Corporate Compliance Insights

The Saga Continues… From Data Creation to Data Consumption to Data Exposure

by James Schellhase
June 21, 2016
in Uncategorized
Minimizing the risk of a data breach through information governance

Despite the many potential benefits of big data analytics, the unrestrained creation and retention of data has the potential to bury organizations under a mountain of legal, regulatory and operational challenges. According to IDC, by the year 2020, about 1.7 megabytes of new information will be created every second for every human on the planet. Meanwhile, MIT Technology Review estimated that only 0.5 percent of all the data we’re creating is ever analyzed. While most organizations would benefit from increasing this percentage, it’s clear that “dark data” – the information organizations collect and store but fail to use for other purposes – is mostly debris that serves only to increase infrastructure costs and expose organizations to risk and liability, especially when this data flows beyond the firewall.

Organizations of all sizes and types now typically share information via unified communications, including instant messages, social media channels and text messages, and they rely on third-party information vendors to host and manage their data in the cloud. Unfortunately, such activities can expose organizations to the risk of significant fines and reputational damage, because today’s evolving legal and regulatory environment makes organizations potentially responsible for information exposed by third parties. In fact, regulations such as SOX and BCBS 239, along with evolving privacy laws, have now made compliance departments equally responsible with legal departments for the health of their organizations.

The symbiotic relationship is clear: Compliance investigations can quickly become legal issues and vice versa. This is especially true when it comes to data hosted, managed or controlled by third parties. For example, if an employee posts information about an employer on social media sites and that information falsely influences or encourages an action by a consumer that causes damage, the employer can be held liable. In addition, if a retailer receives data from a market research firm that did not follow EU privacy regulations in gathering that data, the retailer can be sanctioned for any use or retention of that data.

Clearly, organizations must align the needs of their legal and compliance organizations and empower them to effectively govern third-party data. Accomplishing this, however, raises a number of challenges. First, managing data for retention has historically taken place at the department level, involving different processes, funding sources and technology systems. This lack of coordination means that one business unit typically doesn’t know what the other is doing.

An important consequence of this is that when outside entities investigate noncompliance, they can receive different answers from different departments, impeaching the company’s credibility.

Further, retention requirements may vary significantly between legal and compliance, and for each department across all the different jurisdictions in which the organization operates. Most companies today have no way to centrally monitor and coordinate these activities.

With every advancement in technology comes a new set of seemingly unsolvable problems for the enterprise. As we know from history, there are “bad guys” ready to pounce on any opportunity. If you wonder why some companies take longer to adopt new technologies, the answer should be clear. It is not a lack of incentive, knowledge or talent to do so. It is a risk assessment of the exposure and points of vulnerability. With such novel and complicated exposures, we can now understand why enterprises were slower to adopt PDAs, social media, cloud, etc.

An Information Governance Program Can Help

It is not a perfect world we live in, personally or professionally; however, ignoring your problems won’t make them disappear. Therefore, showing a propensity to “do the right thing” goes a long way. Many companies that appreciate the problem at least try to set a standard of behavior to show they are concerned and are trying to make progress with the establishment of simple and transparent policies. An information governance (IG) program is a comprehensive approach to safeguarding a company’s most strategic information by creating end-to-end, repeatable and, where possible, automated processes for how your data is created, consumed and used. Before you get overwhelmed… this is about progress, not perfection. The only rule here is that ignorance is not bliss.

The goal is to eventually get to a point where you know what data exists, where it is stored, what the data management policies should be with regard to it, who is responsible for implementing these policies, what data is most important to the organization, what data must be retained for legal and regulatory purposes and for how long and – the most important point – when you can get rid of it. The company does not have to keep all data that has ever been created or received. Data that doesn’t need to be retained for business purposes can – and in some cases should – be deleted. Appropriate data destruction is a normal part of the data management life cycle, whether behind your firewall or on smart devices, shared via instant messaging and social media sites or stored with cloud-based service providers.

IG relies on people, processes and technology to establish and mature the program over time.

A strategic foundation of a successful IG program is an executive committee that includes the CIO, CFO, CDO, General Counsel and other officers to drive alignment among all information stakeholders. An IG program also includes a Senior Advisory Group of line-of-business leaders to ensure business responsiveness to the program, a program office to drive and measure progress and a working group to facilitate and mature the relevant processes, including the identification of all relevant data stores. Implemented this way, an IG program promotes communication, including the value of identified information assets and any business, legal and regulatory requirements related to them.

If that wasn’t fun enough, third-party data now enters the picture, and it will require new people, processes and technology. It is an immature market, but you must start appreciating that it is here to stay and establish some standards of behavior for your company and your employees.

Get Going and Take Care of the Basics: Important Aspects of Any IG Program

Some companies actually keep all the data they produce and collect, citing fear of accidentally deleting data that should have been retained or even claiming that all data is potentially valuable to big data initiatives. I simply pose this question: What good is the data if you don’t know you have it? In addition, all this data is subject to compliance and e-discovery requests, even if it could have been justifiably disposed of based on a clear retention policy. As a result, keeping all data forever serves only to create a greater opportunity for complainants and regulators to find a perceived smoking gun. By contrast, if a company has a five-year retention policy, it is required to produce only five years’ worth of data, reducing the risk to the company. By keeping all data forever, organizations also risk violating evolving privacy regulations that require the elimination of some information.

Consider the following actions as basics to start the discussion:

  1. Get buy-in from the C-suite to form a governance oversight group. Without C-level support, an IG program can’t be effective. This group should be the catalyst for the development of the policies and processes that will drive the program. Resources such as the Sedona Guidelines, Electronic Data Reference Model (EDRM) and Information Governance Reference Model (IGRM), Corporate Governance Oversight Counsel (CGOC) and others can serve as great reference points.
  2. Resolve in advance the Chief Data Officer’s differing objectives with the Chief Information Officer, General Counsel, Chief Compliance Officer and business unit executives regarding the collection, use and retention of data.
  3. Start small with the basics. Focus on only the most relevant and highest-risk data and processes first, and mature the program over time. For example, do you have an Acceptable Use Policy (AUP) and a Records and Retention policy? An AUP is a great starting point for setting your standards for the data behavior of your employees. It also allows you to begin to address the uncomfortable discussion of shadow IT. Don’t turn a blind eye to the systematic use of shadow IT. While companies may not be held liable for the activities of a rogue employee, they may be held liable if administrators know employees are violating IG policies but then fail to act on that knowledge. This policy might state that employees are not permitted to use new technologies or share information with third parties until specifically permitted to do so by the company. Third-party data policies must be acknowledged and addressed with a separate Unified Communications and Social Media Acceptable Use Policy that sets standards for activities such as who can post on company social media channels, who controls social media account passwords for corporate and personal accounts (for certain restricted employees) and who monitors what is posted. This AUP must also codify guidelines for instant messages, text messages and other work-related communications.
  4. Implement a program for basic data hygiene to slow down the madness. Do I know how much data I have and where it is? This program should also target data quality and ensure data is in the right place with the right level of security.

Tags: Communications Management
James Schellhase

James Schellhase is a worldwide business executive in information governance and a faculty member of the Compliance, Governance and Oversight Council. He was formerly the President, Founder, Chairman and CEO of StoredIQ, which was acquired by IBM.

© 2022 Corporate Compliance Insights