By now, you know that October is Cyber Security Awareness Month in the US and across the European Union. We know many SecurityStreet readers work in information security and are already “aware” - so this year we're equipping you for executive tier cyber security discussions. We kicked this off last week with a piece on why security matters now.
This post focuses on duty of custodianship, and in the coming weeks we will be posting on building security into the corporate culture through policies and user education; how organizations can make security into a strength and advantage; and crisis communications and response.
For this week’s topic, we’re discussing data custodianship.
When choosing to keep data, we take on a legal and custodial responsibility, because we do not own that data. As a result, keeping data introduces an element of liability for your business, and protecting it is expensive and complex. Inventorying and eliminating regulatory data reduces liability, saving time and money.
Imagine hiring a babysitter for the first time, and they show up five minutes before you are scheduled to leave the house. No prior communication, no advance information requested – and now you’re worried you’re going to be late.
“Hey there, I’m here – have a good time tonight!” the sitter says, walking in the door and sitting down on the couch.
That’s it!? “Do you care to know the number, ages and names of our children? Whether there are any special needs, medical issues, habits, dietary restrictions, bed times, or when they last ate? Do you need to know when we are coming home, or how much we are paying?”
There is a very clear difference between the concerns and interests of a parent and this babysitter; those differences nicely illustrate the decisions companies make unintentionally when handling sensitive and regulatory data. Unlike babysitters, enterprises have the luxury of choosing what responsibility they inherit. As corporate decision makers, we have the option of not storing data.
The holy trinity of misunderstood data is PCI, PHI, and PII.
- PCI is information relating to the Payment Card Industry – think of credit and debit cards.
- PHI is Protected Health Information, as defined by the Health Insurance Portability and Accountability Act (HIPAA).
- PII is Personally Identifiable Information – also under HIPAA.
Put differently: companies are hesitant to destroy data, but retaining certain kinds of data requires expensive protection in the face of very real liability. More often than not, the very expensive decision to retain regulatory data is made without knowing what is at stake, often at a business level unacquainted with the associated costs and risks.
The current pervasive thinking is that gathering data creates “business intelligence,” which enables the business to operate more effectively and build new or stronger lines of revenue. Unfortunately, this data also attracts criminals who know they can turn a healthy profit selling stolen information on the black market. Defending against these attackers is time-consuming, expensive, and extremely challenging.
Attackers cannot steal data you don’t have, so eliminating specific data sets can massively lower your liability and reduce your expense.
A solid business case review makes sense. Some data must be stored for a period of time. Some abstracted data can provide business and market intelligence. Custodianship drives us to make informed decisions and to be deliberate about the investment required to protect data the company does not own.
By choosing to retain this data, we choose to retain risk and liability; your company will be held accountable for its success or failure in safely caring for it.
Keep only what you really need. Make sure whatever you need to run your business is vigorously protected.
And we strongly urge you to look into what liability protection you have around security threats. You may think you’re covered and actually find that you are not.