Galaxkey always employs best practices for security

Multiple regulations and compliance frameworks have been created to protect the sensitive, private and confidential information that organisations store and handle. Some apply to every organisation; others are tailored to particular sectors. Between them they cover a wide range of concerns, from data loss to unauthorised disclosure.

The central concern of these regulations is the protection of data, both at rest in storage and in transit across networks, internal and external. Few of them prescribe a specific technology, but most of the technical safeguards they require are met when data is properly encrypted and the keys are managed soundly. Encryption is not the whole answer: access control, logging and breach-notification duties remain, and regimes such as the GDPR (Article 34) and the HIPAA breach rules treat a loss of encrypted data more leniently only when the keys were not compromised alongside it.

Once data has been located and classified, in storage and in transit, the appropriate encryption can be applied, giving the organisation strong protection and covering the encryption-related requirements of the regulations that apply to it.

Galaxkey is designed to meet these needs, offering a data protection platform that addresses data protection requirements whether information is in storage or being transmitted.

Global compliance criteria and regulations for protecting data

Compliance criteria and regulations for protecting data exist worldwide, but the specific obligations are region-specific and dictated by the laws applying to each jurisdiction and sector.

Most regulated data falls into one of the following categories:

  • Financial or banking data
    • Data containing personal financial details
    • Credit card information
    • Bank account numbers
    • Financial data of public companies
    • Insurance details
    • Credit ratings
    • Invoices
  • Private individual data
    • Social security numbers
    • Individual addresses
    • Personally identifiable data that could potentially be used for identity theft
    • KYC data
  • Military and government data
    • All data specific to government programs, particularly those related to policies
    • All military data pertaining to national security
  • Business-sensitive data
    • Trade secrets
    • Research
    • Business intelligence data
    • Management Reports
    • Corporate business information for IT configurations
  • Personal health data
    • Confidential patient information
    • Patient address details
    • Patient reports and records

In almost all countries, the above categories are subject to strict regulatory requirements, and failure to comply can incur severe penalties. The regulations target the following data states:

  • Data at rest – archived data, network and file storage, and data held on desktop machines, laptops, mobile phones and any other device capable of retaining information.
  • Data in transit – any data being transmitted electronically, whether over the public internet or an internal network.

Galaxkey provides data protection to help organisations comply with these regulations.

Prominent regulations governing the requirement to protect and encrypt data include:

General Data Protection Regulation (Regulation (EU) 2016/679)

Focus: Handling of personal data
Scope: Any organisation, wherever established, that processes the personal data of individuals in the EU
Repercussions: Severe; administrative fines of up to 4% of worldwide annual turnover or €20 million, whichever is higher

The GDPR, applicable since 25 May 2018, extends the reach of EU data protection law to foreign companies processing the data of EU residents. It harmonises data protection rules across the EU, which makes it easier for non-European companies to comply, but at the cost of a strict compliance regime backed by severe penalties. Article 32 names encryption and pseudonymisation explicitly among the appropriate technical measures, and Article 34 removes the duty to notify affected individuals of a breach where the data had been rendered unintelligible, for example by encryption, to anyone not authorised to access it.

Data Protection Act (DPA) 1998 (replacing the DPA 1984; itself replaced by the Data Protection Act 2018)

Focus: Handling of personal information
Scope: United Kingdom – applicable to all businesses and government bodies
Repercussions: Forfeiture of data, criminal and civil penalties, and monetary penalties imposed by the Information Commissioner

An Act of the UK Parliament governing the disclosure of personal information, individuals' rights of access to it, its transmission and processing, and the protective measures required. Its seventh data protection principle required appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage. The Data Protection Act 2018 now supplements the GDPR in UK law.

Health Insurance Portability and Accountability Act (HIPAA)

Focus: Protection of electronic patient healthcare data and information
Scope: United States. Applies to covered entities (health plans, healthcare clearinghouses and healthcare providers that transmit health information electronically) and to the business associates that handle protected health information on their behalf
Repercussions: Civil monetary penalties and criminal prosecution for exposure of data or fraudulent behaviour

HIPAA's Security Rule requires administrative, physical and technical safeguards for electronic protected health information (ePHI). Encryption of ePHI at rest and in transit is an 'addressable' implementation specification: a covered entity must either implement it or document why an alternative measure is reasonable and appropriate. The Breach Notification Rule applies only to 'unsecured' PHI, so PHI encrypted in line with HHS guidance, with the keys kept separate from the breached data, does not trigger notification if it is lost.

Bundesdatenschutzgesetz (BDSG)

Focus: Protection of personal data
Scope: Germany – applicable to all businesses and government bodies
Repercussions: Various penalties for misuse

Germany's Federal Data Protection Act has been revised several times over the last four decades and governs the collection, processing and dissemination of personal data by public and private organisations. It covers a broad range of use cases and sets penalties for misuse; the version in force since 25 May 2018 (often called BDSG-neu) supplements the GDPR rather than standing alone.

Directive 95/46/EC (European Union Data Protection Directive)

Focus: Protection of personal data
Scope: European Union – applicable to all businesses and government bodies; repealed and replaced by the GDPR with effect from 25 May 2018
Repercussions: Not specified in the Directive itself; sanctions were left to each member state's implementing law

Personal data may be processed only when three basic conditions are met:
1. The person is informed of the processing (transparency).
2. The processing is for a legitimate purpose.
3. The data processed is proportionate to that purpose.

The Directive directs the responsible parties (controllers) to secure the data and ensure its confidentiality. Article 17 (Security of processing): "Member States shall provide that the controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing."

Payment Card Industry Data Security Standard (PCI DSS)

Focus: Protection of payment card (credit/debit card) data during processing, transmission and storage
Scope: Global. Maintained by the PCI Security Standards Council, founded by Visa, Mastercard, American Express, Discover and JCB, and enforced through the card brands' and acquirers' contracts with merchants and service providers
Repercussions: Significant fines for non-compliance and potential loss of the ability to accept payment cards

PCI DSS applies only where a Primary Account Number (PAN) is stored, processed or transmitted, on its own or together with other cardholder data. Requirement 3 requires stored PAN to be rendered unreadable (by truncation, one-way hashing, tokenisation, or strong cryptography with documented key management) and forbids storing sensitive authentication data such as full track data, card verification codes and PIN blocks after authorisation, even in encrypted form. Requirement 4 requires strong cryptography to protect PAN during transmission over open, public networks.

Gramm-Leach-Bliley Act (GLBA)

Focus: Protection of consumers' nonpublic personal information in the financial services industry
Scope: USA – banking and financial services
Repercussions: Significant fines and potential criminal charges

Section 501 of Subtitle A obliges financial institutions to protect the security and confidentiality of consumer nonpublic personal information (NPI); Section 505 names the agencies that enforce it, and Section 521 of Subtitle B prohibits obtaining customer information by false pretences. Covered organisations include national banks and federal branches of foreign banks, member banks of the Federal Reserve System, credit unions, and any institution insured by the Federal Deposit Insurance Corporation (FDIC). The FTC's Safeguards Rule (16 CFR Part 314), as amended in 2021, turns the general obligation into specific controls, including encryption of customer information both at rest and in transit over external networks, or a documented compensating control approved by the institution's qualified individual.

Sarbanes-Oxley Act (SOX)

Focus: Protection of sensitive data related to financial reporting in public companies; guidance for public companies on designing and reporting on the controls that protect financial information
Scope: United States. Companies registered with the SEC, including foreign issuers listed on US exchanges, and their auditors
Repercussions: Civil and criminal penalties for exposure of data or fraudulent behaviour, including personal liability for officers who certify false reports

The Act itself names no technologies. The IT control objectives most often mapped to Section 404 assessments of internal control over financial reporting come from COBIT 4.1; the ones that bear on protecting data and cryptographic keys are:
DS5.7 Protection of Security Technology: Make security-related technology resistant to tampering, and do not disclose security documentation unnecessarily.
DS5.8 Cryptographic Key Management: Determine that policies and procedures are in place to organise the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorised disclosure.
DS5.11 Exchange of Sensitive Data: Exchange sensitive transaction data only over a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt, and non-repudiation of origin.
DS11.6 Security Requirements for Data Management: Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, organisational security policy, and regulatory requirements.

Basel II Accord

Focus: International standard for capital adequacy and risk management in banking institutions
Scope: Global for all banking
Repercussions: Requirements to hold greater levels of capital; less favourable pricing in financial markets

Basel II rests on three pillars. The first sets minimum capital requirements and describes how banks calculate the capital they must hold against credit, market and operational risk; losses caused by information security failures fall under operational risk. The second pillar covers supervisory review of a bank's risk management, and the third market discipline through public disclosure.

Financial Instruments and Exchange Law of 2006

Focus: Protection of sensitive data related to financial reporting in public companies; enhancement of internal controls over financial reporting (often called J-SOX)
Scope: Japan. Listed companies, banking and financial services
Repercussions: Heavy penalties

The law also defines the maximum criminal penalties for various market frauds and expands the scope of penalties for criminal and fraudulent behaviour.

ISO/IEC 27001

Focus: Demonstrates that a business has a management system in place to protect corporate information and data, whether held online or offline
Scope: Global
Repercussions: Not a law; failure to maintain conformance risks loss of certification, which customers and contracts increasingly require

It is the specification for an information security management system (ISMS) and was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system." Its Annex A controls include a policy on the use of cryptographic controls and on key management (A.10 in the 2013 edition, A.8.24 in the 2022 edition), so encryption of data at rest and in transit is expected wherever the organisation's risk assessment calls for it.

The Markets in Financial Instruments Directive (MiFID) and MiFID II (which extends the original MiFID requirements)

Focus: EU legislation regulating firms that provide services to clients linked to 'financial instruments' (shares, bonds, units in collective investment schemes and derivatives) and the venues where those instruments are traded
Scope: European Union; retained in UK law after Brexit

MiFID II is made up of the recast Directive (2014/65/EU) and the Markets in Financial Instruments Regulation (MiFIR, Regulation (EU) No 600/2014). As an EU regulation, MiFIR is binding in its entirety and directly applicable, so its content took effect in the UK without domestic legislation while the UK was a member state; it has since been carried over into UK law as retained legislation. Article 16(7) of MiFID II requires firms to record telephone conversations and electronic communications relating to client orders and to retain them for five years (up to seven at a regulator's request), and the accompanying record-keeping rules require the records to be stored so that they cannot be altered, so these archives are data at rest that must be protected.