2015 provided a lot of food for thought when it came to data protection, with data breaches making the news almost every week. Among them was the United States Office of Personnel Management's announcement that more than 21 million people were affected by its breach.
At the same time, the Ponemon Institute’s 10th annual survey on “The Cost of a Data Breach” found that the average consolidated total cost of a data breach is now $3.5 million — a 15 percent increase from last year. The study also reported that the cost incurred for each lost or stolen record containing sensitive and confidential information increased six percent from a consolidated average of $145 to $154.
With breaches happening more frequently and the cost of these breaches rising, companies can no longer take a “wait and see” approach for their privacy and data protection.
So where should you start with data privacy? I am hard pressed to think of just one thing. So as I've done every year for the past few years, I'll share some advice on how organizations can improve their privacy and data protection programs in the year ahead. My advice for 2016 is a mix of common sense and some very specific operational steps that you should consider putting in place sooner rather than later.
10. Understand the New European General Data Protection Regulation
Even if you are not specifically doing business in the European Union (EU), the broad territorial scope of the regulation means that websites and cloud services run by US-based companies may be subject to it whenever they offer goods or services to individuals in the EU or monitor their behaviour (for example, by tracking EU visitors), regardless of where the company or its servers are located. This is a significant change from the current law, which most courts generally agree only reaches companies with an establishment in a particular member state.
The regulation imposes significantly greater fines for non-compliance than the current directive (the draft discussed here capped them at two percent of annual global revenue; the text adopted in 2016 raised the upper tier to four percent of annual global turnover or 20 million euros, whichever is higher), and requires privacy impact assessments, inventories and data mapping of personal information across business systems, mandatory appointment of a Data Protection Officer for many organizations, and documented evidence that you are doing all of these things.
9. Perform Privacy Impact Assessments
Privacy impact assessments (PIAs) provide a good foundation for assessing the initial and ongoing risk of systems and of the data flows within them. PIAs will soon be mandated as part of the European General Data Protection Regulation, which calls them data protection impact assessments and requires them for processing that is likely to result in a high risk to individuals.
8. Think Privacy and Security by Design
Anyone who has been a part of designing a home or building understands that it is always better to get your plans right from the start. By implementing a standardized and repeatable data protection process with your colleagues in IT and the business as a project begins, you will be able to provide advice, guidance and review at every step of the process.
Consider using automation so colleagues can request a privacy impact assessment of the systems they are planning to build and deploy. Your involvement early on will save them from having to make last-minute design changes or decisions with the clock ticking.
7. Know Your Business
Take the time to understand what kinds of data your business handles and uses, as well as how your coworkers are using internal systems in their daily tasks. This will help you understand why and how they need to handle this protected data in the course of their daily work.
The time you invest in understanding their requirements will pay off in spades — helping you craft solutions that meet their needs and your requirements.
6. Know Your Data
Many companies worry about "dark data": data that is scattered across enterprise systems (file shares, SharePoint, social systems, and other enterprise collaboration systems and networks) and whose contents, owners and sensitivity are not properly understood. Discovering what this data is and where it lives, and then classifying it, will allow you to put the appropriate levels of protection in place.
5. Set Enforceable Policies
Your General Counsel’s office and compliance team are tasked with understanding your statutory and regulatory obligations, as well as helping your business to comply with these requirements. But make sure that any policies you set internally can be measured, monitored and enforced. Making broad statements such as, “We do not allow personally identifiable information (PII) in SharePoint,” without the ability to enforce it or measure its effectiveness is not a sound data protection strategy.
4. Help End Users Do the Right Thing
Fifty-one percent of respondents to a recent AIIM survey reported having a data-related incident in the past 12 months. Staff negligence or bad practice was the most frequent cause of data loss for these organizations.
Create sensible policies, rules and IT controls that make it easier for end users to do their jobs effectively with the systems and controls that you want them to use. At the end of the day, your employees will do what they need to do to get their job done. Help them by making it simple to use the systems you can control.
3. Get Ready for the Cloud
Most organizations will move some data to the cloud — whether it’s intentional or not. For instance, many employees are already storing and sharing business content in personal cloud applications, like Dropbox or Box. They typically use these due to ease-of-use and access — leaving IT administrators and security officers with little control over how the information is managed.
Before moving to the cloud, understand the data that you hold. Only then can you begin to take a risk-based approach to storing it appropriately.
2. Hire a Chief Privacy Officer or Data Protection Officer
Regardless of whether or not having a privacy officer is mandated by law, you should hire one. Data breach incidents and the cost of those events will only continue to rise, as we saw in 2015. This person is responsible for helping your company make informed decisions about risk and reward, as well as what you should do with data versus what you can do with it.
1. Ask Not for Whom the Bell Tolls
It is no longer good enough to wait or to think that a data breach will happen to someone else — limit the chances of it happening to your company. And if it happens to you, be prepared to respond quickly and mitigate the damages.
Every item on this list will help you be better prepared for another year of extensive and expensive data breaches. Don't wait for things to go wrong to get your senior management interested. Get them to the table early and keep them involved.