What is data protection?
Data protection embodies all of the people, tools, and practices used to keep data safe from both accidental and deliberate misuse. Companies that store and process data have strong incentives to protect it, since misuse can have serious business consequences, up to and including total business failure. Companies that fail to protect their data commonly face legal action, regulatory fines, and loss of customer trust.
Best practices to protect your customer data
1. Have a team dedicated to cybersecurity and risk management
A dedicated cybersecurity and risk management team will design data management systems that are purpose-fit for the types of data that you store and process. Understanding risk is the first step to defining which tools and processes your company needs to bring online. Once risk is well understood, the next step is adopting relevant cybersecurity frameworks and executing their policies. Should you adhere to SOC 2, ISO 27001 (security) and 27701 (privacy), or other control sets? Your risk assessment will guide you. Risk assessments need to be repeated periodically so that your risk mitigation strategies and cybersecurity posture don’t go stale as your business evolves.
Learn more about best risk management and cybersecurity practices.
2. Classify your data according to the business risk of misuse
Assign risk categories to your data that map to the expected business impact if the data were leaked or otherwise misused. For example, misuse of customer data stored in production systems is far more damaging to your business than misuse of internal data like your employee handbook.
A data classification rubric could look something like this:
Highly Confidential: we could go out of business
Example: customer data
Confidential: bad but we'll survive
Examples: company financial data, product source code
Internal Use: embarrassing or uncomfortable
Examples: vendor lists, customer lists
Public: no risk
Examples: content that would otherwise be published on your website or blog
3. Adopt the principle of least privilege for data access
Your employees should only be able to access the data required to perform their job functions, and only for as long as they need it to do their work. Limiting each user's access rights to the bare minimum reduces the potential damage from both accidents and breaches, because a compromised or careless account can only reach the data it was granted.
Least-privilege access also applies to access between systems. For example, backend servers may be able to access some databases but not others. Limiting access between parts of a system helps maintain system stability by preventing services from altering data they have no reason to touch, and it limits the blast radius if one service is compromised.
4. Have clear policies on data retention and deletion (and automate them)
How long is your data stored? And what are the expectations for how quickly you can access your data over time?
Define retention periods for every category of data, and where appropriate define storage tiers (for example hot, warm, and cold storage) that determine how quickly data can be retrieved as it ages. Automate both deletion once the retention period expires and the transitions between tiers, so that enforcement does not depend on someone remembering to run a cleanup.
Your data retention policy should also require that all data is encrypted at rest and in transit for as long as it is retained.
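As an added example (not code from the original page or from Fullstory), here is a small retention engine that turns a per-classification policy into concrete keep, move, and delete actions for a batch of records. The classification names, the tier durations, and the sample records are all assumptions constructed for the example; a real deployment would read the policy from configuration and execute the actions against the storage backend.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical retention policy keyed by the classification rubric above.
# Each entry lists (tier, days spent in that tier); once the last tier
# is exhausted the record is deleted.
RETENTION_POLICY = {
    "highly_confidential": [("hot", 30), ("warm", 60), ("cold", 275)],  # gone after 365 days
    "confidential":        [("hot", 90), ("cold", 640)],                # gone after 730 days
    "internal":            [("hot", 365)],
    "public":              [("hot", 3650)],
}


@dataclass
class Record:
    id: str
    classification: str
    created: date
    tier: str  # tier the record currently lives in


def tier_for_age(classification, age_days):
    """Return the tier a record of this age belongs in, or None if it must be deleted.

    Unknown classifications raise rather than defaulting to a lenient policy,
    so unclassified data cannot silently be retained forever.
    """
    policy = RETENTION_POLICY.get(classification)
    if policy is None:
        raise ValueError(f"no retention policy for classification {classification!r}")
    elapsed = 0
    for tier, days in policy:
        elapsed += days
        if age_days < elapsed:
            return tier
    return None


def plan_actions(records, today):
    """Compute one action per record: 'keep', 'move:<from>-><to>', or 'delete'."""
    actions = []
    for r in records:
        age = (today - r.created).days
        target = tier_for_age(r.classification, age)
        if target is None:
            actions.append((r.id, "delete"))
        elif target != r.tier:
            actions.append((r.id, f"move:{r.tier}->{target}"))
        else:
            actions.append((r.id, "keep"))
    return actions


# Constructed sample inventory (not real data).
TODAY = date(2024, 6, 30)
SAMPLE_RECORDS = [
    Record("r1", "highly_confidential", date(2024, 6, 15), "hot"),   # 15 days old
    Record("r2", "highly_confidential", date(2024, 3, 1), "warm"),   # 121 days old
    Record("r3", "highly_confidential", date(2023, 1, 1), "cold"),   # 546 days old
    Record("r4", "internal", date(2024, 1, 1), "hot"),               # 181 days old
]

if __name__ == "__main__":
    for record_id, action in plan_actions(SAMPLE_RECORDS, TODAY):
        print(record_id, action)
```

Run on a schedule, the planner's output becomes the work list for a job that actually moves and deletes objects; keeping the decision logic separate from the storage calls makes the policy easy to test and to audit.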
5. Train staff on data protection expectations
Periodic mandatory training sessions for all company employees will reinforce good data management hygiene and help keep data protection at the top of everyone’s mind. A security awareness program should be established and maintained by your dedicated cybersecurity and risk management team.
Everyone at your company should know:
How to properly access data
How to spot potentially malicious emails or social media messages and what to do when they receive them
The latest trends in cybersecurity and security vulnerabilities
6. Use Single Sign-On (SSO) with Multi-Factor Authentication (MFA) with any application that stores or processes data
SSO enables a single point of management for all logins to the tools your company uses to access its data. SSO providers support MFA, which requires a second form of authentication (such as a one-time code or a hardware security key) and further limits the opportunity for unauthorized access, including when a password has been phished. One of the functions of your cybersecurity and risk management team will be to audit your tools and ensure that they are all under the SSO+MFA umbrella.
How is data protection different from data privacy?
Data protection is owned by IT security teams. Their goal is to safely store and control access to all manner of data, including highly sensitive data. They are responsible for mapping data classification protocols to cloud and on-premises infrastructure (servers, networks, databases, etc.) and enforcing data governance processes.
Data privacy is owned by business and legal teams. Legal teams want to ensure that data is captured in accordance with local laws and regulations. Business teams want to eliminate the reputational risk associated with the misuse of sensitive customer data. These teams define the governance, controls, and guidance that determine what data may be transmitted to and stored in internal or external systems and how that data may be processed.
The importance of data privacy
A good data privacy posture is necessary to ensure goodwill between a business and the customers whose data they manage. Being good stewards of customer data helps you maintain trust that you are handling data securely, limiting risk to your customers while allowing them to maximize the value of their data.
Fullstory’s data protection and privacy practices are published in a single location, available for all of our customers and partners to review: https://trust.fullstory.com/.
Data privacy regulations & standards to know
The General Data Protection Regulation (GDPR)
Adopted by the European Union in 2016 and in force since May 2018, GDPR is designed to give people in the EU control over their personal data and to unify the regulatory environment around data for international businesses. It applies to all companies processing the personal data of data subjects in the EU, regardless of the company's location. Due to this stipulation, many international businesses (Fullstory included) have adopted data management systems and policies to ensure they meet GDPR's requirements for data protection and privacy.
GDPR enumerates the set of rights granted to individuals (“data subjects” in GDPR parlance) regarding their personal data. These rights include the right to be informed of how their personal data is used, the right to restrict the usage of their personal data, and the right to have their personal data erased from a company’s systems (aka “the right to be forgotten”).
GDPR also defines the relationships between business entities that manage personal data and the legal guidelines that govern their behavior. There are two types of entities that manage personal data: Data Controllers and Data Processors.
Data Controllers determine why and how personal data should be processed and are primarily responsible for ensuring the processing complies with GDPR. They are also responsible for managing data subject rights.
Data Processors process personal data on behalf of the controller. Data processors could be IT firms, payroll companies, or any other service provider that handles personal data. They have a legal obligation to protect personal data from misuse.
Some businesses, like Fullstory, may act as both a Data Controller and a Data Processor within the realm of GDPR compliance. More details about Fullstory’s GDPR compliance can be found here.
California Consumer Privacy Act of 2018 (CCPA)
Both GDPR and CCPA aim to protect personal data. Whereas GDPR applies to all businesses that interact with EU residents regardless of where the business is located, CCPA applies to for-profit businesses that do business in California and meet at least one of its thresholds: annual gross revenues exceeding $25 million; buying, selling, or sharing the personal information of 100,000 or more California residents or households; or deriving half or more of annual revenue from selling or sharing California residents’ personal information.
CCPA has a slightly different data focus than GDPR: whereas GDPR is focused on data about identified or identifiable individuals, CCPA focuses on personal information, meaning data that could reasonably be linked with an individual or their household. Personal information includes names, Social Security numbers, email addresses, records of products purchased, internet browsing histories, geolocation data, fingerprints, and inferences drawn from other personal information that could create a profile of an individual's preferences and characteristics.
Both GDPR and CCPA enumerate a set of rights granted to individuals about the processing of their data. There is some overlap (like “the right to be forgotten”) but generally speaking the scope of rights in GDPR is larger than CCPA, while CCPA contains a specific provision granting California residents the right to opt-out of having their data sold or shared between businesses.
Fullstory has published a privacy notice for Californians identifying the personal information we collect from our customers, in accordance with the CCPA: https://www.fullstory.com/legal/ccpa/
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a US federal law enacted in 1996 that, through its Privacy Rule and Security Rule, establishes standards to protect patients' medical records and other health information held by health plans, doctors, hospitals, and other health care providers. Title II of the law (its Administrative Simplification provisions) specifically addresses the security and privacy of health data and is the basis for the regulations that protect Protected Health Information (PHI). The goal of HIPAA Title II is to define standards for securely exchanging digital healthcare information throughout the US healthcare system.
Health or medical history data that is combined with any one of 18 identifiers is PHI and falls under the purview of HIPAA compliance. These identifiers include names, email addresses, and telephone numbers, all of which are also generally considered Personally Identifiable Information (PII).
HIPAA declares that a company hired to handle PHI is a Business Associate (BA). Under HIPAA, covered entities like healthcare providers and insurers must have contracts in place with their Business Associates, ensuring that they use and disclose PHI properly and safeguard it appropriately. This type of agreement is called a Business Associate Agreement (BAA) and it outlines how PHI will be safeguarded between two HIPAA-regulated organizations. Fullstory provides a BAA to support our Customers’ HIPAA obligations when using our services. More information about Fullstory’s BAA can be found here: https://help.fullstory.com/hc/en-us/articles/17635706856599-Business-Associate-Agreement-BAA.
ISO 27701
ISO 27701 is a Privacy Information Management System (PIMS) standard that establishes guidelines intended to satisfy the requirements of data privacy laws like GDPR and CCPA. These and other data privacy laws define what is expected of organizations within their jurisdiction; ISO 27701 describes how organizations can meet those expectations. It defines a standard set of privacy controls for protecting PII in accordance with applicable privacy law.
ISO 27701 is an extension of ISO 27001, the industry standard for information security management. An organization cannot be ISO 27701 certified without first being ISO 27001 certified. An organization certified against both standards is demonstrating that it has the right people, processes, and tools in place to provide strong data protection and data privacy for its customers.
Read more about Fullstory’s ISO 27701 certification.
Fullstory has also been certified as ISO 27018 compliant. ISO 27018 is a cloud-specific code of practice, built on the ISO 27002 controls, for public cloud service providers that process PII on behalf of their customers.
Read more about Fullstory’s ISO 27018 certification.
Threats or challenges to data protection & privacy
Phishing, malware, and ransomware
These attacks use social engineering to trick your employees into either disclosing sensitive information, like their company account login credentials, or installing malicious software on your company IT systems.
Did you just get an email from Facebook to your work email address, asking you to change your password? Don’t click! This is likely a phishing attempt to harvest your credentials.
Did you just get an email from Bank of America congratulating you on receiving an offer for a checking account with a $300 pre-seeded balance? Don’t click! You could accidentally install ransomware that locks you out of your files and spreads to other machines in your corporate network.
And never open attachments without verifying the sender first!
Phishing, malware, and ransomware can lead to unauthorized access to your data or to data loss.
Software vulnerabilities
Software vulnerabilities can be introduced in several ways, including:
Unpatched operating systems
Out-of-date dependencies on third-party code libraries
Insecure coding practices like building queries or commands from unvalidated user input (which leads to injection attacks such as SQL injection)
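To make the injection point concrete, here is an added example (not code from the original page or from Fullstory) showing a lookup that concatenates user input into SQL beside the parameterized version of the same query. The table, the rows, and the attacker payload are constructed for the example; the same pattern applies to any database driver that supports bound parameters.

```python
import sqlite3


def make_db():
    """Create an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [("alice@example.com", "admin"), ("bob@example.com", "user")],
    )
    return conn


def find_user_vulnerable(conn, email):
    """Vulnerable: the caller's string becomes part of the SQL text, so quotes
    and operators inside it are parsed as SQL rather than as data."""
    query = f"SELECT email, role FROM users WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, email):
    """Hardened: the value is bound as a parameter. The driver sends it
    separately from the statement, so it can never change the query's structure."""
    return conn.execute(
        "SELECT email, role FROM users WHERE email = ?", (email,)
    ).fetchall()


# Constructed attacker input: closes the quoted literal and appends a
# condition that is always true, turning a single-row lookup into a dump.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", find_user_vulnerable(conn, PAYLOAD))  # every row
    print("safe:      ", find_user_safe(conn, PAYLOAD))        # no rows
```

Input validation on top of this is still worthwhile (an email field should look like an email), but parameterization is the control that actually removes the vulnerability, because it does not depend on anticipating every dangerous character.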
Misconfigured infrastructure
The resources that host code and store data are another area that can expose vulnerabilities if not managed well. Signs of misconfigured infrastructure include:
Storing data at rest in an unencrypted format
Leaving network ingress ports open to the public internet
Storing credentials, API keys, and private keys outside a dedicated secrets manager or key store (for example in source code or configuration files)
Widely used references like the OWASP Top 10 for web application security catalog the most common classes of risk you need to be aware of.
You can find additional guidance for what a strong data protection operation looks like thanks to this guide written by Mark Stanislav, Fullstory’s VP of Security Engineering.
Leveraging advanced technologies for data privacy
Data privacy controls for behavioral data
Behavioral data analytics tools like Fullstory capture a variety of user experience data including clicks, mouse movements, displayed content, and form data. Some areas of a site or app may contain PII. This data is not useful for the purposes of analytics and so can be left out of capture.
Fullstory has several ways to ensure that only data intended for behavioral analysis makes its way into our customers’ accounts:
Default data exclusion rules: Any password field, credit-card field or hidden input will be excluded from data capture, which means it will not leave users’ devices and will not be sent to Fullstory servers.
Configurable data masking and exclusion rules: Customers can selectively determine which elements in the user interface are either excluded or masked. Neither excluded data nor masked data will be sent to Fullstory; the difference is in how the element renders during session replay and in heatmaps in the Fullstory application.
Form privacy: No form data will be sent to Fullstory servers and all form inputs will either be masked or excluded.
Private by Default: All text content in the UI is masked, with the ability for customers to selectively unmask elements. Additional data masking and exclusion rules can be applied as needed.
Network data redaction: Field values are blocked in network request and response bodies by default and selected field values can be blocked from URL query strings. This ensures that any PII that might travel from a UI to a backend service is not captured by Fullstory.
Data capture with consent: Fullstory provides a consent API for web browsers and mobile apps that our customers may use to proceed with data capture only upon user consent.
More details about Fullstory’s data privacy capabilities can be found here.
Using AI to enhance data privacy and protection controls
New techniques that use Artificial Intelligence and Machine Learning are being developed to further safeguard user data from misuse and to help organizations manage data privacy more effectively.
Threat detection
AI can continuously monitor the data flowing through data management systems and flag potential attacks in near real time. Flagged data can then be automatically blocked or quarantined for further investigation. For example, models can detect SQL injection and cross-site scripting (XSS) payloads by examining text inputs and URL parameters. Once a payload is detected, automation can determine the best course of action to shut the attack down.
In an effort to help our customers uncover suspicious activity, Fullstory provides a filter to search for suspicious activity in your data. XSS and SQL injection attacks can be analyzed in your behavioral data streams.
More information about Fullstory’s suspicious activity detection can be found here.
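The simplest form of the input inspection described above is a signature scan over the URL parameters and form inputs in each captured event. The example below is added here and is not code from the original page or from Fullstory; the patterns, the event shape, and the sample events are all constructed for illustration. A signature set like this catches the textbook payloads and is a useful first filter, but it will miss obfuscated input and can misfire on legitimate text, which is why the page's point about models trained on real traffic matters.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Hypothetical signature set: a handful of classic SQL injection and XSS shapes.
SIGNATURES = {
    "sqli": [
        re.compile(r"'\s*(?:or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I),  # ' OR '1'='1
        re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),           # UNION SELECT
        re.compile(r";\s*(?:drop|delete|update|insert)\b", re.I),       # stacked statement
        re.compile(r"'\s*(?:--|/\*)"),                                  # quote then comment
    ],
    "xss": [
        re.compile(r"<\s*script\b", re.I),
        re.compile(r"\bon(?:load|error|click|mouseover|focus)\s*=", re.I),
        re.compile(r"javascript\s*:", re.I),
    ],
}


def normalize(value, rounds=3):
    """Undo repeated URL-encoding so %2527 and %27 both end up as a quote.

    Attackers double-encode to slip past single-pass filters; decoding until
    the value stops changing (bounded) closes that gap.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value):
    """Return the sorted list of signature categories that match a value."""
    value = normalize(value)
    return sorted(
        category
        for category, patterns in SIGNATURES.items()
        if any(p.search(value) for p in patterns)
    )


def scan_event(event):
    """Scan one captured event {url, inputs} and return (location, category) findings."""
    findings = []
    for name, value in parse_qsl(urlsplit(event["url"]).query, keep_blank_values=True):
        for category in classify(value):
            findings.append((f"url:{name}", category))
    for name, value in event.get("inputs", {}).items():
        for category in classify(value):
            findings.append((f"input:{name}", category))
    return findings


# Constructed sample events (not real traffic).
SAMPLE_EVENTS = [
    {"url": "https://shop.example.com/search?q=running+shoes",
     "inputs": {"name": "Ana O'Neil", "comment": "Size runs small, and returns were easy"}},
    {"url": "https://shop.example.com/search?q=%27+OR+%271%27%3D%271", "inputs": {}},
    {"url": "https://shop.example.com/search?q=%2527%2520OR%25201%253D1", "inputs": {}},  # double-encoded
    {"url": "https://shop.example.com/product/42",
     "inputs": {"comment": "<script>alert(document.cookie)</script>"}},
    {"url": "https://shop.example.com/login?next=javascript:alert(1)", "inputs": {}},
    {"url": "https://shop.example.com/item?id=1%20UNION%20SELECT%20email,role%20FROM%20users--",
     "inputs": {}},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["url"], "->", scan_event(event) or "clean")
```

Note that the benign event contains both an apostrophe (O'Neil) and the word "and", and is still classified as clean because the SQL signature requires the quote, the operator, and a comparison together; tightening signatures this way is what keeps the false-positive rate tolerable.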
Data Loss Prevention (DLP)
DLP generally refers to reducing or eliminating the risk that data leaks to places where it shouldn’t go. AI can detect data that looks unusual for a given context. For example, an algorithm may detect a credit card number in a data stream that is expected to contain only first names. An AI-powered DLP tool continuously inspects data streams, automatically detects data that looks out of place, and quarantines it for further inspection. People can then review the quarantined data to determine whether it is safe to process or should be permanently excluded from processing.
All varieties of data can be found in a user’s browsing session on a web site or mobile app, but only a subset of that data is needed to analyze user experiences with behavioral data. Any captured data outside the scope of behavioral data is a candidate for DLP. Fullstory provides an AI-powered capability to automatically identify and categorize PII originating from your web site or mobile app. Once detected, this data can be triaged and remediated.
Read more about Fullstory’s Detections capability.
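The credit-card-in-a-first-name-field scenario above can be implemented without a model at all, using pattern detectors plus a schema that says which kinds of sensitive data each field is allowed to carry. The example below is added here and is not code from the original page or from Fullstory; the detector set, the schema, and the sample records are constructed assumptions. The card detector validates candidates with the Luhn checksum so that an arbitrary 16-digit order reference is not quarantined as a card number.

```python
import re

# Candidate patterns. Card numbers are 13 to 19 digits, optionally separated
# by spaces or dashes; the regex only proposes candidates, Luhn confirms them.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def detect_types(value):
    """Return the set of sensitive data types found in a single field value."""
    found = set()
    for match in CARD_RE.finditer(value):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            found.add("credit_card")
    if EMAIL_RE.search(value):
        found.add("email")
    if SSN_RE.search(value):
        found.add("ssn")
    return found


def scan_record(record, schema):
    """Return (field, type) pairs for sensitive data the schema does not allow.

    Fields missing from the schema are allowed nothing, so unexpected fields
    carrying PII are flagged rather than silently passed through.
    """
    violations = []
    for field, value in record.items():
        allowed = schema.get(field, set())
        for kind in sorted(detect_types(str(value)) - allowed):
            violations.append((field, kind))
    return violations


def quarantine(records, schema):
    """Split a batch into records safe to process and records held for review."""
    clean, held = [], []
    for record in records:
        violations = scan_record(record, schema)
        (held if violations else clean).append((record, violations))
    return clean, held


# Hypothetical schema: which sensitive types each field may legitimately carry.
SCHEMA = {"first_name": set(), "contact_email": {"email"}, "order_ref": set()}

# Constructed sample records (not real customer data; the card number is a test value).
SAMPLE_RECORDS = [
    {"first_name": "Priya", "contact_email": "priya@example.com", "order_ref": "A-1001"},
    {"first_name": "4111 1111 1111 1111", "contact_email": "sam@example.com"},
    {"first_name": "Lee", "contact_email": "lee@example.com", "notes": "SSN 123-45-6789"},
    {"first_name": "Omar", "contact_email": "omar@example.com", "order_ref": "1234 5678 9012 3456"},
]

if __name__ == "__main__":
    clean, held = quarantine(SAMPLE_RECORDS, SCHEMA)
    print("clean:", [r["first_name"] for r, _ in clean])
    for record, violations in held:
        print("held:", record["first_name"], violations)
```

The fourth record is the interesting one: its order reference looks like a card number to the regex but fails the Luhn check, so it stays in the clean set. The third record shows why unknown fields default to "allow nothing": a free-text notes field that was never in the schema is exactly where stray PII tends to appear.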
Fraud detection
Any application that trades in goods & services or financial transactions is a target for fraud. Malicious actors, often using non-human agents (aka “bots”), will try to find ways to exploit these applications for financial gain.
Examples include:
Quickly wiring money out of compromised bank accounts.
Swarming a discount promotion to receive large quantities of goods at discounted prices, to be resold at a profit on secondary markets.
Behavioral data is rich with potential signals that can be used to determine whether any given website or app user is a customer trying to accomplish a valid use-case or a bot trying to game the system. Unsupervised machine learning models trained on this behavioral data can flag anything unexpected about a particular user’s interaction timing or user journey, which might indicate that a bot rather than a person is driving the session or that the account has been compromised.
As more AI-powered virtual assistants come online, behavioral data fidelity and model sophistication will become ever more important to distinguish between “bad” bots and “good” bots that act as digital surrogates for actual users executing valid use-cases. Fullstory’s Data Direct provides the detailed behavioral data that our customers rely on to build fraud detection models and distinguish good user traffic from bad user traffic. This data can enhance data protection strategies by providing deep insights into user interactions, allowing our customers to identify and mitigate risks before they escalate.
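To show what "unexpected interaction timing or journey" looks like as an unsupervised check, here is an added example (not code from the original page or from Fullstory) that derives two features per session from raw event timestamps and flags sessions whose features are robust outliers relative to the rest of the batch. The features, the threshold, and the sample sessions are constructed assumptions; the robust z-score (median and median absolute deviation) is used instead of mean and standard deviation precisely so that the bot session being scored does not drag the baseline toward itself.

```python
from statistics import median

# Hypothetical feature extractors over a session's (timestamp_seconds, action) events.
def mean_gap_s(events):
    """Average seconds between consecutive events; bots click far faster than people."""
    times = [t for t, _ in events]
    return (times[-1] - times[0]) / (len(times) - 1)


def repeat_ratio(events):
    """Share of events that repeat an earlier action; scripted loops repeat heavily."""
    actions = [a for _, a in events]
    return 1 - len(set(actions)) / len(actions)


FEATURES = {"mean_gap_s": mean_gap_s, "repeat_ratio": repeat_ratio}
Z_THRESHOLD = 3.5  # conventional cutoff for the modified z-score


def robust_z(values):
    """Modified z-score: 0.6745 * (x - median) / MAD, robust to the outliers we hunt for."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        return [0.0 if v == med else float("inf") for v in values]
    return [0.6745 * (v - med) / mad for v in values]


def flag_sessions(sessions):
    """Return {session_id: [feature names]} for sessions that are outliers on any feature."""
    usable = [s for s in sessions if len(s["events"]) >= 2]  # gaps need two events
    flagged = {}
    for name, extract in FEATURES.items():
        zs = robust_z([extract(s["events"]) for s in usable])
        for session, z in zip(usable, zs):
            if abs(z) > Z_THRESHOLD:
                flagged.setdefault(session["id"], []).append(name)
    return flagged


# Constructed sample sessions (not real traffic): six human-paced journeys and one
# scripted promo-abuse loop that hammers apply_promo/add_to_cart every 100 ms.
SAMPLE_SESSIONS = [
    {"id": "h1", "events": [(0, "view_home"), (3, "view_product"), (7, "add_to_cart"),
                            (12, "view_cart"), (18, "checkout")]},
    {"id": "h2", "events": [(0, "view_home"), (2, "search"), (5, "view_product"),
                            (9, "view_product"), (14, "add_to_cart"), (20, "checkout")]},
    {"id": "h3", "events": [(0, "view_home"), (4, "view_product"), (6, "view_product"),
                            (11, "view_cart")]},
    {"id": "h4", "events": [(0, "view_home"), (5, "search"), (8, "view_product"),
                            (13, "add_to_cart"), (19, "checkout")]},
    {"id": "h5", "events": [(0, "view_home"), (3, "view_product"), (5, "view_product"),
                            (9, "view_product"), (12, "add_to_cart"), (16, "checkout")]},
    {"id": "h6", "events": [(0, "view_home"), (2, "search"), (6, "view_product"),
                            (10, "checkout")]},
    {"id": "bot-1", "events": [(0.0, "view_product"), (0.1, "apply_promo"), (0.2, "add_to_cart"),
                               (0.3, "apply_promo"), (0.4, "add_to_cart"), (0.5, "apply_promo"),
                               (0.6, "add_to_cart"), (0.7, "checkout")]},
]

if __name__ == "__main__":
    print(flag_sessions(SAMPLE_SESSIONS))
```

On this batch the bot is caught by timing alone (its repeat ratio is unusual but not extreme against these journeys), which is the typical pattern: no single feature is decisive, so production models combine many of them and retrain as bot behaviour adapts.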
For more details, visit the Fullstory Help Center.