There is no ‘one-size-fits-all’ when it comes to compliance. Each regulation has a different focus, with different rules aligned to its individual purpose, sometimes with conflicting requirements. For example, financial institutions must comply with anti-money laundering (AML) and fraud regulations involving strict controls on transaction reporting. Yet AML compliance must also be in line with GDPR, which focuses on the capture, use, securing and discarding of customer personal data.
However, the ultimate purpose of these regulations is not to increase workload, but to assure that data is reported accurately, to protect it from inappropriate use and to identify possible illegal activities. Unfortunately, many companies first find out that they are not adequately managing and/or protecting their data not through a visit from the regulators, but when they experience a data breach.
The impact of a data leak
Under GDPR, companies now have only 72 hours to report the event to the affected individuals (they must report to supervisory authorities as soon as they know a breach has occurred). This three-day turnaround means businesses must be much more on the ball in terms of knowledge of their data inventory and security systems.
Between 2013 and 2014, almost three billion Yahoo user accounts were affected in a hacking attack, making it the largest data breach in history[1], and yet it took over two years for Yahoo to report it. Not only did the breach harm Yahoo’s reputation, it cost real money. They faced a $23 million fine by the SEC, and the incident also threatened Yahoo’s acquisition by Verizon, who cut the deal by $350 million.
While Yahoo’s data breach was caused by security flaws, the Facebook/Cambridge Analytica scandal shows the potential damage when the use of data cascades out of control. It involved the unauthorised use of personally identifiable information of up to 87 million Facebook users. While the data was harvested through permissions given to a third-party quiz, questions were raised about how the data was provided to Cambridge Analytica and what rights they had to use it.
Facebook’s share price dropped 8.5% and, more importantly, polls showed a 66% drop in consumer confidence in Mark Zuckerberg who was subjected to US Congressional and EU scrutiny. Just 28% of the Facebook users surveyed after Zuckerberg’s testimony believed the company is committed to privacy, down from a high of 79% just last year[2].
The lesson is that the entire extended data supply chain must be carefully managed. An organisation must know the location of the data, whether it has the right to use it, afford the requisite level of protection, be immediately aware when it has been breached and know the population of individuals affected. The institution must also know where its data goes and track it to ensure it is not subjected to improper or disallowed use. If an organisation fails to manage its data along this complete journey, the regulators will be the least of its worries.
Fines are, after all, typically a one-time event, and a successful company can often quickly recover from the financial setback. Reputational damage is different: it has significant public exposure, and when customers lose their trust in a brand the company is hurt financially in the long run, not just directly through loss of business, but also through a drop in market value.
Technology is not only helpful; it is essential to achieving and maintaining compliance. Automated discovery and data lineage create and maintain transparency into processes and the data being managed. Reporting supports an “audit ready” position so supervisory authority inquiries can be answered without a fire drill, while data intelligence change detection prevents new problems from sneaking in.
A data catalog ensures that any user can easily access data as needed. A software-driven or intelligent data catalog can locate even the most complex data, ready for analysis and decision making. This will enable users to spot personal information amongst new data and a data lineage version comparison alerts them to changes in how that personal data is handled.
What data a company chooses to collect, store and discard very much depends on the sector in which it operates. However, there are some steps that almost any company can take, such as capturing only information directly related to its product or service and keeping it in a limited number of databases.
When it comes specifically to storing sensitive data, simple actions like avoiding generic passwords and applying guardrails are crucial.
Technology solutions such as Data Intelligence can go a long way to providing peace of mind here. Intelligent Data Analysers examine data and metadata to promote comprehensive understanding, including detailed automated data lineage for insight at a deeper level. Out-of-the-box reports assist with GDPR compliance, offering a GDPR inventory dashboard and a set of reports summarising Privacy Impact Assessments (PIAs).
These reports, together with process maps that show how protected data moves through the organisation, are critical to data security and compliance. They can show where data is vulnerable and whether and how it moves to outside processors or outside protected areas. The company will also need to record that protections are in place through model agreements and binding corporate policies.
Today’s reliance on data to fuel predictive analytics means businesses believe there is value in keeping data lakes for future business goals. However, they need to become better at discarding what is not necessary and GDPR helps by being very specific about when information is supposed to be deleted.
Nothing can provide total protection against data leaks. The only answer is to do everything possible to reduce the risk, and then ensure there are ways to prove the measures taken and fend off the worst effects. This way both financial penalties and reputational damage can be minimised and contained.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.