Minimizing the risk of a data breach through information governance

Despite the many potential benefits of big data analytics, the unrestrained creation and retention of data has the potential to bury organizations under a mountain of legal, regulatory and operational challenges. According to IDC, by the year 2020, about 1.7 megabytes of new information will be created every second for every human on the planet. Meanwhile, MIT Technology review estimated that only 0.5 percent of all the data we’re creating is ever analyzed. While most organizations would benefit by increasing this percentage, it’s clear that “dark data” – the information organizations collect and store, but fail to use for other purposes – is mostly debris that serves only to increase infrastructure costs and expose organizations to risk and liability, especially when this data flows beyond the firewall.

Organizations of all sizes and types now typically share information via unified communications, including instant messages, social media channels and text messages, and they rely on third-party information vendors to host and manage their data in the cloud. Unfortunately, such activities can expose organizations to the risk of significant fines and reputational damage because today’s evolving legal and regulatory environment makes organizations potentially responsible for information exposed by third parties. In fact, regulations such as SOX and BCBSS 239, along with evolving privacy laws, have now made compliance departments equally responsible with legal departments for the health of their organizations.

The symbiotic relationship is clear: Compliance investigations can quickly become legal issues and vice versa. This is especially true when it comes to data hosted, managed or controlled by third parties. For example, if an employee posts information about an employer on social media sites and that information falsely influences or encourages an action by a consumer that causes damage, the employer can be held liable. In addition, if a retailer receives data from a market research firm that did not follow EU privacy regulations in gathering that data, the retailer can be sanctioned for any use or retention of that data.

Clearly, organizations must align the needs of their legal and compliance organizations and empower them to effectively govern third-party data. Accomplishing this, however, raises a number of challenges. First, managing data for retention has historically taken place at the department level, involving different processes, funding sources and technology systems. This lack of coordination means that one business unit typically doesn’t know what the other is doing.

An important consequence of this is that when outside entities investigate noncompliance, they can receive different answers from different departments, impeaching the company’s credibility.

Further, retention requirements may vary significantly between legal and compliance and for each department across all the different jurisdictions the organization operates. Most companies today have no way to centrally monitor and coordinate these activities.

With every advancement in technology comes a new set of seemingly unsolvable problems for the enterprise. As we know from history, there are “bad guys” ready to pounce on any opportunity. If you wonder why some companies take longer to adopt new technologies, the answer should be clear. It is not a lack of incentive, knowledge or talent to do so. It is a risk assessment of the exposure and points of vulnerability. With such novel and complicated exposures, we can now understand why enterprises were slower to adopt PDAs, social media, cloud, etc.

An Information Governance Program Can Help

It is not a perfect world we live in, personally or professionally; however, ignoring your problems won’t make them disappear. Therefore, showing a propensity to “do the right thing” goes a long way. Many companies that appreciate the problem at least try to set a standard of behavior to show they are concerned and are trying to make progress with the establishment of simple and transparent policies. An information governance (IG) program is a comprehensive approach to safeguarding a company’s most strategic information by creating end-to-end, repeatable and, where possible, automated processes for how your data is created, consumed and used. Before you get overwhelmed… this is about progress, not perfection. The only rule here is that ignorance is not bliss.

The goal is to eventually get to a point where you know what data exists, where it is stored, what the data management policies should be with regard to it, who is responsible for implementing these policies, what data is most important to the organization, what data must be retained for legal and regulatory purposes and for how long and – the most important point – when you can get rid of it. The company does not have to keep all data that has ever been created or received. The destruction of data that doesn’t need to be retained for business purposes can – and in some cases should – be deleted. Appropriate data destruction is a normal part of the data management life cycle, whether behind your firewall or on smart devices, shared via instant messaging and social media sites or stored with cloud-based service providers.

IG relies on people, processes and technology to establish and mature the program over time.

A strategic foundation of a successful IG program is an executive committee that includes the CIO, CFO, CDO, General Counsel and other officers to drive alignment among all information stakeholders. An IG program also includes a Senior Advisory Group of line-of-business leaders to ensure business responsiveness to the program, a program office to drive and measure progress and a working group to facilitate and mature the relevant processes, including the identification of all relevant data stores. Implemented this way, an IG program promotes communication, including the value of identified information assets and any business, legal and regulatory requirements related to them.

If that wasn’t fun enough, now enters third-party data that will require new people, processes and technology. It is an immature market, but you must start appreciating that it is here to stay and establish some standards of behavior for your company and your employees.  

Get Going and Take Care of the Basics: Important Aspects of Any IG Program

Some companies actually keep all the data they produce and collect, citing fear of accidently deleting data that should have been retained or even claiming that all data is potentially valuable to big data initiatives. I simply pose this question: What good is the data if you don’t know you have it? In addition, all this data is subject to compliance and e-discovery requests, even if it could have been justifiably disposed of based on a clear retention policy. As a result, keeping all data forever serves only to create a greater opportunity for complainants and regulators to find a perceived smoking gun. By contrast, if a company has a five-year retention policy, it is required to produce only five years’ worth of data, reducing the risk to the company. By keeping all data forever, organizations also risk violating evolving privacy regulations that require the elimination of some information.

Consider the following actions as basics to start the discussion:

  1. Get buy-in from the C-suite to form a governance oversight group. Without C-level support, an IG program can’t be effective. This group should be the catalyst for the development of the policies and processes that will drive the program. Resources such as the Sedona Guidelines, Electronic Data Reference Model (EDRM) and Information Governance Reference Model (IGRM), Corporate Governance Oversight Counsel (CGOC) and others can serve as great reference points.
  2. Resolve in advance the Chief Data Officer’s differing objectives with the Chief Information Officer, General Counsel, Chief Compliance Officer and business unit executives regarding the collection, use and retention of data.
  3. Start small with the basics. Focus on only the most relevant and highest-risk data and processes first, and mature the program over time. For example, do you have an Acceptable Use Policy (AUP) and a Records and Retention policy? An AUP is a great starting point for setting your standards for the data behavior of your employees. It also allows you to begin to address the uncomfortable discussion of shadow IT. Don’t turn a blind eye to the systematic use of shadow IT. While companies may not be held liable for the activities of a rogue employee, they may be held liable if administrators know employees are violating IG policies but then fail to act on that knowledge. This policy might state that employees are not permitted to use new technologies or share information with third parties until specifically permitted to do so by the company.Third-party data policies must be acknowledged and addressed with a separate Unified Communications and Social Media Acceptable Use Policy to set standards for activities such as who can post on company social media channels, control social media account passwords for corporate and personal accounts (for certain restricted employees) and monitor what is posted. This AUP must also codify guidelines for instant messages, text messages and other work-related communications.
  1. Implement a program for basic data hygiene to slow down the madness. Do I know how much data I have and where it is? This program should also target data quality and ensure data is in the right place with the right level of security.
Create your Terms and Conditions agreement

James Schellhase

June 21 - James Schellhase headshotJames Schellhase is a worldwide business executive, information governance and a faculty member of the Compliance, Governance and Oversight Council. He was formerly the President, Founder, Chairman and CEO, of StoredIQ, which was acquired by IBM.

Related Post

How Secure is Your HR Data?

Posted by - November 23, 2015 0
HR is the keeper of confidential information on applicants, employees and clients and the birthplace of policy and a range…