How much and what type of data security do you need? One answer is: enough to keep your data secure. But that’s too vague an answer to be useful.
One place to start is, “What will satisfy my company’s legal obligations?”
This means: What rules and regulations, whether from government(s) or your industry, must your data security comply with, and what do these regulations identify as the minimum necessary protection(s)?
These rules reflect the current state of technology — what type of tools are required or recommended, e.g., 256-bit AES encryption — and legal requirements, fines and penalties.
There are good financial reasons to secure your data as tightly as possible. Deploying state-of-the-art encryption and other security measures can be expensive, but it is far less expensive than paying the price of a data breach. HIPAA fines alone can run to millions of dollars; other costs can include paying for a year or more of identity theft protection for every person affected by the breach.
There are many compliance regulations, at the national, state, and industry levels. Ones you’re likely to have read about in the news include FERPA, FINRA, HIPAA, PCI DSS, Sarbanes-Oxley, and Gramm-Leach-Bliley.
And there are many others, like C-TPAT, a worldwide supply chain security initiative established in 2004, and state regulations like Massachusetts 201 CMR 17 (aka the Mass Data Protection Law).
And you can’t ignore regulations from states or countries where your business isn’t located: if you have customers or suppliers there, you may have to add those regulations to your comply-with list.