Navigating a Changing Regulatory Landscape in Video Surveillance Data Protection

Users of video surveillance expect so much from their system – and reasonably so. Surveillance systems grew in popularity to provide a new standard of security and protection, but now that same video data is being used to validate cars in parking lots, monitor outgoing shipments from large-scale warehouses, identify frequent shoppers, and much more. As this data is being passed from provider-to-provider for processing, management, and storage, the privacy and protection of that data comes into question. What rights do I have to my data? Who has access to my data? And most importantly, how can I protect my data? 

Compliance regulations may be just the resource in your toolbelt to help maintain the balance between safe and secure technology and a disastrous data breach with widespread consequences. While regulations help to address many data protection concerns, navigating the complex world of regulations – whether regional, industry-specific, or nationwide – can require a bit of finesse.  

Before digging too far in to determine which regulations to consider, it’s important to understand how data protection, data privacy, and ultimately cybersecurity are driving advances in both the video surveillance industry and regulatory policies. Differentiating these ideas can help protect organizations – both public and private – from cyber-threats.   

Understanding Data Protection and Data Privacy:  

Data privacy is of utmost importance for customers to feel confident when their data is in the hands of a third-party organization. Data privacy speaks to the wholistic set of principles and practices focused on protecting against the mishandling of data. In the case of surveillance, video data typically contains personal information, and the expectation is that data is managed with extra considerations of safely and security. 

Data protection focuses on securing data every step of the way while at rest (stored data), in transit (data being transmitted from one place to another), and data in use (data actively being processed). Regulations like GDPR, NDAA, SOC, HIPPA, and many others are guiding the way users, integrators, and providers handle data management of video surveillance data. The primary goal is to ensure the security, privacy, and integrity of video data regardless of the medium in which it is stored or transmitted.  

“Another trend is the increased use of encryption and other security measures to protect data and prevent unauthorized access. This is especially important given the growing amount of sensitive data that is being collected by physical security systems.” 

–Dan Berg, Senior Partner Integration Manager, Salient Systems  

This article highlights some of the more prominent regulations in video surveillance to consider today, but first, it’s important to highlight one of the biggest considerations in video surveillance most affecting the privacy and protection of video surveillance data – cybersecurity. 

Cybersecurity as a Part of Data Protection 

Cybersecurity plays a key part in video surveillance focused on maintaining the integrity, confidentiality, and availability of video data. It starts with creating a safe network, but there is a lot more that goes into securing the full tech stack.  

In the world of video surveillance, cybersecurity includes deploying devices like surveillance cameras and servers hardened against cyberattacks, developing and maintaining firmware updates, and simply updating passwords regularly. Yet, a successful cybersecurity practice also relies on the security of elements outside of the video surveillance solution – or even the larger physical security solution. A stronger practice depends on the security of other connected devices, proper physical access management, network connection points, and everything in between. This is where it’s important to view cybersecurity from a holistic approach. We all remember that time a cybercriminal breached a major retailer’s network through a connected thermostat putting millions of individuals’ personal data at risk, right?  

A surveillance solution, along with the entire tech stack behind that surveillance system, is only as strong as its weakest point. Responsibility to maintain data protection then falls to more than just the data owner. Suppliers can source products in compliance with country-of-origin laws; manufacturers can develop technology that meets specific regulations before hitting the market. Resellers and integrators can take precautions by providing systems built for cybersecurity with secure integrations with adjacent technology. Maintaining cybersecurity best practices can be a challenging, ongoing, and even endless effort, but working with organizations that put cybersecurity at the forefront of innovation is a major step towards data privacy. 

Which Regulations Matter 

 When choosing video surveillance providers, compliance regulations are the key to deciphering which solutions provide the right alignment with existing legal and ethical regulations supported by high cybersecurity standards. Specifics vary depending heavily on country, region, industry, and nature of business, but understanding the more influential compliance regulations can be the difference between data protection and data breach.  

Federal Educational Rights and Privacy Act (FERPA) is a US federal law providing protective rights for students of all ages against the mismanagement of personal records and personally identifiable information. Video surveillance offers educational facilities improved operations, better security, and safer campuses across K-12 and higher education providers alike. One facility can easily deploy hundreds or thousands of cameras across every area of the campus, collecting countless pieces of personal data. FERPA ensures organizations protect this video data along with all data collected, stored, and managed by other technologies in educational settings. Choosing the right provider that aligns with FERPA requirements simplifies compliance concerns from day one.  

The Health Insurance Portability and Accountability Act (HIPAA) imposes strict requirements on how personal health information (PHI) is stored and protected in healthcare settings ensuring patient confidentiality and safeguarding IT systems and infrastructures against cyber risks. For most technology, this personal health information is related to personal data such as name, birthdate, or medical history. However, coverage under HIPPA also includes video footage of patients, recordings of sensitive medical data, and other personal details collected and stored by video surveillance. A strategic approach including the right investments in technology that aligns with HIPAA safety protocols supports the safeguarding of sensitive healthcare information and ensures compliance.   

The General Data Protection Regulation (GDPR) creates clear requirements organizations in the European Union must align with when collecting, storing, and managing personal data. With video surveillance collecting any amount of personal data, organizations must take required steps to ensure the systems, hardware, software, and other solutions are built to safeguard privacy.    

The Criminal Justice Information Services (CJIS) established minimum security requirements to protect criminal justice information such as electronic criminal records, digital evidence, biometric data, and other personal information. Secure video surveillance solutions and networks can help organizations remain CJIS-compliant, but not all surveillance providers are created equal. CJIS outlines 13 policies crucial for maintaining compliance and the selection of solutions addressing physical security, cybersecurity, and operational efficiency measures included in those 13 policies can significantly impact an organization’s successful compliance. 

The National Defense Authorization Act (NDAA) is a US policy regulating the budget and annual spend of the Department of Defense. NDAA prohibits federal funding from purchasing and deploying certain telecom and video surveillance equipment and services. When deploying surveillance solutions, government entities and providers both must take an active role in maintaining compliance with this policy or risk cybersecurity, data privacy, or legal repercussions. Adjacent to NDAA policies, the Trade Agreement Act (TAA) further limits surveillance systems with specific countries of origin for products sold through GSA Schedule Contracts, or government-wide contracts.  

The list of regulations impacting video surveillance data protection can be extensive depending on region- or industry-specific factors, but that doesn’t stop technology from evolving every day; with the explosion of artificial intelligence (AI) in recent years, for example, video surveillance has become a key source of information for organizations. But how can governing bodies keep up with the unique data privacy concerns that AI brings? Regulations can’t keep up with the rapid innovation within the industry driving the need for ethical – not just legal – ramifications for investments. Deploying secure solutions from trusted providers that keep innovation and compliance at the forefront of the conversation allows users to drive towards safe and compliant solutions.  

What’s at Stake  

The consequences of failing to uphold industry compliance standards can be swift and severe. Surveillance compliance could lead to your business being forcibly shut down. In the case of a cannabis manufacturer or retailer, failure to comply at any level can come with hefty fines, inventory confiscation, or temporary or permanent loss of licensure. An educational facility risks exposure of not only personal information of students, staff, and visitors, but the physical safety of those individuals as well. In healthcare, mismanaged compliance puts sensitive PHI at risk of exposure. A retailer could put customer financial data at a criminal’s fingertips with just one wrong investment in technology.  

Regardless of the industry or location, it’s important to keep specific compliance mandates in mind when deploying and managing surveillance. Every country has its own set of rules that govern it. Every industry has an additional set of rules. When deploying video surveillance systems, data protection is the duty of not just the data owner, but of all parties that bring solutions to life. Starting with compliant solutions can save time, money, and other resources from the start. 

What’s Next? 

Want to learn more about how compliance and regulations play into video surveillance? Join the live discussion on February 8 at 2PM EST with a panel of industry veterans to dig deeper into video surveillance compliance of the past, present, and future. Register today!