Data Privacy, Information Management, and Security: Adjusting to a New Normal
Data privacy is taking the world by storm. Starting with the EU’s formalization of the General Data Protection Regulation (GDPR) in 2016, its enactment in 2018, and a flurry of enforcement activity that started in early 2019, the issue of consumer data privacy is ushering in a new normal for how organizations store and handle sensitive information.
While the GDPR may have been a catalyst, forcing global corporations to re-examine and fundamentally change their business practices around consumer personal data, the storm is nowhere near over. Jurisdictions around the world—including Australia, Brazil, Japan, and South Korea—are enacting or revising their data protection regulations. In the United States, while the federal government continues to lag on implementing federal data privacy legislation, states are taking action.
Meanwhile, information security proves to be increasingly challenging for a variety of reasons. A considerable skills gap in IT security teams, lagging resources to support the chief information security officer (CISO) in keeping pace with increasingly sophisticated threat actors, and growing difficulties in containing insider threats are common issues.
Additionally, corporate data volumes continue to grow exponentially. This combination of pressures leaves organizations strained and unsure of where to begin when trying to reconcile the requirement to operationalize data privacy processes with their security and data management programs.
Existing and Emerging Regulations
Regulators are laying the groundwork to conduct aggressive enforcement of data protection laws and the new requirements under them. The GDPR compliance enforcement actions to date indicate that regulators are proactively monitoring organizations’ security and privacy posture and may take enforcement action even in the absence of a security breach or incident.
Security professionals should expect regulators to have decreasing sympathy for organizations that fail to put the right processes in place. On the flip side, however, regulators are likely to show favor to organizations that have taken proactive steps in good faith to get their data houses in order.
California is the first U.S. state to enact a formal consumer data protection law, the California Consumer Privacy Act, which will take effect in January 2020. The law is designed to provide broad, strict protections for the personal data of California residents. With $2.75 trillion in annual gross domestic product, California’s economy is now the fifth largest in the world, meaning that corporations with any level of exposure to U.S. markets likely have a data footprint in the state. While enforcement will be limited to state borders, the regulation will surely have global reach, and any organization that processes data in California or data belonging to state residents will be required to comply.
In New York, the Department of Financial Services implemented its Cybersecurity Regulation, requiring banks, insurance companies, and other financial institutions to comply with new guidelines to improve cybersecurity resiliency. Under this regulation, banks doing business in New York should retain personal data only to the extent that it is necessary to execute business needs or for specific regulatory and legal reasons.
As of 2018, data breach notification laws are also now in effect across every U.S. state, with Alabama the last jurisdiction to implement one. These require all private and governmental entities to notify individuals of breaches of their personal information.
Across existing U.S. data regulations, however, penalty parameters remain vague. And without federal legislation that supersedes individual state regulations or provides guidance on data privacy enforcement, it will be difficult for the state laws to impose significant risk. Case law on state matters will begin to emerge in the coming year or so, giving more clarity on the extent of enforcement.
Collectively, these laws establish the foundation for complicated and expansive private rights of action, in which consumers and employees can sue corporations for data privacy-related damages. In turn, corporate stakeholders and shareholders must determine how to preserve the value of their data repositories, continue business activity, and reconcile strategy and operations with regulatory obligations.
The Insider Threat
Some of the biggest data breaches in recent years were caused by either negligent or malicious behavior of company insiders.
Between 25 May and 1 October 2018, the French Data Protection Authority (CNIL) received notifications of more than 700 data breaches that impacted upwards of 33 million people. Sixty-two of the breaches were related to data sent to the wrong recipients, 47 were due to lost or stolen devices, and 41 resulted from unintentional publication of information. The report indicates that many of the breaches were attributable to employees’ or partners’ unintentional mistakes. For example, in 2018 a French telecom operator notified the CNIL it experienced a years-long security vulnerability due to a human mistake—the computer code that controlled user authentication on the company’s website was deactivated for testing, but the company failed to reactivate the code after the tests were complete. Personal data of the company’s customers were ultimately exposed and the CNIL issued a €250,000 fine.
In the 2018 Insider Threat Report from Cybersecurity Insiders, 90 percent of organizations surveyed said they feel vulnerable to insider attacks, and 53 percent confirmed their organization had fallen victim to an insider attack in the last 12 months. Further, a survey of cybersecurity professionals found that 42 percent said insider attacks or breaches are the most damaging type of threat to the organization.
While some paint the picture of the insider threat as a malicious actor seeking to intentionally destroy from within, this understanding oversimplifies the issue. Ultimately, the insider threat is a person with access to internal systems or information who intentionally or unintentionally uses that access to cause harm.
A recent Ponemon study cited the current average cost of an insider threat at $8.7 million. The damage to customer trust, shareholder value, and business viability that can result from such an event can be equally destructive regardless of the insider’s intent. Factoring the insider threat into data privacy and protection initiatives is an important part of ensuring meaningful mitigation of data breaches.
Where to Start
Corporate stakeholders must implement proper controls that adequately protect personal data, as well as enable business operations. Doing so requires a corporation to establish information governance (IG) that encompasses clear, attainable, and robust programs and policies that protect data.
These efforts will require a cross-functional team of key stakeholders that may include leadership from records management, legal, compliance, security, IT, and operations. Such a task force is instrumental in ensuring that new programs are meeting the needs of the entire organization and addressing challenges that may arise from any given department. These stakeholders must evaluate and communicate the fundamental legal and regulatory drivers behind new processes. They also must ensure that everyone within the company understands how important the program is to the organization’s overall success and business continuity.
Securing board or executive sponsorship is also key. Teams can obtain buy-in by explaining program benefits that will specifically address executive-level pain points. For example, if the executive sponsor is the general counsel, building the financial risk case is critical. If sponsorship is solicited from the CIO or another IT leader, they may be more likely to embrace a project that addresses data minimization and reduces IT overhead.
Business leaders or board members will be more focused on the overall impact to the bottom line and cost avoidance of possible penalties for failing to comply with various regulations in any region where the company does business.
Don’t Reinvent the Wheel
Many companies have already made significant operational changes to comply with the GDPR, particularly for defensible data deletion and response to data subject access requests (DSARs). Organizations can lean on this work as the foundation to respond to new and emerging laws, and take lessons learned from activities to date to guide future process adjustments.
For organizations that are dealing with data privacy initiatives for the first time, there are several steps to take. Stakeholders should examine and update existing privacy policies and corresponding standard operating procedures, communications, and messaging procedures. Then they can begin creating a detailed map of the organization’s data universe, accounting for the entire scope of where sensitive information originates, flows, and is stored. This will inform which areas should be prioritized as new programs are rolled out, so they are applied to the most sensitive pools of data first. A team should be designated to keep track of channels of data across the organization; if there is a change to the data flow, they can audit and investigate, as needed.
Also, with the data map as a guide, the team can audit and analyze where vulnerabilities exist or where best practice protections, such as encryption and access controls, are lacking. Surprisingly, encryption is still not used as broadly as it should be within most enterprises. One 2017 study by Ponemon found that nearly 60 percent of enterprises do not have a consistent encryption strategy—a stark reminder that many gaps in meeting baseline standards for information security still exist.
Processes can be built with stakeholders to address defensible and timely disposal of data that is not essential to business operations or subject to legal and compliance retention requirements; to track if, when, and how data processing consent is given; and how DSARs and other inquiries are authenticated and responded to. Established processes will drive workflows around how data is processed, stored, used, shared, retained, and deleted. All employees who have touchpoints with the organization’s stores of personal data should be trained on these processes and how to appropriately respond to, escalate, and scale inbound data requests. Audits of programs and training activities should be conducted regularly, with their results documented and retained in case they are needed in the event of a breach or regulator inquiry.
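The disposal process described above (delete what is no longer needed, but never what is under a legal hold or a retention obligation, and honour withdrawn consent where processing rests on consent) is easier to audit when it is written down as a decision rule. The following is an added example, not code from the article or from FTI Consulting; the record layout, the retention schedule, the set of consent-based classes and the sample records are all assumptions constructed for illustration.

```python
"""Added example: a defensible-deletion pass over a constructed record inventory.

Assumptions (not from the article): the retention schedule below, the idea
that "marketing_contact" records are processed on a consent basis, and the
sample records at the bottom.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention schedule: days a record class must be kept after creation.
RETENTION_DAYS = {
    "marketing_contact": 365,
    "support_ticket": 730,
    "invoice": 7 * 365,
}

# Assumed: classes whose lawful basis is consent, so withdrawal ends retention.
CONSENT_BASED = {"marketing_contact"}


@dataclass(frozen=True)
class Record:
    record_id: str
    data_class: str
    created: date
    consent_withdrawn: bool = False


def disposition(rec, today, legal_holds):
    """Return (action, reason) for one record.

    Order of precedence: a legal hold always wins; an unknown data class is
    routed to human review rather than auto-deleted; withdrawn consent ends
    retention only for consent-based classes; otherwise the schedule decides.
    """
    if rec.record_id in legal_holds:
        return "retain", "legal hold"
    if rec.data_class not in RETENTION_DAYS:
        return "review", "no retention rule for class"
    if rec.consent_withdrawn and rec.data_class in CONSENT_BASED:
        return "delete", "consent withdrawn"
    expiry = rec.created + timedelta(days=RETENTION_DAYS[rec.data_class])
    if today >= expiry:
        return "delete", f"retention expired {expiry.isoformat()}"
    return "retain", f"retention until {expiry.isoformat()}"


def run_disposal(records, today, legal_holds):
    """Return an audit log as a list of (record_id, action, reason) tuples.

    The log itself is the artifact to keep: it documents why each record was
    deleted or kept, which is what a regulator inquiry would ask for.
    """
    return [(r.record_id, *disposition(r, today, legal_holds)) for r in records]


# Constructed sample inventory (not real data).
SAMPLE_RECORDS = [
    Record("r1", "marketing_contact", date(2018, 1, 1)),
    Record("r2", "invoice", date(2015, 3, 10)),
    Record("r3", "support_ticket", date(2016, 1, 15)),
    Record("r4", "marketing_contact", date(2019, 3, 1), consent_withdrawn=True),
    Record("r5", "hr_file", date(2010, 5, 5)),
]
SAMPLE_HOLDS = {"r3"}  # constructed: r3 is subject to litigation hold
SAMPLE_TODAY = date(2019, 6, 1)

if __name__ == "__main__":
    for entry in run_disposal(SAMPLE_RECORDS, SAMPLE_TODAY, SAMPLE_HOLDS):
        print(entry)
```

The point of the `review` outcome is that an inventory class with no agreed retention rule is a gap in the data map, not a candidate for automatic deletion; surfacing it to the stakeholders who own the schedule is what keeps the deletion defensible.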
From a tactical technology perspective, there is a range of tools organizations can lean on to support IG and data privacy programs and processes. Endpoint data loss prevention (DLP) technology that automatically tracks, controls, detects, and blocks potentially harmful activity happening inside the network is one example. DLP tools can make a meaningful impact on operationalizing IG policies and keeping sensitive data inside the organization.
Mobile device management tools are similarly useful, and they allow IT security teams to manage and control company-owned and employee-owned devices. They provide the ability to block access or wipe information if an insider risk associated with a device arises.
Employee monitoring, while controversial from a privacy standpoint, is another category of technology that can be leveraged to detect and thwart suspicious insider activity. Any new technology should be vetted among key legal, IT, and security stakeholders through a data privacy and compliance lens and woven into existing programs accordingly.
Pitfalls to Avoid
Even within organizations that have begun to implement data protection programs, many still struggle to consistently deprovision access in a timely manner and quarantine sensitive information when someone leaves the company.
A report from Osterman Research found that 69 percent of organizations polled have “suffered significant data or knowledge loss resulting from employees who took information resources with them when they left the business.”
IG stakeholders should be working closely with HR to monitor and update access as roles change, are terminated, or are filled by new employees. HR and data security should have ongoing touchpoints with employees throughout their lifecycle to address adequate access management, as well as training and other controls that strengthen data security.
Similarly, contractors—who are often exempt from policies and processes that apply to employees—can fly under the radar in terms of company policy and process, making them invisible to information security teams working to implement stronger data privacy and protection. One of the most high-profile data breaches in recent years—a 2013 breach of credit card information belonging to customers of a major U.S. retailer—was the result of an approved contractor innocuously accessing the network and inadvertently allowing malware to leak into the system. Teams must be careful not to overlook this potential threat and be sure to incorporate contractor management and access control as part of their data protection processes.
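Both pitfalls above (access that outlives the employee, and contractor accounts nobody on the roster owns) can be caught by the same periodic check: reconcile the identity store against the HR and contractor roster and flag anything that does not line up. The following is an added example, not code from the article or from FTI Consulting; the roster and account formats, the one-day deprovisioning SLA and the sample data are assumptions constructed for illustration.

```python
"""Added example: reconcile accounts against an HR/contractor roster to find
stale and orphaned access.

Assumptions (not from the article): the roster and account dictionaries
below, the DEPROVISION_SLA_DAYS value, and the constructed sample data.
"""
from datetime import date

# Assumed SLA: an account must be disabled within this many days of leaving.
DEPROVISION_SLA_DAYS = 1


def reconcile(roster, accounts, today, sla_days=DEPROVISION_SLA_DAYS):
    """Return a list of (username, finding) pairs.

    roster:   {person_id: {"type": "employee"|"contractor",
                           "status": "active"|"terminated",
                           "end_date": date or None}}
    accounts: [{"username": str, "person_id": str, "enabled": bool}, ...]

    Findings:
      orphaned  - enabled account with no roster entry at all (often an
                  unmanaged contractor or a service account nobody owns)
      stale     - enabled account for a terminated person, past the SLA
      pending   - enabled account for a terminated person, still within SLA
    Disabled accounts and accounts of active people produce no finding.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deprovisioned; nothing to report
        person = roster.get(acct["person_id"])
        if person is None:
            findings.append((acct["username"], "orphaned: no HR or contractor record"))
            continue
        if person["status"] != "terminated":
            continue
        days_gone = (today - person["end_date"]).days
        overdue = days_gone - sla_days
        if overdue > 0:
            findings.append(
                (acct["username"],
                 f"stale: {person['type']} left {days_gone} day(s) ago, "
                 f"{overdue} day(s) past deprovisioning SLA"))
        else:
            findings.append((acct["username"], "pending: within deprovisioning SLA"))
    return findings


# Constructed sample data (not real people or systems).
SAMPLE_ROSTER = {
    "e1": {"type": "employee", "status": "active", "end_date": None},
    "e2": {"type": "employee", "status": "terminated", "end_date": date(2019, 6, 1)},
    "c1": {"type": "contractor", "status": "terminated", "end_date": date(2019, 6, 9)},
}
SAMPLE_ACCOUNTS = [
    {"username": "alice", "person_id": "e1", "enabled": True},
    {"username": "bob", "person_id": "e2", "enabled": True},
    {"username": "bob-adm", "person_id": "e2", "enabled": False},
    {"username": "carol", "person_id": "c1", "enabled": True},
    {"username": "dave", "person_id": "x9", "enabled": True},
]
SAMPLE_TODAY = date(2019, 6, 10)

if __name__ == "__main__":
    for username, finding in reconcile(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, SAMPLE_TODAY):
        print(f"{username}: {finding}")
```

Running this on a schedule, with its output retained, gives the HR and security touchpoints mentioned above something concrete to act on and leaves an audit trail showing that access was reviewed, which is the kind of good-faith evidence regulators have been shown to credit.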
Another common pitfall many well-intentioned companies face is getting stuck in analysis paralysis. Many teams have too many stakeholders involved in the final decision-making process and get caught in the minute details of a policy, ultimately unable to get it approved and implemented. It is essential that teams do not allow perfect to be the enemy of good enough. Organizations must strike the right balance between gaining extensive input from cross-functional stakeholders and ending up with too many cooks in the kitchen.
One way to address this is to kick off initiatives with a collaboration workshop. Key people from across many functions can be brought in to brainstorm and provide input on the organization’s landscape of data needs, risks, and challenges. The session can then shift to determining who among that group should have an active seat at the table, based on specific business needs. The collaboration workshop should end with consensus on the key areas of focus, and up to three people—ideally stakeholders who represent the legal department, IT, and security and business leadership—selected to lead and approve the program. Once the program has been approved, the broader team can be reengaged to help socialize it with the rest of the organization and make it operational.
The intersection of data privacy regulation with information security provides corporations with a prime opportunity to strengthen their data management and security defenses. Stakeholders can work hand in hand to protect against insider and external threats and reduce the risk of data loss while simultaneously improving data protection and streamlining processes.
Taking these steps removes some complexity and risk from a corporation’s data universe. And doing so proactively, before the organization finds itself the subject of negative news headlines or unwanted regulator attention, will pave the way for a long-term culture and reputation of trust.
T. Sean Kelly is a Senior Director at FTI Consulting and is based in Philadelphia. As a senior member of the Information Governance, Privacy & Security practice of FTI Technology, Kelly leverages more than a decade of experience to advise clients on all aspects of information lifecycle management.