A recent article in the Boston Globe titled "Tougher Consumer Data Rule Adopted: Businesses Must Improve Safeguards" described how state regulators released new rules ordering businesses to better safeguard consumers' personal information.[1] This got me thinking about the often-overlooked relationship between master data management (MDM), data governance and data security.
Companies that don't have MDM capabilities yet usually don't have a data governance organization either. But it's a critical best practice to implement MDM technology in concert with developing a data governance organization (if one is not already in place).
In fact, I argued in my blog that successful MDM programs are probably better described as successful data governance programs that implemented MDM as part of their overall strategy. So a governance-centric approach to MDM allows you to build in the proper attention to data security. However, there are two fundamental challenges:
- Intentional problems - for example, a poorly designed system that allows a disgruntled employee (or an outside hacker) to directly compromise the security of customer data in your MDM hub.
- Unintentional problems - even if your MDM environment is well designed in terms of data security, it may indirectly enable something like the innocent downloading of customer data to a laptop, which can then be lost or stolen.
The new Massachusetts regulations come on the heels of a series of embarrassing breaches:
- Retailer TJX: at least 45.7 million cards exposed
- Supermarket company Hannaford: potentially exposed 4.2 million credit and debit cards
- Mortgage company Countrywide Financial: more than 45,000 Massachusetts consumers affected
- Bank of New York Mellon: personal information from more than 400,000 Massachusetts residents[2]
The new regulations require companies that handle personal information, such as credit card accounts and Social Security numbers, to encrypt data stored on laptops, monitor employee access to data and take other steps to protect customer information, beginning January 1, 2009. Massachusetts Governor Deval Patrick also signed an executive order requiring state agencies to take similar measures.
In my own work, I've been entrusted with the customer databases of several Fortune 500 companies. The protections my firm employs include using fingerprint readers to control logging onto our laptops and PCs as well as military-grade encryption of all data on our hard drives.
When evaluating MDM vendors' offerings, ask the hard questions about how their products secure your enterprise's master data:
- Does it allow information to be downloaded to users' hard drives?
- How is it protected at the operating system and database level?
- Does the vendor offer encryption, at least for critical data like Social Security numbers and credit card numbers?
Once your data governance organization starts getting organized, designate one member of your governance council as the data security guru. There are a large number of government regulations with which you'll have to comply.