Legal requirements for reasonable security
Data security is not just a good idea—it’s the law. In the United States, reasonable security is a legal requirement for specific classifications of information such as financial, health, and personal information. Reasonable security is required under laws governing fair business practices. Outside the United States, the European Union General Data Protection Regulation (GDPR) and other global privacy laws specifically require reasonable security for the protection of personal data.
Protecting personal information is not the only legal consideration for data security. The European Union’s Network and Information Security (NIS) Directive and Cybersecurity Act require data protection measures to be in place for all data, whether or not it is personal information. New York’s Department of Financial Services regulations require a specifically structured cybersecurity plan that focuses on systems rather than data classifications.
In practice, though, organizations rarely segregate data into separate systems designed to meet security protocols applicable only to a given data classification. Instead, a single information systems security plan is put in place that is reasonable in light of all of the classifications of data it will hold.
What is reasonable security?
Despite the prevalence of the term reasonable security in privacy and data security regulation, there is no defined standard or engineering control set attached to the term. Instead, the law indicates that reasonable security is comprehensive in that it includes controls for physical, administrative, and technical safeguards. What those safeguards are depends on the type and nature of the data in question, the risks associated with the information systems, the impact on people or businesses, and industry best practices in information security. Despite this level of ambiguity, regulators and courts recognize the following areas as being integral to reasonable security.
Encryption
Encryption is recognized as a means by which the risk associated with a security incident can be mitigated. Encrypting data reduces the likelihood that any data obtained as the result of a security incident can be used to harm individuals or entities. This includes both encryption during the transmission of data and the encryption of data at rest (in a stored state). Find more information on encryption in general as well as NetApp encryption solutions.
Authentication and authorization controls
Global privacy principles recognize both purpose specification and use limitation as foundational to protecting personal information. These principles are typically met through restrictions on who can access personal information, and under what circumstances they can access it. Controlling access necessarily requires that the person authorized to access personal information is authenticated to make sure that they are who they claim to be. NetApp provides a variety of account management tools for managing access and authentication, to help customers manage access to personal information.
Breach reporting
A data breach is broadly understood to be a violation of security protocols that leads to the loss, alteration, or disclosure of data, or unauthorized access to it. When that data is personal information, this is called a personal information breach. Notification of personal information breaches is a common legal requirement, as well as common practice. NetApp is committed to meeting these legal obligations and to empowering our customers to do the same through NetApp Cloud Data Service Terms, which commit to reporting all security incidents, regardless of whether the affected data is personal information.
Data loss prevention
Data loss prevention (DLP) is a system of tools and protocols used to protect data from loss, theft, or unauthorized manipulation. A DLP program typically consists of protocols to detect and respond to unauthorized access to data, prevent unauthorized modification of data, and recover lost data. NetApp offers a variety of tools to help our customers protect against data loss, including audit logging, software to comply with strict records retention requirements, and other functionality to mitigate ransomware attacks.
Patch management
Patch management is a system of tools and protocols used to acquire, test, and install changes (patches) that update, fix, or improve software or its ancillary data. Patches are typically released to address known issues within software or data, such as a software bug or a security vulnerability. NetApp is committed to providing information about patches that address the security of personal information.