New Regulations Set to Snare Data-Handlers into Compliance

Steve Jurczak

Now that the General Data Protection Regulation (GDPR) has become more firmly entrenched in the EU, several states in the U.S. are introducing similar data governance measures that will impose extra obligations on businesses that handle consumer data in those jurisdictions. California, Colorado, Connecticut, Utah, and Virginia all have new or amended data consumer privacy laws that have already gone into effect or are expected to by year's end.

Control vs. controllers

While most data privacy laws focus on giving consumers greater insight into and control over their personal data, they also require data controllers and processors to protect the security and integrity of the data they handle on consumers' behalf. All five new state privacy laws require data controllers and processors to protect the information they process with reasonable data security measures. What constitutes "reasonable" remains up for debate, but recent trends point toward an information security program that goes beyond current safeguard requirements and takes a more strategic approach grounded in risk assessment.

Sectors like financial services and healthcare have long been accustomed to mandatory data security measures since both industries are subject to regulatory regimes — the Gramm-Leach-Bliley Act (GLBA), Financial Industry Regulatory Authority (FINRA), and the Payment Card Industry (PCI) for financial institutions, and the Health Insurance Portability and Accountability Act (HIPAA) for healthcare organizations. But gradually, the expansion of existing regulations and the introduction of new privacy laws at the state level are pulling in more of the businesses that operate in those jurisdictions. First, in 2013, the Omnibus Rule expanded the definition of a "business associate" to include all entities that create, receive, maintain, or transmit patient data on behalf of a covered entity as defined by HIPAA. So, businesses that were not previously subject to HIPAA became bound by its requirements for safeguarding protected health information (PHI) if they held any PHI in their systems or conducted any transactions involving it. The Omnibus Rule was an early indicator that regulatory bodies would be casting a wider net to include not just traditional industry organizations but also the data handlers that sit squarely in the middle of the data supply chain. Now, with more state consumer data privacy laws rolling out, more businesses will be required to implement reasonable security safeguards to protect sensitive data anywhere in their systems.

What's reasonable security?

The National Institute of Standards and Technology (NIST) Cybersecurity Framework helps organizations better understand, manage, and mitigate cybersecurity risks. It encourages adaptability in the face of an evolving threat landscape and emphasizes the importance of data resilience measures to ensure the protection of critical assets and information. It is widely adopted across several industries as a basis for strengthening cybersecurity practices. The Center for Internet Security (CIS) also publishes security controls that some state attorneys general cite as the minimum level of information security that data handlers should meet.

One of the universal threads running through most cybersecurity frameworks like those from NIST and CIS is the importance of data resilience. Data resilience is crucial because it ensures that important personal data like patient health records and bank customers' financial records remain available and intact, even in the face of unexpected events, such as hardware failures, cyberattacks, or natural disasters. It safeguards business continuity, preserves information integrity, and maintains trust by reducing the risk of data loss or downtime.

Aside from the reputational harm that comes from being the victim of a cybersecurity event like a ransomware attack or data breach, there's an increasing risk that affected businesses will be subject to regulatory enforcement in the form of fines for running afoul of new restrictions.

Security features and controls in MongoDB

At MongoDB, we are intimately familiar with technical safeguards related to sensitive data and regulatory requirements as they relate to data security. MongoDB Atlas is designed for the needs of businesses in regulated industries. Atlas is a global, multi-cloud application data platform built around a resilient, performant, and scalable distributed database designed to ensure important data remains intact and available. Atlas is architected to provide automated database resilience and mitigate the downtime risks associated with hardware failures, unintended actions, and targeted attacks. Atlas clusters offer continuous cloud backups and multi-region clusters for database redundancy as well as multi-cloud clusters for cross-cloud database resilience.

Atlas automatically distributes data across clouds based on how you've configured it, making managing multi-cloud clusters extremely easy. Multi-cloud cluster deployments are particularly relevant for organizations that must comply with data sovereignty regulations but have limited deployment options due to sparse regional coverage from their primary cloud provider.

With MongoDB Atlas, administrators can encrypt MongoDB data in transit over the network and at rest in permanent storage and backups. For data in transit, support for TLS allows clients to connect to MongoDB over an encrypted channel. Data is automatically encrypted at rest through transparent disk encryption at all three major cloud providers: AWS, Google Cloud, and Microsoft Azure. Additionally, MongoDB's in-use encryption technologies, client-side Field-Level Encryption (FLE) and Queryable Encryption, enable administrators to selectively encrypt sensitive fields, each optionally secured with its own key. Every encrypted field on the server, whether held in memory, written to system logs, stored at rest, or captured in backups, exists only as ciphertext; it is unreadable to any party there and is decrypted only on the client side using the encryption keys.

MongoDB also offers a complete set of administrative features that enable organizations to create, deploy, and manage policies for data access according to their own internal requirements, including database authentication, multi-factor authentication (MFA), and role-based access control (RBAC).

Of course, no business wants to lose data, and every business would prefer to avoid the reputational harm that comes from data breaches or from having data held for ransom. With the potential for hefty fines for running afoul of new privacy legislation, businesses have even more reason to implement protective measures that ensure the resilience of their systems. As regulatory creep continues to expand across the data landscape, businesses must take it upon themselves to make data integrity and resilience high priorities across the organization.

For more information on data resilience features in MongoDB Atlas, download our Data Resilience Strategy with MongoDB Atlas whitepaper.