It’s Data Privacy Day! Do you have the policies in place to safeguard your company’s most strategic information? Here are nine best practices to follow.
Today, big data initiatives using customer data are driving new personalized services, innovative insights, optimized operations and new business models. That all sounds terrific, but there’s a dark side to big data, and if you don’t get a handle on it, your company’s new analytics projects may cause far more problems than they solve.
We see it nearly every day. Data gets hacked and stolen, and private customer and employee information is continually being accessed by the wrong people. The Edward Snowden leaks demonstrate that even top-secret government documents are vulnerable. The Ponemon Institute has estimated that criminal data breaches now cost companies an average of $174 per record, and to gauge the significance of this, consider that Target’s breaches in December 2014 and January 2015 involved as many as 110 million customers.
Evolving regulations in the U.S., and even more so in the EU, make it clear that companies that get breached or that inadvertently expose private information are subject to a variety of regulatory and legal penalties. The increasing reliance on the cloud only increases security concerns, especially with regard to the adequacy of cloud vendor protections and certifications and the transfer of data across borders. Public cloud services such as Dropbox, AWS, iCloud, and Google Drive should also give security and privacy-conscious companies pause because of the ease with which private information can be shared with just about anyone. In addition to fines, failure to comply with privacy regulations can actually result in significant damage to a company’s reputation.
Despite these risks – and in the face of headline after headline loudly proclaiming how vulnerable organizations are – far too many companies insist on making the situation worse. They stick their collective executive and board heads in the sand and, in the name of big data, permanently parking every bit of information they collect in storage systems and archives “just in case” they should ever need it.
But the math here is simple: the more data you have, the more complex your infrastructure must become to support it, so the more vulnerable it is to breaches and privacy violations.
Many companies will claim they are doing everything they can to protect data by investing in the latest intrusion prevention and detection solutions. But there are two problems with this. First, these solutions, while getting better all the time, are constantly doing battle with evermore sophisticated attackers, and the attackers keep winning. Second, these solutions are focused on keeping outsiders out, but they do little to prevent breaches from within.
According to an industry watch report and survey conducted by AIIM, 51 percent of respondents had data-related incidents in the past 12 months, including 16 percent suffering a data breach – half from external hacking and half from staff. Staff negligence or bad practice is the most likely cause of data loss (20 percent).
Contrary to the belief of most IT executives, minimizing the risk of both outside and inside threats to data does not start with a technology solution. Instead, it starts with developing policies and practices that enable you to:
- Clearly understand the full scope of the data under your control, including data put in cloud storage and shared with third parties.
- Assess the value of that data to the various stakeholders throughout your organization and the risks associated with it, including whether or not it should be identified as private or sensitive and whether or not it really has any potential big data value.
- Identify all information that has no business, regulatory or legal value so it can be defensibly disposed. According to a combined Compliance, Governance and Oversight Counsel (CGOC) and EDRM survey in 2014, approximately 70 percent of data that companies now keep falls into this category, and eliminating it would result in a dramatically simpler infrastructure and reduced risk.
Developing such policies and practices is the function of an information governance (IG) program. IG programs provide a comprehensive approach to safeguarding a company’s most strategic information. They create end-to-end, repeatable, and — where possible — automated processes that help determine what data is most important to the organization and how best to use it securely in day-to-day operations. Key elements of an IG program include:
- Establish who owns the oversight of data privacy and compliance.
- Identify where private and sensitive information exists in business processes and IT systems.
- Understand how much is shared outside the organization.
- Assess and balance the risks and value of this data, especially with regard to big data projects.
- Establish policies to meet privacy and security requirements.
- Limit the locations where private and sensitive information can be stored and who can access it, making it easier to protect.
- Dispose of unnecessary information to avoid liability and simplify the infrastructure.
- Use encryption where possible.
- Provide full audit, logging, monitoring, and alerting capabilities.
When it comes to priorities in the age of big data, information governance usually isn’t near the top of the list, but once company leaders recognize the potential dark side of all that data – both financial and ethical – information security teams can take the lead in pushing for a comprehensive IG program.
Heidi Maher is an attorney and a legal technology specialist who has advised hundreds of organizations on information governance around data security, compliance and eDiscovery. From assessing maturity levels and drafting readiness plans to helping implement internal … View Full Bio