by Jim Barkdoll, CEO of Titus
In recent weeks, the Federal Trade Commission (FTC) expanded its probe into the privacy practices of tech giants to include internet service providers (ISPs) AT&T, Verizon, Comcast, and T-Mobile.
This move broadens the national conversation around information handling and data security in the United States and raises the stakes for organizations across all industries. And while the conversation currently centers on ISPs, make no mistake – every business should now be working to strengthen their data security strategy.
Until the FTC probes, many people hadn’t realized just how much data is bought and sold between large businesses—information such as real estate data, buying trends, healthcare information, and much more. In fact, there is an entire industry of marketing companies built on how much data they can obtain and then sell.
Once personal data moves beyond the organization that originally acquired it—and to which the person willingly supplied it—consumers can no longer track it. They no longer know what organizations have it and have no way of knowing how their PII is being used or whether policies are in place to continue protecting it.
Consider what we learned about Facebook having released user passwords stored in plain text in an unprotected Excel file. This should have set off alarm bells in all corners of the country. Every company has this sort of sensitive information residing on servers, on desktops, and on tablets. Often, it’s inadvertently—or intentionally—sent in an email to wide distribution lists and uploaded to random cloud repositories.
This begs a few questions. What other documents containing personally identifiable information (PII) do most companies have? Are they being protected? Do the powers that be at these companies even know where these documents are stored?
A Global Privacy Movement
GDPR sparked a global conversation around data security and information handling and has been perhaps the most significant driver of security compliance worldwide. While organizations are challenged to understand and comply with the regulations, GDPR enforcement has triggered several other regions (including two of the world’s most populous countries – Brazil and India) to begin their own privacy regulation initiatives. The FTC inquiries could be seen as a good step in this direction in the United States.
It’s critical that concerns move out of the conversation phase into actual protection of information so it can’t be hacked, re-used, divvied up, and sold. Many organizations did rush to put privacy statements in place before GDPR enforcement began. That’s great.
However, the downside is that people must frequently agree to crazy “privacy” terms to continue engaging with some businesses or using their websites. In their privacy terms, these companies say they will protect our data. But as we’ve seen with Facebook, it’s not clear what steps they’re taking to do this or whether these steps are sufficient.
Moreover, in some privacy statements, they spell out clearly that they will indeed make our personal information available to marketers. If we opt out, we can no longer participate in whatever it is they are offering.
We’ve known that the risks of poor data handling are numerous—costs associated with retrofitting an infrastructure that has been breached, making reparations to people whose data was compromised, legal fees and, of course, significant brand damage. But now, there is the possibility of also being scrutinized and held accountable by the FTC, which takes things to another level entirely.
How can organizations ensure that they are up-to-date on the best practices for identifying and protecting sensitive data?
While many countries have implemented national data regulations, the U.S. has yet to do so (and may never get to that point). On the other hand, the latest round of FTC probes could be the first step in that direction.
The California Consumer Privacy Act (CCPA) is another good step but not comprehensive enough. Other states may follow suit with their own regulations. Without clear guidelines to follow, however, organizations must take on self-regulation to ensure the safety of their customers’ information as well as their own critical business data.
Five Steps Forward from the FTC Probe
A solid cybersecurity plan is table stakes—every organization must get on board at this point. The FTC scrutiny is only likely to broaden into other industries. Here are five ways that organizations can begin to manage their data to create a foundation of protection and security.
Properly Identify Data as It Is Generated
As people generate data they need be able to categorize and apply sensitivity to those data categories as is applicable.
For example, does the document or email contain HR data or health information? According to your policies, does that mean the data can only be shared with certain individuals inside and even outside your organization? Combining data categories and sensitivity organizations can bring context to data protection and build effective policies.
Consider a Holistic Data Strategy
Regulations do not discriminate between data types. To put a holistic plan in place, your organization must consider a strategy for all data types, whether it is data sitting in fields in a database or data generated by humans as text in emails and documents. A holistic strategy is a must, as it puts in place steps across a program to address all data types over time.
Have Hands-On Digital Policy Managers
A person or a group of people within the organization must take responsibility for implementing data security policies. That should include overseeing policy creation by working with business leaders and department stakeholders to understand what data each area of the business generates and how it should be treated.
It is integral to custom data categories unique to the business to implement the appropriate digital tools to facilitate policy adherence. They also must educate users across the organization and revisit company data handling policies on a regular basis. As the business evolves, new data requirements will emerge.
Ensure All Data Security Tools Work Seamlessly Together
Rather than complicate data management and protection with another independently running tool, organizations should consider data categorization solutions that integrate with their existing security tools such as data loss prevention (DLP) technologies, cloud access security brokers (CASB) and enterprise digital rights management (EDRM) tools.
Explore Machine Learning to Simplify Data Handling
Training machine learning algorithms to help users identify data within their day-to-day workflow is one way to ensure adherence to data security policies.
Revisiting the policies and retraining the algorithms is an ongoing job that will help make the data categorization tools more effective. As the tools become smarter and smarter, certain aspects of policy management can be automated. But human oversight will always be important for context setting and deeper understanding of unique data types.
Ultimately, businesses must be able to identify sensitive information across their enterprise—at creation and at rest. They need to encrypt and protect that information when it is in motion, whether it’s being emailed or uploaded to a cloud repository. And they need to apply identity and access technologies to ensure that all of their data is being shared with the appropriate people.
By getting ahead of the game and implementing a foundation of data security policies that include identification and categorization for better information handling, organizations can ensure they will be ready to meet any regulations—or FTC inquiries—that may be coming down the pipeline.
Thanks to Jim Barkdoll, CEO of Titus, for his unique perspective and article!
- More Expert Commentary and Coverage of the GetHealth Exposure - September 14, 2021
- GetHealth Platform Misconfiguration Exposes 61 Million Fitness-Tracking Records - September 13, 2021
- Panther Labs Releases State of SIEM 2021 Report - September 13, 2021