In doing so, they have come face to face with a huge reality check: although it has been more than 20 years since EU privacy laws went into effect, very few companies know what data they have, where it all goes, or what protections they are supposed to have. This is because (1) many companies do not have data inventories and (2) privacy compliance requirements are not thoroughly integrated into cyber-security programs.
Digital asset management is one of the cornerstones of any cyber-security program: an organization has to know what assets it has in order to secure them. Internationally accepted best practices and standards for cyber-security programs require (1) asset inventories of hardware, applications and data with assigned asset owners and (2) the designation of information classifications for data based upon risk and magnitude of harm. Common classifications for data are Top Secret, Secret, Confidential, and Public. Although some organizations may have more or fewer classifications, asset management experts discourage organizations from establishing too many classifications, because compliance becomes more difficult and information may be inconsistently classified.
Where Oh Where Is My…Data Inventory
The risk posture of any company is weakened if it does not have a data inventory with formally assigned business owners and information classifications. Even with basic data inventories, very few companies have mapped data flows so they know which users access sensitive data and the jurisdictions involved. As a result, it is difficult for cyber-security personnel to know what data are subject to privacy protections or to determine effective privacy and security controls.
Let’s take this apart. Companies need to know:
- What data they have and the data classifications assigned
- What software applications use the data
- What users access the data and where those users are located
- Where data are collected and stored.
IT departments and cyber-security teams focus on inventories of hardware and software applications because these assets have to be maintained. Many companies do not have formal data inventories because they assume data used by a system will be protected as part of the application controls. Thus, they develop and maintain only software application inventories. Companies commonly assign application owners, but not data owners, making the application owner the de facto owner of the data that are generated and maintained by the application. For example, the chief financial officer may be designated as the owner of an organization’s financial application and, as such, is the implied owner of the financial data that are used and maintained by the application.
Under this approach, the application owner approves access to the application and data used by it. Application owners know what the application does, but they generally are not well informed about the various data that the application may use or know the data classifications of these data. The problem, of course, is that an application may use data owned by other business units. For example, a financial application may use employee data that are owned by the human resources department. When access is approved for the financial application, access to the data it uses is also approved.
Disconnect Between Privacy and Cyber Security
If an organization does not have a data inventory, data classifications often are not formally assigned and documented. Some classifications of data may have been established as part of a records management process, but these classifications might not have been extended to electronic forms of data and recorded in a data inventory. At the core of this problem is a disconnect between privacy and cyber-security personnel.
Privacy personnel attempt to identify personally identifiable information (PII) and data subject to privacy laws and regulations or contractual requirements. They develop policies and procedures and train personnel on privacy requirements and proper data handling, but they are seldom responsible for an organization’s data inventory.
One must remember that organizations have lots of data that are not considered PII and aren’t under the purview of a chief privacy officer, such as pricing and customer lists, intellectual property (IP), trade secrets and other business know-how, customer data, strategic plans, etc. It is equally important for these data to be protected and have adequate controls in the cyber-security program, because these data are highly targeted by cyber criminals and insiders.
As organizations increase in size and operational complexity, problems occur when data ownership and information classifications are not formally specified. Without proper owner control over data, access may be granted to personnel who do not have a need, or the access may be broader than necessary, increasing the insider threat.
Best practices require the owner of an asset to determine data classifications, approve access to the system and data, and approve change management. It is critical that privacy personnel understand how privacy controls are integrated into a cyber-security program. Controls to protect data are supposed to be based on the information classification and the risk categorization that is assigned to the application. These controls should be jointly determined by the company’s data owners and cyber-security and privacy personnel. All too often, however, controls are determined solely by the IT and cyber-security teams.
When an organization suffers a cyber attack that impairs its IP and business data, the company will be not be able to demonstrate to regulators and investors that it is in alignment with best practices if it doesn’t have data inventories, information classification, and data mapping. The company won’t even be able to show it was controlling access to the data, because it was controlling access to applications only. With the EU GDPR effective only since May 25, it is uncertain how the regulation will be enforced, but many privacy experts expect some stiff penalties will get levied against infringing companies to set an example of enforcement under the GDPR.
“The identification of data in an organization and inventorying it is a critical element of review in a risk assessment,” says Tom Smedinghoff, a privacy and cyber security partner with Locke Lord in Chicago and former chair of the Science & Technology Law Section of the American Bar Association. “Whether a control is required by GDPR, the New York financial regulations, HIPAA, Massachusetts breach laws or any other regulation, if a company doesn’t know its data and how it flows through the business processes, it cannot adequately assess the risks,” he adds. “Many of the activities in cyber-security programs are also compliance components of privacy laws, so there has to be better coordination between privacy and cyber-security personnel if organizations hope to manage their compliance risks.”
Coordination between legal, IT, cyber-security, and privacy personnel is not very mature in most companies. Although these personnel are generally aware of each other’s activities, they lack coordination on controls and risk management. Performing a risk assessment is an excellent first step in getting them to work together, and it enables them to engage with the risk manager on cyber risk insurance and risk mitigation.
Insurance agents and brokers can play a role in helping their clients understand their data and compliance risks and develop effective risk strategies. “There is great interest now in insuring against GDPR violations. Insurers offering these policies may require companies to have mature data inventories and other optimal privacy practices in place so they can better manage the risk,” says Jeffrey Batt, vice president of Marsh’s cyber practice.
Westby is CEO of Global Cyber Risk. email@example.com