowing across them – including which vendors that information is shared with – you can get a clear picture of how and where data is secured. MITRE’s “crown jewel” exercises help highlight vulnerabilities around the data that must be protected, so defenses can be layered accordingly.

Colleague education is another tier of optimal data privacy and protection efforts. When it comes to cybersecurity risk, your people are your first and last line of defense. Two questions should always be top of mind: how employees can be better educated to positively identify inbound threats, such as phishing emails and other malicious activity, and how that behavior can be reinforced positively. Phishing email training exercises should be done on a regular basis for the entire organization. Colleagues on teams that constantly handle sensitive data may need more frequent assessments for data breach prevention.

In the claims industry, privacy officers work to ensure data rights requests are addressed quickly and efficiently for individual claimants. In harmony with privacy laws, artificial intelligence may be leveraged to provide better services to individuals, such as in the case of automated claim reviews.

Privacy by design

Data privacy and security can be a differentiator for a company and its clients when it’s “baked” into investment and operations strategy. As a company builds out its new processes and programs, including the flow of information within the system, it’s essential that teams on the front end know how to tackle privacy by design. Regulatory agencies are making a heavier push toward reducing the footprint of data; businesses must do their due diligence by asking deep questions about their data security programs and weighing their investment in threat intelligence.