A recent article in the Boston Globe titled Tougher Consumer Data Rule Adopted: Businesses Must Improve Safeguards, described how state regulators released new rules ordering businesses to better safeguard consumers' personal information.1 This got me thinking about the often-overlooked relationship between master data management (MDM), data governance and data security.
Companies that dont have MDM capabilities yet usually dont have a data governance organization either. But its a critical best practice to implement MDM technology in concert with developing a data governance organization (if not already in place).
In fact, I argued in my blog that successful MDM programs are probably better described as successful data governance programs that implemented MDM as part of their overall strategy. So a governance-centric approach to MDM allows you to build in the proper attention to data security. However, there are two fundamental challenges:
- Problems caused by someones intention - i.e., a poorly designed system that allows a disgruntled employee (or an outside hacker) to directly compromise the security of customer data in your MDM hub.
- Unintentional problems - even if your MDM environment is well designed in terms of data security, it may indirectly enable something like innocent downloading of customer data to a laptop, which can then be lost or stolen.
The new Massachusetts regulations come on the heels of a series of embarrassing breaches:
- Retailer TJX: at least 45.7 million cards exposed,
- Supermarket company Hannaford: potentially exposed 4.2 million credit and debit cards,
- Mortgage company Countrywide Financial: more than 45,000 Massachusetts consumers affected and
- Bank of New York Mellon: personal information from more than 400,000 Massachusetts residents.2
The new regulations require companies that handle personal information, such as credit card accounts and Social Security numbers to encrypt data stored on laptops, monitor employee access to data and take other steps to protect customer information, beginning January 1, 2009. Massachusetts Governor Deval Patrick also signed an executive order requiring state agencies to take similar measures.
In my own work, Ive been entrusted with the customer databases of several Fortune 500 companies. The protections my firm employs include using fingerprint readers to control logging onto our laptops and PCs as well as military-grade encryption of all data on our hard drives.
When evaluating MDM vendors offerings, ask the hard questions about how their products secure your enterprises master data:
- Does it allow information to be downloaded to users hard drives?
- How is it protected at the operating system and database level?
- Does the vendor offer encryption, at least for critical data like Social Security numbers and credit card numbers?
Once your data governance organization starts getting organized, designate one member of your governance council as the data security guru. There are a large number of government regulations with which youll have to comply.
For a good list, see Part III, Data Security, Privacy, and Regulatory Compliance, and Appendix C, Regulations and Compliance Rules Impacting Master Data Management and Customer Data Integration Projects in Master Data Management and Customer Data Integration for a Global Enterprise, by Alex Berson and Larry Dubov.
As your data governance organization develops and matures, and as your MDM implementation progresses, schedule periodic data security discussions with stakeholders, business owners, project team members, corporate legal teams, etc. This will help ensure that you dont forget anything important and that you strike the right balance between good security practices and analysis paralysis, where everyone is so paranoid about security breaches that the whole project seems to grind to a halt.
If youre fortunate enough to have an IT person responsible for data security in the enterprise, bring that person in early and get his or her input throughout the project. Your company may never have had one comprehensive source of customer data before (the vaunted single view of the customer), so the IT security person may scratch his or her head at first. But later on, youll be glad you recruited him or her into your efforts.
Another good question to ask your potential MDM vendors during the selection process is does your product track read access to the data? There have been some embarrassing cases.
Fortunately, the principles for developing a secure MDM hub and instilling good security practices in a data governance organization are not new or unique.Good IT and businesspeople are aware of the relevant regulations and are complying with them in other areas. But make sure you reach out to them in your MDM project, or you could be in for a nasty surprise late in your project timeline (or even worse, after your new MDM hub goes live).
1. Todd Wallack. Tougher Consumer Data Rule Adopted: Businesses Must Improve Safeguards . The Boston Globe, September 23, 2008.