Data Retention Moves to the Forefront of Security with NYCRR Part 500 and GDPR
Security regulations seemingly continue to grow without regard to whether technology exists that can address the essence of the requirement, or whether that requirement conflicts with other current regulations or laws.
Two recent regulations, NYDFS NYCRR Part 500 and the EU’s General Data Protection Regulation (GDPR), provide an interesting view of what lawmakers are trying to accomplish and the criteria they are using. NYDFS NYCRR Part 500 focuses on the financial vertical and provides basic, clear security controls, while GDPR focuses on the data rights of individuals, including the ability to have audit records modified or deleted.
NYCRR clarifies the Sarbanes-Oxley Act (SOX) for financial institutions doing business in New York. Security professionals have long referred to SOX, especially for data retention, but SOX defines no security controls around the retention of security logs. SOX focuses on tracking access to corporate financial records, and those access records do not include intrusion detection, firewall and network logs. NYCRR, by contrast, lists actual controls and objectives. For instance, it has a definitive data retention requirement to store security-related data for three (3) years. While it addresses financial institutions in New York, NYCRR Part 500 is clearly helping to define the requirements for businesses nationwide.
GDPR is the other major piece of legislation that has created buzz, most notably for its financial penalties. Unlike NYCRR, it is focused on an individual’s right to control their personal data. Some of the requirements are written in a completely undefinable manner, such as setting criteria for hindering artificial intelligence from delineating identity, but the overall requirements focus on the ability to delete a person’s relationship to the data. Part of this relationship is that individuals must give explicit consent (opt-in) before audit can occur. This covers any form of digital recording, including a company’s video surveillance, creating the impossible task of gaining explicit approval from everyone recorded.
What is interesting about both regulations is their heavy focus on retained data. NYCRR focuses on retaining audit data, while GDPR focuses on when collection is not allowed and on the removal of audit data when requested. That creates a Doctor Dolittle “pushmi-pullyu” (Push-Me-Pull-You) situation. On one hand, more responsibility is being given to non-government entities to maintain records for legal purposes; the ability to audit and review data is critical to the ability to detect and respond. On the other hand, we are restricting the ability to identify who is committing a crime unless permission has been obtained first. A “no trespassing” or “you are being monitored” sign is no longer enough. And at any moment, an individual can ask for their data to be removed.
With data breaches being discovered an average of 210 days after the initial breach, it is clear that retention of security logs must extend to multiple years for both companies and law enforcement. Given the complexity of attacks, the scope of this recording needs to be as large as possible. A focus on data retention requirements is long overdue. What will be difficult is determining exactly what to record.
It is an illusion to think that only certain data is security data. All data is security data. When a crime is committed, law enforcement may rely on commercial cameras and telephony data to collect evidence. An organization needs to look no further than the FedEx footage of the San Antonio serial bomber and the use of IP addresses to find him. Under GDPR this data would be poison fruit, unlawfully collected because the individual did not consent to being monitored by a commercial entity. But there is a counter argument that these companies need this data to protect their business and employees from harm. Where is the line? It is undefined.
What is the Result?
These regulations highlight the importance of audit. The ability to identify a person, relate their actions, and derive understanding from this data is a security, financial and marketing need. The ability to collect huge amounts of this data reveals trends and outliers for marketing. The ability to remember each record allows organizations to track activity right down to a particular person. However, there is always an opposing force, and clear lines certainly aren’t drawn yet. While we strive for accountability in security and finance, as a society we strive for anonymity for protection – protection not just from marketing, but from identity theft and stalking.
While the NYDFS NYCRR Part 500 requirement is well scoped, the GDPR is not. But the existence of these laws shows that governments are trying to determine what can be collected, how long it must be retained, and when it is to be deleted. In the end, to the security professional, it means there is another policy to write (an audit policy) and more contradiction between government entities to appease.
Chris Jordan is CEO of College Park, Maryland-based Fluency (www.fluencysecurity.com), a pioneer in security audit and automation technology for security operations centers.