
State Security Breach Notification Laws

April 26th, 2010 rfernandez

Forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands now have laws in place that require notification when an individual’s confidential information has been compromised. Mishandled medical records, social security numbers, credit card numbers and the like trigger mandatory notification. The National Conference of State Legislatures (NCSL) has a listing of all the State Security Breach Notification Laws on their Web site.

To safeguard personal or sensitive data whose transmission could trigger the security breach notification laws, companies should deploy security systems that adequately identify personal information in any electronic transmission and, if necessary, block or encrypt the transmission. In evaluating and deploying such security systems, consideration should be given to systems that can perform the following actions:

  • Registration and discovery – Companies should be able to devise and implement a set of rules that identify whether or not data is sensitive or personal. This is done with network-based appliances and/or software that allows companies to define policies identifying the data (using techniques such as database fingerprinting, file fingerprinting, exact file matching, pattern matching, regular expressions, and lexicons/dictionaries), and then safely import that data in a way that provides high-speed data inspection and confirmation of a “match” when sensitive data transmissions are detected.
  • Data inspection – The system should be able to inspect data in storage, on servers, as it travels over the network, and as it is used on desktop systems. This requires the system to be able to identify data even when it is enclosed within a compressed archive, part of a PDF file, part of a document such as a spreadsheet, presentation, word processor document, or transmitted via e-mail, webmail, and even a “Web 2.0” application.
  • Data blocking – The system should be able to block the transmission of sensitive data whenever necessary. This is especially important for web-based e-mail systems and “Web 2.0” applications, which are often encrypted and a rapidly growing conduit for data loss.
  • Data encryption – The system should be able to encrypt sensitive data before it is transmitted to outside recipients via approved corporate email solutions. The method used to encrypt the email message should be easy for the recipient to comprehend, and the process for securely decrypting the message should be straightforward.
  • User notification – Users should be notified when they are attempting to send sensitive or personal data and the violation is deemed to be minor. Most sensitive data transmissions are inadvertent, so notification helps users understand why their transmission was blocked and modify their behavior going forward to comply with corporate policy. For more severe violations, the solution should be able to block the transmission and alert administrators immediately.
  • Logging and reporting – IT administrators should be able to generate detailed logs and reports on encryption and transmission blocking-related activities in order to prove compliance with the statute.
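The following is an added example, written for this post and not code from the original page or from any DLP vendor's product, that shows how the capabilities in the list above fit together in the simplest possible form: a registered policy (a regular-expression rule for social security numbers, a pattern rule for payment card numbers backed by a Luhn check, and a small lexicon), inspection that recurses into a compressed archive so data cannot hide inside one, a severity-based decision between notifying the user and blocking the transmission, and an audit record for reporting. The rule patterns, the severity mapping, the depth and size limits and the sample attachment are all assumptions constructed for the example.

```python
"""Toy DLP content inspector (added example; assumptions are marked)."""
import io
import re
import zipfile
from dataclasses import dataclass

# --- Registration: policy rules (assumed patterns, constructed for this example) ---
# SSN rule: 3-2-4 digits, rejecting area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card rule: 13-16 digits optionally separated by spaces or dashes; confirmed with Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# Lexicon/dictionary rule: terms that suggest medical content (minor severity).
LEXICON = ("diagnosis", "patient", "medical record")


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum used to confirm a candidate card number (cuts false positives)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    rule: str
    severity: str   # "minor" -> notify the user, "severe" -> block and alert admins
    location: str   # file or archive member where the match was found


# --- Inspection of one text unit against the registered rules ---
def inspect_text(text: str, location: str) -> list[Finding]:
    findings = []
    for _ in SSN_RE.finditer(text):
        findings.append(Finding("ssn", "severe", location))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append(Finding("payment_card", "severe", location))
    lowered = text.lower()
    for term in LEXICON:
        if term in lowered:
            findings.append(Finding(f"lexicon:{term}", "minor", location))
    return findings


# --- Inspection of a blob, descending into zip archives (assumed limits) ---
def inspect_blob(name: str, data: bytes, depth: int = 0, max_depth: int = 3) -> list[Finding]:
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= max_depth:            # refuse to recurse forever into nested archives
            return [Finding("archive_too_deep", "severe", name)]
        findings = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{name}!{info.filename}"
                if info.file_size > 10_000_000:   # assumed cap against zip-bomb style members
                    findings.append(Finding("member_too_large", "severe", member))
                    continue
                findings += inspect_blob(member, zf.read(info), depth + 1, max_depth)
        return findings
    # Non-archive content is treated as text; real products also parse PDF/Office formats.
    return inspect_text(data.decode("utf-8", errors="ignore"), name)


# --- Decision: minor violations notify the user, severe ones are blocked ---
def decide(findings: list[Finding]) -> str:
    if not findings:
        return "allow"
    if any(f.severity == "severe" for f in findings):
        return "block"
    return "notify"


# --- Logging: one audit record per inspected transmission, for compliance reporting ---
def build_audit_record(sender: str, recipient: str, attachment: str, data: bytes) -> dict:
    findings = inspect_blob(attachment, data)
    return {
        "sender": sender,
        "recipient": recipient,
        "action": decide(findings),
        "rules": sorted({f.rule for f in findings}),
        "locations": sorted({f.location for f in findings}),
    }


def make_sample_zip() -> bytes:
    """Constructed sample attachment: a spreadsheet export with an SSN inside an archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.csv", "name,ssn\nJane Doe,123-45-6789\n")  # constructed data
        zf.writestr("readme.txt", "Quarterly numbers attached.\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(build_audit_record("alice@example.com", "vendor@example.net", "q1.zip", make_sample_zip()))
```

The decision step mirrors the post's distinction between minor violations (the user is told why the message needs changing) and severe ones (the transmission is blocked and an administrator alerted), and the audit record is the raw material for the logging and reporting requirement. A production system would add fingerprinting of registered databases and files and real parsers for PDF and Office formats rather than the plain-text fallback used here.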

These data loss prevention (DLP) requirements can be met today with Code Green Network TrueDLP. Companies considering DLP and email encryption solutions should look for holistic systems that not only offer a comprehensive feature set, but which can be deployed relatively easily and quickly at a reasonable cost.
