Lesson 16: Data Protection and Compliance Concepts

Data Classification

Definition:

Categorizing data based on sensitivity and required protections

Key Types:

Regulated Data:

Legally protected information

  • PII (Personally Identifiable Information): Data identifying an individual (name, SSN, email, address, DOB)
  • PHI (Protected Health Information): Health-related PII regulated under HIPAA (diagnoses, treatment history, lab results)
  • Financial Records: Banking info, credit cards, tax returns, income statements

Other Types:

  • Trade Secrets: Proprietary business information (Coca-Cola recipe)
  • Intellectual Property: Copyrights, patents, trademarks
  • Legal/Financial Data: Contracts, tax records, audit reports

Classification Levels:

  • Public: Least sensitive, freely shareable (marketing content, website text)
  • Confidential: Internal-use only, moderate sensitivity (internal policies, employee schedules)
  • Private: Highly sensitive, tightly restricted (trade secrets, encryption keys, intellectual property)
  • Privacy: Protects individual identity and rights (PII, PHI, bank records)

Example: Microsoft Azure uses labels like Confidential to auto-apply watermarks and restrict access

Data Sovereignty and Geographical Considerations

Data Sovereignty:

Laws requiring data to be stored and processed within a country's borders

  • Example: GDPR requires that EU residents' data stay within the EU
  • Different countries have different privacy laws, government access rules, security regulations

Why It Matters:

If you store data in another country (e.g., on a cloud server in the US while operating in Germany):

  • Data could be accessed by foreign governments
  • May not comply with your country's data protection laws

Geographical Considerations:

  • Access Controls: Verify user locations (geo-blocking)
  • Example: A Canadian bank must store customer data on servers within Canada

Key Regulations:

  • GDPR (EU): Protects EU residents' data globally
  • CCPA (California): Grants Californians rights over their data

Privacy Data

Definition:

Information tied to an individual's identity (Social Security numbers, medical records)

Key Concepts:

  • Right to Be Forgotten: GDPR allows individuals to request data deletion
  • Data Inventories: Track where personal data is stored (CRM systems)
  • Data Retention: Keep data only as long as necessary (delete old customer records after 7 years)

Roles:

  • Data Controller: Decides how data is used (company collecting emails)
  • Data Processor: Handles data on controller's behalf (cloud providers like AWS)

Privacy Breaches and Data Breaches

Breach Types:

  • Privacy Breach: Unauthorized access to personal data (leaked patient records)
  • Data Breach: Any unauthorized access to data (stolen credit card numbers)

Consequences:

  • Fines: GDPR fines up to €20 million or 4% of global revenue
  • Notifications: GDPR requires breaches to be reported within 72 hours

Compliance

Definition:

Adhering to laws, regulations, and contractual obligations

Key Issues:

  • Legal Noncompliance: Violating GDPR, HIPAA, or PCI DSS
  • Software Licensing: Using unlicensed software (pirated Microsoft Office)
  • Contractual Noncompliance: Failing to meet SLA terms (uptime guarantees)

Monitoring:

  • Internal Audits: Regular checks by organization
  • External Audits: Third-party reviews for certifications (ISO 27001)

Data Protection Methods

Data States:

At Rest:

Stored data (encrypted databases)

  • Methods: FDE (Full Disk Encryption), File-level Encryption, Database Encryption; BitLocker (Windows) and LUKS (Linux) are common FDE implementations

In Transit/Motion:

Data being transmitted (HTTPS for web traffic)

  • Methods: TLS/SSL, VPN, SSH, IPSec, HTTPS, Secure FTP (SFTP), Encrypted Messaging

In Use:

Data being processed (RAM encryption)

  • Methods: TEE (Trusted Execution Environment), Homomorphic Encryption, SMPC (Secure Multiparty Computation), RAM encryption, Intel SGX, AMD SEV
  • Homomorphic Encryption: Allows data to be encrypted and manipulated without decrypting first

Data Loss Prevention (DLP):

Tools that detect and block unauthorized data transfers

  • Example: Preventing emailing of credit card numbers
  • Office 365 DLP policies flag sensitive files shared externally
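
The credit-card example above, as an added illustration (not part of the lesson or any vendor's DLP product) of how a content-inspection rule works: candidate card numbers are matched by pattern, validated with the Luhn checksum to cut false positives, masked for the audit log, and an outbound message to an external recipient is blocked when a match is found. The internal domain (example.com) and the sample messages are constructed for the example.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out order IDs and random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return normalized (separator-free) card numbers in text that pass Luhn."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Log only the last four digits, so the DLP alert itself does not leak the PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def dlp_decision(message: str, recipient: str, internal_domain: str = "example.com") -> dict:
    """Block outbound mail to an external recipient if it contains a Luhn-valid card number.

    internal_domain is an assumed value for this example.
    """
    pans = find_card_numbers(message)
    external = not recipient.lower().endswith("@" + internal_domain)
    action = "block" if (pans and external) else "allow"
    return {"action": action, "external": external, "matches": [mask_pan(p) for p in pans]}


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
    print(dlp_decision("Please charge 4111 1111 1111 1111 for the invoice", "partner@other.org"))
    print(dlp_decision("Please charge 4111 1111 1111 1111 for the invoice", "alice@example.com"))
    print(dlp_decision("Your order 1234 5678 9012 3456 has shipped", "partner@other.org"))
```

Real DLP engines add context checks (nearby words such as "card" or "exp"), document fingerprints and Exact Data Match; this rule shows only the detection core.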

Personnel Policies

Conduct Policies:

  • AUP (Acceptable Use Policy): Rules for using company resources (no torrenting)
  • Clean Desk Policy: Employees secure sensitive documents before leaving
  • Social Media Use: Guidelines for posting company information online

Training:

Role-Based Training:

  • End Users: Spot phishing emails
  • IT Staff: Secure network configurations

Techniques:

  • Phishing Simulations: Test employee vigilance
  • Gamification: Reward employees for completing training modules

Security Awareness Lifecycle:

  1. Assessment: Identify training needs
  2. Planning: Design tailored programs
  3. Delivery: Conduct workshops/CBT
  4. Evaluation: Measure effectiveness via quizzes
