The more things change, the more they stay the same. As compliance matures as an industry, we sometimes forget the foundational best practices that our programs are built upon. Every last Friday of the month, we revisit some of our most educational posts from the past. We think you’ll find they are just as relevant today.
Originally published October 2017
You’ve just been sued. Your first thought might not be about data, but your second or third one should be.
Information is the lifeblood of the modern corporation, but it can also be its Achilles’ heel. Terabytes of business-critical data can turn into potentially incriminating evidence when scattered across thousands of connected devices, and that can cripple an organization that gets dragged into a high-stakes lawsuit or government investigation. That’s why key departments and positions within your organization need to know where critical data is at all times, and the specific pathways to retrieve that data on demand. This archival and retrieval process should also be well documented, so that in the unfortunate case where data is missing (deleted under a retention schedule, for example), you have a defensible explanation for why it cannot be produced.
The stakes are higher than ever and the playing field gets bigger each day. There were an estimated half-billion internet-connected devices joining global networks last year and today employees are communicating through everything from the corporate email system to Snapchat. Throw in the explosion of Internet of Things (IoT) devices, each creating its own little evidence trail, and you need a comprehensive data strategy five minutes ago.
Start With a Data Threat List
First, make the problem manageable. Start by identifying your top three worries. For a manufacturer, this list might include data that could wind up appearing in a product liability lawsuit. For an internet startup, it might concentrate on human resources. Whatever your worries are, rank them in priority based on the potential damage they can do to your organization.
Next, based on your level of concern, start examining where the critical data is generated and stored. What information are you creating, and for what purpose? How about vendors and outside contractors?
In answering each of these questions, keep in mind the elements below:
- BYOD (Bring Your Own Device): Your organization, like many others, has probably allowed personal devices onto the network to increase end-user productivity. The associated risks must be identified, and enough information gathered about the devices and what they hold, to understand and manage them. Those risks range from the loss of corporate data on a lost or stolen phone to local employment laws that come into play when employees extend their work days by answering email on their own devices after hours. Other policies and procedures to consider are your IT security and privacy policies, communication to employees about proper (and improper) BYOD use, what data may be stored on a personal device, and protocols for the physical security of the devices.
- Hoarding: Some people save a copy of everything “just in case.” It may seem like a good idea at the time, but it can be disastrous later when you have to tell the judge, “Your Honor, I know we said we couldn’t find any records relevant to your order, but it turns out an employee had them …” You can guess the rest. If you have data, you need to know about it. And if you don’t have data, you need to be certain of that. Further, you need an established data retention policy that you communicate broadly and enforce rigorously.
- Outside Vendors: Your supply chain is also your data chain. Compliance with your data retention and security policies needs to be written into every vendor and contractor agreement.
- IoT: We touched on this above. It is very likely your systems are collecting data from a variety of connected devices. To get a handle on it, first inventory each device and ask the same questions: What data is it recording? Why? Where does that data reside? When is it destroyed?
- Foreign Jurisdictions: This is becoming a serious headache for data minders, especially with the General Data Protection Regulation (GDPR), which threatens fines of up to 4 percent of annual global turnover (or €20 million, whichever is higher) for mishandling the personal data of individuals in the EU, from personnel records to retail purchase histories, and which applies to organizations wherever they do business.
Contain the Problem with Your Compliance Ecosystem
If you have a well-designed compliance ecosystem, including a data retention policy that is monitored and enforced and regular reports to the board of directors, you can get a handle on these proliferating threats. And in the U.S., at least, judges and regulators are far more likely to cut you some slack when the almost inevitable mistake occurs and stray information evades the first sweep of a subpoena duces tecum (a subpoena for documents, in plain English).
It’s impossible to quarantine every stray bit of data, but you can approach the problem intelligently and with the same thoroughness you apply to other business issues like physical security. At a recent conference on this topic someone noted: “I don’t know of any company that said ‘Wow, I’m glad I kept all that information.’” That’s the attitude you need to have toward corporate data. It’s vital to running your business, but in the wrong hands, it can be a vital tool for a raid on your assets.