Blog | Faruki PLL

Twelve Days of Data Governance

Written by Scot Ganow | December 23, 2016

As we count down the waning days of 2016 and enjoy the holidays with family and friends, it is the perfect time to take account of your business' data practices and how you can improve them in the New Year. As with our own minds and bodies, perhaps you had a significant event that changed the way you do business or maybe threatened your business.  Or, like our waistlines, perhaps your business lost or gained some data this year.  So, here is a quick run-down of 12 things your business might want to consider as you say good bye (or riddance) to 2016 and welcome in 2017.

12.     Take account. You cannot govern what you do not understand.  Look over your data footprint and consider what changed this past year.  You really cannot do this unless you have a broader data governance plan which includes those basic building blocks of data classification and data mapping.  You cannot manage it if it doesn’t have a name and you do not know where it is.

11.     Know thy customer.   Do you know in which states you do business or on whose residents you possess personally identifiably information? Yes, yes, silly question, right?  Well, it takes so little to add customers doing business online and selling products all over the country.  Did you know that if you have a data breach, you may also have reporting obligations in each state in which you have customers?  A proactive step to breach planning (remember, it is WHEN not IF) is understanding the state law requirements governing the breach of personal information.  As I have written about before, the clock is ticking differently in many states.

10.     What did you gain? Did you get into a regulated area, like using consumer reports (FCRA) or maybe collecting protected health information as part of your self-insured health plan (HIPAA)?  Or, perhaps you began doing business in other countries, such as those that are member states in the European Union (EU Data Directive/General Data Protection Regulations), or Canada (PIPEDA).  Data can be easy to acquire but so can the regulatory obligations that come from handling information for just one customer or business.

9.      What did you lose? Did you jettison a business or product line this year?  And with it, did you get rid of data you will no longer need or use?  Did you ensure the appropriate return or destruction of that data?  Sometimes the best security for data is not having it in the first place.  In the end, data you have properly gotten rid of is data that cannot be breached.  Take a moment and not only review such changes, but your policies and procedures on data retention and destruction.

8.      What else did you lose? Also, if you are regulated by HIPAA, and you had a breach of less than 500 individuals in 2016, you have until the end of February to submit your annual report, if you have not already. More generally, if you have had security incidents in 2016, now is the time to do a proper after–action assessment and implement those changes you identified to prevent the same thing from happening again. (You know, those things everyone thought was critical during and after the storm of the breach, but became less of a priority once things calmed down.)

7.      Get stronger in the New Year.  As the calendar flips,  it is time to change access credentials, potentially finally forcing strong passwords across your system.  Better yet, implementing two factor authentication to your systems containing the most sensitive  information through the use of security tokens or other technology. Are biometrics for you? Maybe they are.  You should just take time to consider the risks and benefits.

6.     Bake it in. Cookies and fruit cake are great.  Ok, cookies are great. You should also be baking privacy and security into your new products and services.  In the mad dash to get products to market, don't forget the need to provide configurable options to customers to manage their personal information and provide clear notice of those options.  Build in security at all levels to protect that information. This is hardly a new recommendation, but is a best practice often overlooked. And do it now. Not only is bolting on safeguards after the fact expensive and an operational nightmare, but doing so exposes your company to scrutiny from customers, media and yes, plaintiffs' counsel and regulators.

5.      Think about who's trying to get in. We are not talking about jolly men in red suits and beards.  Rather, one of the most common sense, but often overlooked risk management strategies is thinking about who would want to do your business harm and why?  Are there other companies, even countries or former employees who would have reason to attempt to access your systems or take your sensitive information? Taking time to think about your "enemies" can help you focus and leverage your (often limited) resources on the more likely risks to your business.

4.      Check out those logs. If you don't do it regularly already, check your system logs for irregular activity and things that just don't comply with your normal operating practices. Indeed, after considering the risks and likely bad actors as recommended above, you might have better ideas of where to look. Often, intrusions are not detected until weeks, months, even years after they have occurred (think Yahoo!).  Take some time to look things over.  There may be evidence right in front of you.

3.      Beware the Grinch.  And not all acts showing up in such logs are as ominous as malware or an active hack by an outside threat.  For example, did you have employees exit the company on bad terms?  Were there large data pulls to off-site systems or thumb drives in that time frame before and after their termination?  Logs should be able to tell you. This is also a great reminder about ensuring your HR policies for hiring and terminating employees address timely and appropriate information access permissions being changed and monitored.

2.      Train.  Speaking of employees, training is probably the single thing you do that can have the biggest impact on not only your data governance and general compliance, but in preparing and responding to data breach.  Every year employees tops the list of security risks and sources of breaches. Take this time to prepare and schedule effective training for employees to understand your company's risks and obligations and how it meets those obligations through its policies and procedures.

1.      Train.  Oh yeah, TRAIN!!  No this is not a typo.  I am just trying to make the point how valuable and important this is to your success in collecting, using and sharing sensitive information in 2017.  When I speak with regulators, this is one of the most common failures in companies cited for violations or suffering breach.  It is not enough to have policies and procedures and train your employees once a year.  Sorry, but true.  You need to implement an active awareness program to keep privacy and security a part of their day-to-day operations.  Send out emails announcing new phishing scams and other risks being reported each day (read the news) to keep your employees from letting the bad guys in the door.  (It only takes one of them to open the gates to the kingdom.) Make it fun.  Create games and quizzes on your own policies and procedures, to keep employees engaged and to encourage them to be an active part of your security program.

Like fighting the battle of the bulge and keeping up with New Year's resolutions, data governance can seem never ending.  This is because it is never ending.  So, pace yourself.  Pick off one or two of these items in the next couple of weeks and make a plan for the rest.  As with any goal, success starts with but a few steps at a time. Happy New Year!