Strong security defense starts with prioritizing, limiting data collection
Dow Jones, parent of The Wall Street Journal, is among the latest companies to expose highly sensitive data, including the identities of global government officials, politicians and political influencers, on the public cloud. This high-profile breach was alarming for many reasons, the largest of which is that the authorized third party responsible for instigating the breach shouldn’t have had direct access to the 2.4 million records that were unnecessarily stored in a centralized database.
Companies that require access to, or answers from, sensitive personal data have a responsibility to install strict access controls. Leveraging technology that can carefully limit corporate access to the individual records that an authorized party needs ensures that information never has to be stored all in one place.
Organizations such as Dow Jones that store and manage large volumes of data in a centralized database are presented with an inherent vulnerability, putting the company at risk when a breach of this magnitude occurs.
As cybercrime, user fraud and other security threats become more prevalent and detrimental, the ability to confidently know who you’re dealing with online has become ubiquitous. What most companies tend to overlook, however, is the responsibility and liability that they automatically assume when they collect and store personal data in order to validate their constituents. As a result, some businesses hold large volumes of personal data because they believe it’s necessary for comprehensive identity and credential verification, but this practice can be risky, especially for companies with weak or limited data protection protocols in place.
Data breaches have costly repercussions, including loss of customers, compromised intellectual property, loss of brand trust and, of course, the meaningful revenue declines that result. Regulatory penalties, however, can be the most expensive consequence of all.
For example, violating GDPR’s strict rules around data privacy can warrant fines of up to €20M, or 4 percent of the worldwide annual revenue of a company. The introduction of this EU law in May 2018 prompted some U.S. states to develop their own individual data privacy regulations, such as the California Consumer Privacy Act and the Colorado Consumer Protection Act.
More recently, the House and Senate held hearings to initiate U.S. federal privacy legislation, which will likely impose fines on American companies without adequate personal data protection processes in place.
While it’s unrealistic for businesses to operate without personal data, it’s also critical to have a healthy internal dialogue about how an organization manages the data it actually needs, as well as how it collects and holds that data, in order to identify and implement appropriate security measures. Every organization is ultimately responsible for choosing if and how it handles personal data, but it needs to consider ways to minimize its data requirements without sacrificing the ability to verify users, because the threat of cyber attacks isn’t going away.
Establishing Privacy by Design and Data Minimization policies from the beginning (or as soon as possible) helps organizations identify vulnerabilities before they fall victim to massive data breaches. Prioritizing such data management practices tends to be less costly and frustrating than navigating post-breach damage control.
Organizations can start by evaluating what data they need, how they collect, transfer and store that data, and then conduct a cost/benefits analysis to determine which risks (and how much) they’re willing to assume.
Ultimately, an organization’s best and most realistic approach to data security is to use (or act on) only the data that is absolutely necessary to meet its business goals.
Organizations should follow these four guidelines as they consider their approach to data security:
- Execute thoughtful data protection and security processes
- Question the collection of data that’s invaluable or potentially risky
- Balance the value of the data with the potential liability of holding it
- Understand that when it comes to personal data, less is more
Technology exists to help businesses get the verified personal data they need without having to hold or manage personal information in one place. Any centralized database that holds personal data will certainly be vulnerable to a breach, and the only way to prevent this is to find a streamlined solution that enables businesses to access the data they need to operate without requiring them to be responsible for holding and protecting that data within their infrastructure.