FORUM: Data management and compliance issues
August 2014 | SPECIAL REPORT: TECHNOLOGY IN BUSINESS
Financier Worldwide Magazine
FW moderates a discussion on data management and compliance issues between Michael Bruemmer at Experian Data Breach Resolution, Harriet Pearson at Hogan Lovells, Christian Toon at Iron Mountain Incorporated, and Stuart D. Levi at Skadden, Arps, Slate, Meagher & Flom.
FW: What key trends have shaped the information management and data privacy space over the last 12-18 months?
Bruemmer: We have seen three main trends shaping the information management and data privacy industry over the last year and a half. First, organisations have accepted data breaches are a reality. According to CNN Money, a staggering 432 million US accounts have been accessed through breaches during the last year alone, exposing the personal information of 110 million Americans – nearly half of the nation’s adult population. Second, more businesses are implementing breach response plans to prepare for these security threats. Research from the Ponemon Institute has shown that organisations with a preparedness plan in place can save up to 25 percent in costs in the aftermath of a breach. Finally, more trade organisations and leading companies are recognising the importance of addressing the issue for the good of all in their respective industry. The Retail Industry Leaders Association (RILA) is a great example of this industry collaboration, having recently launched a cybersecurity initiative.
Pearson: I see three separate trends. First, Big Data has come of age. Business leaders across industries are investing resources to glean actionable insights from increasingly large sets of data. Significant new privacy and related policy and legal questions result. Second, in light of the Target and other well-publicised breaches, concerns about the security of digital data and the systems on which such data resides have now firmly taken up residence in corporate boardrooms. The amount of attention being paid by corporate directors and senior management to the legal, reputational and related risks associated with data and IT is unprecedented. And third, the effect of unauthorised revelations by Edward Snowden about the US government’s intelligence gathering activities cannot be overstated. The environment in which American business now operates has shifted, forcing businesses to develop strategies – such as transparency reports – to address questions about governmental access to data held by the private sector.
Toon: Businesses everywhere now operate in an information landscape that is defined by the increasing volume, variety and velocity of information moving through the business, and by a wide range of risks. The 2014 Information Risk Maturity Index from Iron Mountain and PwC suggests that, regardless of size and sector, companies everywhere are struggling to manage information risk and many are not getting sufficient benefit from the information they hold. This trend suggests UK businesses are not using their information to speed up the development and launch of better products and services. The index surveyed senior managers at European and North American businesses with 250 to 2500 employees and a further 600 firms across both continents with up to 100,000 employees, in the legal, financial services, pharmaceutical, energy, insurance and manufacturing and engineering sectors. It revealed that only 18 percent of UK firms use information to increase their speed to market, and just over 12 percent say information has boosted product or service development cycles. Despite regarding information as a business asset, just 35 percent employ data analysts to extract value from their information. The findings of the study at both mid-market and enterprise level also show that, while many have the policies and processes in place in terms of strategy, people, communications and security, the majority have not followed through to implementation and monitoring. Companies know what to do but do not ensure their plans succeed. Too few measure, too few educate and too few communicate. If companies aren’t driving compliance or measuring effectiveness, then they don’t fully understand their exposure to risk, and this makes them vulnerable to data breach and non-compliance.
Levi: Undoubtedly, the key focus for most companies today is cybersecurity. Companies realise that privacy ‘best practices’ include not only good technical security, but sound internal governance as well. This includes involvement of C-suite executives, regular reporting, and – for public companies especially – involvement of the board. In addition, companies are implementing and formalising security training for employees, especially when it comes to the use and handling of personal information. Companies realise that their security policies and procedures are only as strong as the ‘weakest link’ in the chain. All too often, privacy breaches occur because an individual was duped into surrendering their password.
FW: Have there been any recent legal and regulatory developments affecting the way companies store, access and share data in your region?
Pearson: Several noteworthy developments have raised the profile of data-related issues for companies operating in the US, and prompted additional investments of time and resources. Everyone has watched intently the aftermath of the breach affecting Target and its cardholders, which included the launch of lawsuits and investigations and coincided with a senior management change. The challenge by Wyndham Worldwide to the Federal Trade Commission’s authority to regulate data security under section 5 of the Federal Trade Commission (FTC) Act is currently on appeal to the Third Circuit court, but even as that question is deliberated by the courts the practical effect of the FTC’s ongoing efforts to enforce data privacy and security practices continues to drive company attention to data practices. The first-ever enforcement by the FTC against users of the EU-US Safe Harbour has also prompted companies to take a second look at how well their internal practices support their self-certification to the Safe Harbour. The recent European Court of Justice decision in the matter involving the right of an individual to be ‘forgotten’ online has had a significant effect on how web-based businesses in my part of the world in particular think about European jurisdiction over their operations. And the issuance of the National Institute of Standards and Technology (NIST) Cybersecurity Framework is probably the most underappreciated development in the data security and privacy field – the Framework is incredibly well done and instantly became an authoritative resource for companies wanting to confirm that they have appropriately organised their approach to data protection.
Toon: The European Parliament recently voted through amended data protection proposals. These new reforms represent the EU’s first major overhaul of data protection legislation since 1995 and will introduce significant changes to the way personal data can be used. Once approved by the European Council, the 28 member states will have two years to become fully compliant. For many businesses, this will seem a long way off and, therefore, it can be quite tempting to just wait and make any changes when they become a legal requirement, but that, I suggest, would be a mistake. In the wake of the widely-publicised NSA revelations around government snooping, consumers across Europe are likely to welcome the greater personal protection and rights proposed by the new EU reforms as a long-overdue step in the right direction. Many businesses, however, will be challenged by the new obligations that are likely to come their way. The new EU data protection reforms are intended to replace the current patchwork of national laws. Companies would be accountable to a single European supervisory authority, rather than 28, enabling simpler, more cost-efficient business in the EU, the economic benefits of which are estimated at €2.3bn per year. The draft requirements directly address issues such as customer consent and the need to notify regulators of a data breach within 24 hours. Many firms currently invest more resources dealing with the fallout and investigations of data loss, rather than on adequately protecting it in the first place. This needs to change and the reforms are looking to address this. Failure to protect data sufficiently will have serious financial consequences, with the potential for fines in the event of an incident of up to 5 percent of a private sector organisation’s turnover. 
However, financial penalties for data breaches have been in place for some time, and have apparently done little to encourage increased responsibility in the management and protection of sensitive information. Businesses would do well to act now to better protect their information, regardless of the threat of incoming legislation.
Levi: Although there is considerable discussion on a number of fronts in the US, it seems unlikely that new privacy or cybersecurity legislation will be enacted at the federal level. Neither Congress nor the general public is sure what shape such legislation should take. However, we are seeing far more enforcement activity by the Federal Trade Commission and at the state level. I anticipate that trend will continue here in the US. The FTC, in particular, wants to signal to its data privacy counterparts in the EU that the FTC takes this matter seriously and will be vigorous in enforcement. This has not changed the way that companies store, access and share data per se, but it has likely made them more conscious of how they handle data.
Bruemmer: We have heard more talk than seen action in terms of regulatory developments. Although the US now has 47 states with data breach notification laws, Congressional committees have not been able to get traction for a national standard. Currently US agencies like the Office of Civil Rights have been overseeing how healthcare organisations store and share data under the HIPAA-HITECH Act. However, ongoing regulatory discussions, enforcement agencies playing a role, and state laws have affected companies’ behaviour by ultimately encouraging a bigger investment in cybersecurity and data encryption. According to an industry study there has been a steady increase in the deployment of encryption solutions, with 35 percent of organisations employing an enterprise-wide encryption strategy. Encrypting sensitive data will improve an organisation’s security posture and help protect against cyber attacks.
FW: How have global authorities increased their monitoring and enforcement activities with respect to data protection and privacy in recent years? In your experience, is government guidance on combating cyber risk effective?
Levi: The government has shied away from making specific security recommendations. However, documents like the NIST Framework have provided companies with good guidance on how they should think about and approach cybersecurity issues and governance. In addition, parts of the US government, such as the Department of Justice, have stressed to companies that they can share information about cybersecurity attacks and security measures. This is a critical development since information sharing is a key component of cybersecurity protection, and companies were concerned – for antitrust reasons – about doing so. I think we are starting to see a new era of information sharing both within the private sector and between the private and public sectors.
Bruemmer: With more data being stored in the cloud and moving seamlessly across country borders, data breach notification has become a global policy trend. Currently, there are 35 countries with laws or guidelines related to data breach notification and procedures, representing 100 percent growth in the past five years. Currently, the US Federal Government has developed the NIST framework for cybersecurity, which establishes standards and guidelines to promote the protection of critical infrastructure. Furthermore, the FTC, the Securities and Exchange Commission (SEC) and Department of Health and Human Services (HHS) have become more active in their enforcement against companies who do not protect personal information. At this juncture, any guidance is certainly helpful. The key for companies is to have experts, including outside privacy counsel, to help them better navigate these murky legal waters when a breach occurs.
Pearson: International cooperation amongst data regulators is increasing and getting better. The annual global conference of data protection authorities, and work underway among those regulators in between such conferences, has led to the transmittal of ideas – like data breach notification – from the US to other jurisdictions. The fact that the FTC brought a number of Safe Harbour cases recently is also related, I believe, to the ongoing dialogue among regulators about the efficacy of various methods of cross-border data transfer. The approval of the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules program, and the recognition of the US to participate in it, is another milestone in regulatory cooperation. Enforcement agencies are also cooperating more closely than ever on cybersecurity investigations, and that trend will doubtless continue. Cyber risk is a complex issue that in my view cannot be addressed via ‘check the box’ compliance regimes as it is inherently a risk management exercise. Therefore, well-done guidance, such as the NIST Cybersecurity Framework, is an important contribution government working with the private sector can make.
FW: In your opinion, do companies fully understand their duties of confidentiality and data protection in an age of evolving privacy laws? Are boards sufficiently aware of how much personal information their company handles, and the sensitivity of this information?
Toon: I believe businesses should be doing more to scrutinise, mitigate and manage their own information risk supply chain, as part of a Corporate Information Responsibility (CIR) program. Examples of good practice are already in place. In Germany, for example, organisations are already obliged to make a member of staff responsible for data protection and ensure compliance in line with national laws. The biggest challenge for the EU will be to get all countries to match this standard. Meeting new requirements will involve taking stock of current practice and ensuring processes and policies are up to scratch. Waiting until the legislation is passed could be too late for many. For example, processes for identifying and reporting an incident need to be efficient, with the monitoring of data integrity common practice. This has become more complex with the prevalence of social media and mobile devices. Consequently, there is a greater requirement for firms to understand exactly what information they hold in physical and digital formats and where that information resides. Boards must understand a data breach does not just represent a financial risk; it represents a serious threat to brand reputation and customer loyalty. With social media on the rise, bad news travels faster and further than ever. Even the smallest incident could have serious consequences for the future of an organisation if it is found to be at fault. Every organisation should give serious consideration to its role as the responsible custodian of sensitive information. Businesses across Europe would be advised to consider their exposure to information risk and seize the opportunity of the impending regulatory changes to assess whether they have the right processes and policies in place to minimise that exposure.
Bruemmer: In general, companies are aware and understand their responsibilities. But the question is how much a priority it is within the organisation and what resources they place behind being properly prepared. Also, the awareness of how a breach affects a brand’s reputation and expectations by consumers of the company is increasing. Research shows that consumers often discontinue their relationships with a company after a breach, so organisations have now recognised their obligation to better protect customers. The increased publicity around breaches due to ‘mega’ incidents, and the resulting impact on businesses, has certainly also grabbed the attention of executive leadership and boards of directors. But again, the question is whether they fully understand responding to a data breach or security incident is not simply a compliance exercise, but requires a focused effort to plan ahead, respond appropriately and regain the trust of consumers, employees, patients, vendors and shareholders.
Pearson: Board and senior management-level understanding of the value and risk inherent in data is increasing. Boards in particular have increased their oversight of corporate activities, especially in light of the SEC’s increasingly active questioning of public company disclosures about privacy and cybersecurity risk. There is increased demand for directors and counsel who are ‘cyber-literate’, or who can with some training and experience get there.
Levi: Boards are only beginning to get up to speed on this critical issue. Many surveys show that boards know this is a critical issue, but are not yet fully informed. Over the next year, I anticipate that this will change as boards bring in privacy and security experts to educate them; demand reports from company executives; and even designate individuals within the board, or an audit committee, to stay on top of this critical risk issue.
FW: What are the key risks to D&Os arising from data management and compliance issues? In your experience, is there a lack of understanding about regulatory obligations and related liability?
Bruemmer: One of the primary risks is directors and officers relegating cybersecurity to an IT responsibility. They should understand they too are in the hot seat for properly addressing data management and compliance issues. Today, there isn’t necessarily a lack of awareness or understanding about the susceptibility to a data breach or its impact. Certainly, with the widespread media and regulatory attention on data breaches, executives of all levels can’t plead ignorance around the legal requirements to respond to a security incident. Furthermore, more government enforcement groups are educating and working with organisations to have a data breach response plan prepared. However, there is still slow progress in taking action. Findings from the 2013 study, ‘Is Your Company Ready for a Big Data Breach?’ showed that almost 40 percent of companies do not have a response plan even after experiencing a breach.
Pearson: Clearly, every director and officer seeks to discharge their fiduciary responsibilities to their organisation. In my experience, in this dynamic area the hard part is defining what actions are needed to do that – that is a moving target that changes as the threats and technologies evolve, and as the legal and reputational risks are better understood. Even if a board or senior management team has looked at data and security issues 12 or 18 months ago, enough has happened to justify a review and confirmation of the sufficiency of the programs for which they have oversight responsibility.
FW: Outsourcing data management functions can reduce running costs and provide access to cutting-edge equipment. But what are the downsides of allowing third party access to sensitive information?
Pearson: Third-party involvement in almost any type of process is now a facet of modern-day organisations. The important thing to do is control for the risks introduced. The first step is to conduct a realistic risk assessment, asking “What are the worst things that can happen if third parties have access to sensitive data, and how should the organisation mitigate those risks?” Then, take steps to do that, and do not forget that, frequently, the most significant risks come in low-tech forms such as contractors with over-broad access to systems and documents.
Levi: The risk of third-party access to data is generally the same as the overall risk in outsourcing; namely, once you hand over a function to a third party, you lose some aspect of control of that function, thereby exposing you to greater risk. In the area of data security, the more parties that are handling your sensitive information, the greater the risk. In addition, hackers may look at a vendor as a prime target since, if they are able to hack the vendor, they may have access to the data of multiple clients. Imposing stringent cybersecurity guidelines on vendors, and auditing their compliance, is therefore critical.
Bruemmer: In two-thirds of healthcare breaches during the past 24 months, Ponemon Institute research has indicated a third party – or business associate – was involved. So far in 2014, prominent breaches were all the result of third-party security compromises impacting retailers, financial institutions, healthcare providers and consumers. Any organisation, regardless of the industry, needs to enforce the same cybersecurity standards with outsourced vendors as within their own organisations, and include those security requirements in their contracts to ensure they are legally obligated to fix data problems should a breach occur. Furthermore, the requirements for sub-contractors should be audited and enforced on a semi-annual basis, depending on the level of sensitive information an organisation and its third parties handle.
FW: What can companies do to manage internal data privacy risks and threats, such as liabilities arising from lost devices or the actions of rogue employees?
Toon: Business survival relies on successful information management. It has to be a board-level issue because of the risks associated with it, which include reputation, compliance, customer relationships, value and the need to remain competitive. Businesses need to think about three things when managing risks. First, awareness – you need to understand the potential impact, financial and reputational, of not managing information risk and acknowledge that these risks require board-level attention. Second, policy and process – you need to implement a company-wide program to manage information and reduce risk, with leadership coming from the very top. You need to monitor, measure and improve what you put in place. Third and finally, culture change – you need to foster a culture of information responsibility so that your people value company information, understand what is expected of them and are the first line of defence in mitigating information risk.
Levi: For all the sophistication of cyber attacks, all security experts will tell you that the human element is critical and often overlooked. In some cases this is an inadvertent disclosure of a password by an employee not being careful, but in other cases it is a rogue employee. Companies need to be vigilant in this area starting with the hiring process. Companies should also have regular training sessions to create a culture of vigilance, careful monitoring of employee activity, and strong responses when a breach occurs. In addition, companies should have robust policies and procedures in place to limit employee access to areas required for their performance.
Bruemmer: Perhaps not surprisingly, human error is the most common cause in a data breach scenario. In fact, nearly 80 percent of all data breaches have employee negligence as the root cause, according to the Ponemon Institute. To manage internal threats, risk managers should begin by ensuring all employees have a background screening prior to employment or handling sensitive data. Second, every employee within an organisation should go through an annual job-specific privacy and security training session – no exceptions, even in the C-suite. Finally, conducting random background screening after an employee is hired can serve as a best practice.
Pearson: One of the most important things companies can do has nothing to do with technology. Working thoughtfully and strategically to embed a culture of security within one’s organisation can pay dividends for many years and in many ways. The most thoughtful companies I know treat security awareness as a culture and change management initiative, rather than an annual compliance duty.
FW: Do you believe that a strong culture of data protection is developing in your region and, more broadly, across the globe? Are companies beginning to proactively implement appropriate controls and risk management processes?
Levi: A strong corporate culture absolutely is critical. Companies are increasingly on top of this issue, and realise they have no choice. The threat is real and constant, and no company is immune. In addition, the liability risk to companies – both in terms of monetary damages and harm to reputation – can be significant. The Target case is a good example of that. Moreover, employees are slowly beginning to realise that cybersecurity needs to be part of the culture of any firm. Fewer and fewer employees believe that ‘it will never happen here’ or that they would never be the source of a password leak. But, repeated training is key. A client of ours recently implemented a rigorous training program on ‘phishing attacks’ and the way that hackers can try and get your password. About two weeks after the program ended, they had an external security firm launch a fake phishing attack. It was startling how many employees, all of whom had just received training, were deceived. It provided a good lesson on how important it is to drive this point home on a regular basis.
Bruemmer: With a number of recent large high-profile breaches filling our news feeds, and improved regulator involvement combined with a company’s understanding of the significant reputational and financial costs of a data breach, I have seen the evolution of a much stronger culture of data protection in the US. However, it is translating that awareness and understanding into action which is still progressing slowly. Outside the US, there is more awareness of the data protection issue at large, but that has not yet translated into the same level of guidelines or controls that have been implemented domestically. But, with the changing landscape, there should be optimism for the continued growth and maturity in data protection as we look to the future.
Pearson: I see a great deal of evidence that companies are investing resources and attention in data protection and management. Much is still done in response to government regulation and the prospect of litigation, but increasingly I see boards and senior management taking proactive steps to protect their company’s – and their own – reputations while maintaining the ability to realise value from data.
Toon: I believe businesses are beginning to realise the seriousness of the issue. Yet more businesses should be looking to proactively address it. They should consider how they stack up in terms of strategy, communications, people and security. They must move from awareness to putting in place a plan that would work for their business. Driving a response to risk is increasingly important too. The risks are growing and the operational environment is getting more complex. The volume of data which businesses hold is increasing exponentially and the risk of data breaches is increasing. There’s been a lot of discussion but organisations need to look at information across their business. I want to elevate the issue out of the IT manager function and get it onto business leaders’ agenda.
Michael Bruemmer is vice president with the Experian Data Breach Resolution group. He has more than 25 years in the industry, with expertise in identity theft and fraud resolution. Mr Bruemmer currently resides on the Medical Identity Fraud Alliance Steering Committee, Ponemon Responsible Information Management (RIM) Board, and the International Association of Privacy Professionals (IAPP) Advisory Board.
Harriet Pearson is a partner in the Washington, DC office of Hogan Lovells, where her practice focuses on privacy and cybersecurity. She advises companies and boards of directors on legal risk assessments and mitigation strategies; enterprise-wide governance and compliance programs; security and privacy incident responses and remediation; investigations and enforcement; cross-border data transfers; regulatory compliance; and legislative, regulatory and self-regulatory processes.
Christian Toon has a wealth of experience for ensuring governance, risk and compliance requirements are met at organisations across the continent. He works with industry leaders in business and is a knowledgeable adviser on all aspects of information security, frequently commenting on the latest threats and how consumers and businesses can best protect their sensitive information.
Stuart D. Levi is co-head of Skadden’s Intellectual Property and Technology Group, and coordinates the firm’s outsourcing and privacy practices. He has a broad and diverse practice that includes outsourcing transactions, technology and intellectual property licensing, privacy and cyber security advice, cloud computing agreements, and technology transfers. Mr Levi also counsels clients on a variety of issues, including website and technology policies, intellectual property matters and legislative compliance.
© Financier Worldwide