Safeguarding the privacy of client data isn’t just good business – in many cases, it’s the law. De-identifying or encrypting confidential data are ways to protect privacy and support compliance with regulations like HIPAA, DDP, PIPEDA, PCI DSS and others.
However protecting sensitive data is good business practice. Leaking confidential customer, financial and employee data can lead to significant financial, legal and reputational losses. While data protection is strongly enforced in production systems, the same rigor is often not applied to non-production test and development systems.
Managing Risk and Privacy
To protect organizations against unauthorized access to sensitive data that can result in regulatory sanctions and impact corporate reputations, IT organizations need to focus on risk avoidance, awareness and mitigation. Using scrambled, encrypted or otherwise masked data on sensitive fields can avoid the risk of compromising personal data. Sensitive personal data is loosely defined as data that can identify an individual; masking names, addresses, phone and social security numbers eliminate the personal nature of the data in test and development environments. CIO’s and senior IT management need to better understand the rules and regulations governing data privacy and implement active security policies that ensure data is secure by masking data wherever possible. When masking is not an option, documentation and a complete auditing system is required to prove compliance.
In the EU, the European Data Protection Directive (Directive95/46/EC) states that Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or data concerning health or sex life. The provision also assigns liability to companies who misuse data and allows that any person who has suffered damage as a result of an unlawful data processing operation to receive compensation from the violating party. The United States is not far behind the EU with privacy legislation of its own. The Health Insurance Portability and Accountability Act (HIPPA), Children’s Online Privacy Protection Act (COPPA), and the Fair Right to Financial Privacy Act are just a few of the Federal privacy laws being enacted and many states are enacting their own state privacy regulations. Wikipedia maintains a page on privacy, for further information see here.