Although the misuse and loss of both corporate and personal data can expose even the most reputable firms to significant legal, regulatory and reputation risks, for years, information privacy in the U.S. has been protected only through an amalgam of narrowly targeted rules governing specific sectors. Although many countries have passed recent legislation to protect data privacy, the American legal system has relied mostly on self-regulation (and oftentimes litigation) to address breaches in data privacy and security - mostly after the fact. However, new data privacy statutes are increasingly being discussed by state and federal legislators across the U.S. If enacted into law, these regulations will have direct impact on a company's data governance policies.
In some industry sectors, data privacy laws have already taken hold. For instance, the health care industry is required to comply with the The Health Insurance Portability and Accountability Act (HIPAA), which governs how health care organizations handle and distribute information on a patient's medical history. In addition, the financial services industry continues to wrestle with the Gramm-Leach-Bliley Act of 1999, which requires affected companies to comply with privacy policies that govern how information can be disseminated within and between banks and brokerages. Lawmakers are paying increased attention to the Personal Information Protection Act, which was recently signed into law in Japan. It will come as no surprise if this is used as a template for future legislation in the U.S. and other countries.
Many senior managers from all business segments still need to better understand the opportunities for improvement in existing corporate data privacy and security practices. This often means taking a more strategic role in championing firm-wide data governance, iteratively verifying that these policies are continually and effectively enforced and in adherence with relevant legal, contractual and regulation requirements. A good data governance policy will enumerate specific business use cases for all categorizations of corporate data access and usage. Such cases will help formulate a unified and well-defined collection of standards that support regular monitoring and auditing. A robust data privacy/security policy will be comprised of many functional components and address the following:
- Access control: Business use of data must be balanced with timely distribution so that access to all information can be managed properly through authentication and entitlement controls, without sacrificing data quality, integrity and completeness.
- Risk assessment: The business value of all information must be benchmarked, along with existing risks to this information.
- Monitoring: All activity on company networks and systems must be cogently monitored, logged and audited for unusual patterns.
- Accountability: Sufficient logs of all network activity must be kept by monitoring processes so that both processes and individuals can be accountable for their actions.
- Incident and exception handling: A chain of command must be put in place for tracking, reporting and responding to security breaches/violations, equipment loss and occurrences of noncompliance with data governance precepts.
- Customer transparency: Customers must be aware of how their data is being protected or exposed to tracking technologies such as cookies or Web beacons.
- Education: All users of enterprise data must be educated with respect to good data security practices. Especially important is a full understanding of company Internet usage policies.
- Dispensation: Occasionally there will be a business requirement for the use of nonsupported firm hardware devices. Such an exception means that the advantages of such use must be greater than the risks of usage.
- Data profiling: It is often prudent to assign various classifications (such as public, confidential or highly confidential) to various strategic sets and collections of data.
- Mobile and remote computing controls: Activity conducted on corporate mobile devices must be tightly controlled. Such devices must also be physically secured at all times, especially when off company premises. Careful attention should be paid to firm-approved authentication mechanisms such as token cards or smart cards. If any mobile or remote communications device that contains (or has access to) firm information resources is lost, stolen or suspected to have been tampered with, management must be informed immediately.
- Architectural best practices: All entry points to company networks should be secured by up-to-date access control gateways with multiple and layered security control points. Intrusion detection systems (IDS) will eliminate single points of (protective) failure, making security breaches less probable.
- Consistency of coverage: Appropriate quality and security controls must be consistently implemented on all business processes and data distributed outside company boundaries.
A cross-company data security policy will help promote the security and privacy protection of all enterprise data. Good data security is part of good IT governance and consequently rolls up to sound corporate governance. Your firm's objective should be to transform data governance from a circus of yearly audits to real-time change-driven processes that will enable you to assess and manage risks in parallel across all business segments and ensure compliance with the regulatory laws of the land.
Register or login for access to this item and much more
All Information Management content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access