Three Ways Data Breaches Are Reshaping Data Governance


If it feels like data breaches are occurring more frequently, it’s because they are. There were 579 reported data breaches in 2014, a 27.5 percent jump from the year prior, research shows. In California alone, 18.5 million of its 38 million residents – close to half – were affected by hackers last year, according to a report by the state’s attorney general.

These numbers aren’t surprising, considering that headlines everywhere trumpet the ordeals of major corporations like Target, Neiman Marcus, Home Depot, Anthem and many more, putting data security front-and-center in the public consciousness.

All of that increased attention can lead to public fatigue, frustration, and mistrust of the corporations with which people share their data. In fact, 35 percent of people say they would stop shopping at a retailer if that company lost their personal information, according to a survey of nearly 2,000 U.S. consumers.

The onus is on businesses to step up security, but how can organizations protect data against a wave of smarter, better organized, highly funded cyber criminals who always appear to be a step ahead of traditional security defenses?

Three Data Governance Realities

Moving forward, organizations will be pressured to demonstrate that they can be trusted to capably handle private information, as well as understand and apply the policies that govern this data. The solution for businesses may be a more proactive and intelligent approach to data governance, which is being driven by three pressing issues that will reshape how businesses collect, protect and maintain personal information.

1. The Push for Data Traceability

With the public increasingly cognizant of the amount of personal data they share with businesses, the organizations that collect this information will need to do a better job of determining how much stored data could be potentially exposed in a breach. Businesses need more context around stored data and a stronger understanding of the type of personal information that is collected and how it is protected.

Metadata analysis enables businesses to take stock and identify which systems interact with what data, where that data is stored, how much of it is personally identifiable data (PID), and more. This can reveal gaps in data security or material risk factors – a crucial capability for businesses that desire proactive breach mitigation.

As an example, consider a major financial services organization using a metadata solution to track the PID it shares with third-party partners. If one of those partners were to have a data breach, the financial services firm would have the tool it needs to identify overlapping risks and quickly inform customers that their data may be compromised. That’s better than playing catch-up.

2. Regulators Cast a Wider Net

Healthcare organizations have long lived under the harsh gaze of federal regulators. Now the sheer pace of data breaches and the wide range of affected verticals – from retail to finance to telecommunications and beyond – have encouraged regulators to scrutinize the data protection strategies of more corporations and industries across the board.

Take the European Union’s “Right to be Forgotten” concept. According to a Google report, the search engine giant has removed nearly 290,000 Web links from its search results in the past 10 months. The removals were an effort to comply with a May 2014 EU court ruling that allows individuals to request certain material be deleted from the Web to protect their privacy.

Lawmakers are also putting direct pressure on businesses to take better care of consumer data. On September 30, 2014, the California legislature signed into law an expansion of its data breach regulations, requiring thousands more businesses that maintain PID to take “reasonable” precautions to secure customer data. Legislators in the state say there is room to tighten these regulations in the future.

Those are just two examples of how businesses of all kinds must now reconsider matters of personal privacy, but there are many others, including the insurance industry’s new Own Risk Solvency Assessments (ORSA) to evaluate insurer risk, and the Federal Trade Commission’s push for increased transparency for data brokers.

3. A Focus on Big Data Ethics

Heightened awareness of data collection has spurred consumer discomfort with how much companies actually know about them, calling into question whether it is ethical for organizations to collect personal data and use it for commercial gain.

Target, for example, earned public scorn in 2012 when, based on an analysis of recent purchases, it was able to infer that a high school-aged customer was pregnant – and send her coupons for baby clothes – before her own father even knew.

Facebook has long been criticized for collecting personal data about its users and selling it to advertisers. As a result, an entire social network – Ello – was publicly launched last year under the premise that it was the anti-Facebook, promising never to collect or sell users’ personal information. This demonstrates how critical data privacy has become to the common consumer.

The ethics of data collection are moving to the forefront of public discourse, and regulators and businesses are responding. Again there is the example of the FTC regulating data brokers, who reportedly collect information on consumers’ personal interests, health and politics to sell to advertisers. Additionally, organizations such as the Information Accountability Foundation are leading discussions about big data governance and accountability in light of public concern.

Data is at the Center of the Conversation

Data breaches aren’t likely to recede as a pressing consumer issue any time soon, and the consequences for those who fail to protect private information will remain significant. However, the spotlight is squarely on businesses and how effectively they can govern, collect, protect and maintain sensitive corporate data. The pressure to keep data safe will likely encourage many more businesses to get to the root of the issue – how they govern data – to seek a better solution. If you don’t have a formal program in place, now is the time to get one started.


