Data Protection: A Practical Guide to Managing Your Risks

A White Paper by Raj Chaudhary and Michael Del Giudice

Protecting valuable information assets, including personal data about employees, students, customers, and medical patients, is an enterprisewide responsibility. When creating a data privacy program, an organization should align its strategic enterprise risk objectives and follow a top-down approach to achieve the greatest benefit.

Whether dealing with financial records, medical data, or intellectual property, the necessity to protect sensitive data is not new. Today, the data protection landscape is evolving quickly with the introduction of new types of technology and legislation that mandates how organizations manage data and security breaches. In addition, as media scrutiny rises, public awareness of a breach has a greater likelihood of inflicting significant damage to an organization’s reputation.

Every organization faces the daunting challenge of how to best safeguard its data. Data has become a critical element in every facet of modern business, from customer relationship management to marketing to communications. It is stored in a variety of forms, from its primary location in databases and filing systems to its backups and copies on PCs, disks, and paper. It is transmitted electronically across networks as well as sent physically via delivery services. Organizations must develop modern data privacy programs to manage this data in all its various forms.

As with any difficult and complex issue, there is no silver bullet when it comes to protecting data. A data privacy program must safeguard data while allowing it to be used to advance an organization’s interests. A well-designed program seeks not to lock and encrypt every word and byte but rather to establish top-down controls to mitigate risk.
Developing and maintaining an effective data privacy program is a critical component of good organizational governance. It begins with senior leadership establishing a culture of awareness about the importance of safeguarding data assets and extends through coordinated actions among all business units, divisions, and departments. A data privacy program seeks to establish guidelines and standards for protection and enable employees, from senior leadership on down, to evaluate and implement safeguards that meet privacy objectives. It sets up appropriate monitoring to identify controls that are not operating effectively so that corrective actions can be taken before data is lost, stolen, or corrupted. The program must also address the organization’s response in the event a data breach occurs.

www.crowehorwath.com Crowe Horwath LLP

Trends

Ever since people began keeping records, there has been a need to protect valuable or sensitive information. Five thousand years ago, when Sumerian merchants kept track of purchases and sales on clay tablets in cuneiform script, they stored the information in stone vaults that survived for dozens of centuries. Back then, the need was simple: Preserve a record of income and expenses. As long as no one stole the clay tablets, the information was safe.

Today, protecting the privacy of an organization’s records – especially those containing personal information about employees, customers, students, and medical patients – is known as data security and safeguarding, and the stakes are much higher than in the days of those ancient entrepreneurs. Should employers, schools, or medical providers fail to protect personal information entrusted to their care, they could face costly fines, expensive litigation, and, most important, incalculable reputational risk.
On April 2, 2011, the public learned that millions of customers’ names and email addresses were exposed in a data breach involving major banks, retailers, and other companies that outsourced online marketing campaigns to Epsilon, a consulting firm based in Irving, Texas. The Privacy Rights Clearinghouse called the incident “the largest security breach ever.”[1] A few weeks later, Sony announced that hackers had broken into the company’s popular online gaming network. Some reports said the breach exposed personal data, including up to 12 million unencrypted credit card numbers.[2] In June, Citigroup revealed that an unauthorized user gained access to its credit card system and viewed personally identifiable information from some 200,000 accounts.[3]

Data privacy is making headlines – for all the wrong reasons. Data privacy breaches are becoming weekly, if not daily, events, as hackers become more sophisticated in their efforts to penetrate the defenses organizations mount to protect consumer information. At the same time, federal and state governments are beginning to impose costly penalties when organizations fail to take adequate steps to protect consumer data:

■ On Feb. 22, 2011, the Office for Civil Rights of the U.S. Department of Health and Human Services issued the first civil money penalty imposed for violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The fine totaled $4.3 million.

■ On March 28, 2011, a major Boston restaurant group agreed to pay $110,000 to the commonwealth of Massachusetts to resolve allegations that the company had failed to take reasonable steps to protect its patrons’ personal information in a data breach involving payment card information. This fine was the first imposed under what many people consider to be one of the strictest state data privacy laws in the country.
As these incidents show, the extent and impact of data losses can be significant. To protect consumers, the federal government and most states have passed laws requiring businesses and other organizations to both safeguard personal data and notify affected individuals when that data has been breached.

■ The Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act, requires financial institutions to provide notices to their customers about their information-collection and information-sharing practices. Consumers may “opt out” if they do not want their information shared with nonaffiliated third parties. The law also requires that financial institutions implement appropriate safeguards to protect this information from internal and external threats.

■ Privacy provisions of HIPAA have established regulations for the use and disclosure of protected health information, which generally includes any part of a patient’s medical record or payment history. The law also calls for implementing appropriate controls to protect the privacy of this data by controlling and monitoring access. In 2009, the Health Information Technology for Economic and Clinical Health Act was passed. The act strengthened the HIPAA requirements, including those related to notification responsibilities if a breach occurs and to compliance enforcement.

■ In the absence of federal legislation, many state legislatures followed the lead set by California to establish privacy laws that require consumer notification in the event of a breach. These laws, although slightly different from state to state, have brought privacy breach issues formerly discussed only in back rooms and boardrooms to public attention.
■ On the international front, the European Union (EU) has been at the vanguard of data privacy for more than a decade. The European Commission’s 1995 directive on data protection (Directive 95/46/EC) established stringent laws for protecting personal information, both within the EU’s borders and among other countries seeking access to that data. Because of this, organizations wanting to operate in the EU are required to increase their safeguards over the data they manage, especially as it is transferred to and from the EU.

Faced with possible lawsuits, reputational damage, and fines, corporate and government entities have been forced to increase their safeguards over nonpublic data. Because of the number of complex laws, the volume of pending legislation, and the short expected time frame in which to respond to an incident, the enterprise risk implications are significant.

Challenges

Organizations face many challenges in protecting information assets:

■ Data is widespread, with new technologies stretching or eliminating organizational boundaries;
■ Access management is a balancing act;
■ Data security breaches are expensive; and
■ Expected incident response times are getting shorter.

Data is widespread. Few organizations today operate within the confines of four walls. Many have facilities all over the world, mobile employees, and business partners or vendors in multiple locations. These personnel and business partners need access to the organization’s information to accomplish their business objectives, so data must be readily accessible and available in multiple types of media and storage repositories.
Data is replicated from site to site, travels with mobile employees, and is shared with business partners. Information is increasingly accessible on the Internet, commonly through cloud-based solutions, and it is increasingly mobile with powerful mobile phones and tablets, USB flash drives, and portable hard drives. In addition, physical copies of sensitive data continue to exist, with high-speed printers and all-purpose printer/fax/scanning devices increasing the risk of disclosure.

Access management is a balancing act. Providing appropriate access to data is difficult. Access management programs attempt to effectively control access to data, restricting access based on a need to know. However, if not implemented correctly, these programs can also significantly interfere with the ability to conduct business. Universities, research hospitals, and similar organizations have entrenched principles of information sharing for learning and innovation. Other organizations, such as financial institutions and healthcare service providers, need all of their employees to be able to serve customers and patients in a timely and accurate manner, with access to the data necessary to perform their jobs. Striking the right balance – supporting core business goals while minimizing data privacy risks – is critical.

Data security breaches are expensive. It is much less costly to protect data than it is to recover from a security breach. A survey by the Ponemon Institute LLC, a data security research organization, put the cost of data security breaches in 2010 at an average of $214 per compromised record. The average total organizational cost of a breach was $7.2 million, including printing and postage of notification letters, obtaining legal advice, offering credit monitoring subscriptions to customers, implementing a customer support hotline, and customer defections.
The costs associated with security breaches continue to rise each year.[4]

Expected incident response times are getting shorter. Because so many notorious data security incidents have occurred and so many laws require organizations to inform affected consumers promptly, organizations must respond more quickly than ever to data security breaches. Some large organizations experience potential breaches daily. These incidents include not only the possible loss of data but also the exposure of confidential information to individuals or organizations not authorized to access it. As a result, the sophistication of procedures and tools necessary to identify, document, escalate, and respond to potential information security incidents is increasing.

Organizations must have data security plans in place. Otherwise, it is very difficult to react to a breach with the required speed and accuracy. Incident response plans that have been formally developed, discussed among members of management, and communicated to employees become crucial tools for responding appropriately to a security incident.

Solutions

In spite of the challenges involved in protecting data, solutions are available. This section describes the characteristics of an effective data privacy protection program and provides some guidelines and basic steps an organization must follow to create and implement its own program.

Data Privacy Protection Program

To defend against the various threats and comply with the growing body of state and federal laws and regulations, every organization needs to develop an enterprisewide data privacy protection program that meets the following requirements:

■ It is aligned with the organization’s strategic objectives.
■ It has the full and visible support of senior leadership.
■ It starts at the top of the organization and permeates all units, divisions, and departments.
■ It is championed and managed by individuals with sufficient expertise in information and information technology security.
■ It is effectively communicated to all employees.
■ It addresses all relevant data repositories and risks.
■ It is monitored actively and tested for effectiveness.

Aligning an enterprisewide data privacy program with business objectives is essential for success. Without understanding the business case for the use of data, it is difficult to design and implement appropriate controls to safeguard valuable information assets. The need to use data must be documented so that management and information security can design an effective solution with as few restrictions as possible. For example, if an organization needs to deliver sensitive data to consumers, the security of the delivery method must be balanced with the users’ needs. Information security, IT, and customer service professionals will have to work creatively to find a method for delivery that is secure yet easy to use.

Senior-level buy-in is a key requirement for the success of any data privacy program. Establishing the appropriate “tone at the top” and developing a corporate culture that places great emphasis on protecting information assets will go a long way toward assuring that employees follow the desired policies and procedures. In addition, middle management plays an integral role in enforcing data security standards. Organizations might send middle management to specific training or provide checklists for departmental self-assessment. These steps will help prepare managers for appropriate policy enforcement actions, which may include checking employee trash bins to confirm that the shredding policy is being followed and checking desktops to confirm that sensitive documents are appropriately secured, computers are locked, and passwords are not written down and in view.
Developing a data privacy program from the top down, rather than from the bottom up, is another crucial success factor. Too many organizations view data privacy as the responsibility of the IT department. Certainly, IT plays a major role in helping to develop, select, and implement appropriate solutions, but responsibility for the overall success of the program is an enterprisewide issue. It is much more effective to identify sources and uses of data by starting at the top, with the business case, rather than from the bottom. In addition, taking a top-down view enables organizations to employ a risk-based approach to the protection of information assets. All customer information systems are not created equal. Understanding the relative sensitivity of data and the impact of its loss or breach is important when designing a successful program.

The program must be championed by someone with sufficient IT and security knowledge. Every initiative of this type needs a champion or chief coordinator who can act as a subject-matter expert. Management should appoint an information security officer, manager, or equivalent who receives an appropriate amount of resources to manage the program. The information security officer should develop a strong network of consultants, peers, and professional organizations on which to rely for support. Attending training and industry conferences on information security and privacy should be an ongoing requirement so that this individual is able to keep pace with the latest threats, vulnerabilities, and safeguards.

Without communication to – and buy-in from – all employees, a program cannot be effective.
Even the most skilled security professional cannot control every aspect of data privacy. Employees need to be able to implement the security program and propose changes if it is not effective. Managers need to be empowered to monitor their staff for compliance. For example, while the security officer can contract with a vendor for document shredding, place receptacles throughout the facility, and establish a policy for document destruction, each employee must make a conscious choice to dispose of sensitive data appropriately. Managers must play a role, monitoring employees’ disposal of documents and even periodically checking garbage cans for sensitive data. Today’s technologies place even more onus on the employee, as it is easier than ever to move data to personal devices, share with external partners or vendors, or transfer to online cloud-based solutions. In fact, for some organizations, employee awareness could be the most critical component of effectively managing the risks associated with data privacy.

Data protection programs must address all technologies leveraged for storing, accessing, or transmitting data. One of the greatest challenges in a data protection program is the ability to protect data that proliferates across various technologies. Data can be stored in a database, on mobile storage technologies, or on cloud-based repositories. Data can be accessed through both standard and Web-based applications, or via mobile devices such as tablets. Data can be sent via email or other file transfer solutions. These various methods for storing, accessing, and transmitting data must be assessed and controlled to manage data protection risks at an appropriate level for the organization.

Independent testing will validate the level of program effectiveness.
Once a data privacy program has been developed in line with organizational objectives, supported by leadership, disseminated in a top-down fashion, championed by a skilled professional, and communicated to employees, it must be tested. Management must seek an independent analysis to identify areas in which the program should be expanded or in which it has not been implemented effectively. Testing must occur periodically to assess how well data protection strategies are addressing current risks and threats.

Data Protection Road Map

When developing a data protection program, organizations must:

1. Identify what data the organization has and where it is stored;
2. Classify the data based on its sensitivity;
3. Protect the data by defining control standards for data at rest, in transit, in presentation, and during disposal; and
4. Respond in the event of a security breach.

1. Identification. The first step is to understand the types of data an organization maintains and where that data resides. The organization may already be conducting activities such as data mapping, risk assessments, and records management inventories to understand what data the organization maintains. Management may need to conduct interviews to determine whether data inventories are comprehensive and accurate, and whether particular types of information assets, such as electronic files and reports, disks, and paper repositories, are represented accurately in the inventories. If there are no data inventories, the organization will need to conduct a baseline risk assessment to establish a starting point for the data audit. When conducting the data inventory, organizations should:

a. Identify all departments and divisions that affect data privacy because of the information they store, process, or transmit.
Within these departments, inventory all relevant functions that use sensitive data, such as personal information about employees, customers, students, and medical patients; trade secrets; and proprietary business data.

b. Identify the assets that support each function and have an impact on data privacy. These include databases; software applications; network components such as servers and workstations; mobile media (mobile devices, tablets, USB drives, and backup tapes); vendors and third-party service providers; and paper repositories and paper-based processes or forms.

c. Determine the volume of data within each of the repositories, as well as how the data can be accessed and extracted. This can be accomplished by engaging the individual data owners and asking questions about the data and how they access and use it. This information is critical to understanding the risks and threats to the identified data repositories.

There are two approaches to identifying data. One is to use automated software tools that comb through logical data repositories to find relevant data. The other approach is to discuss data usage and storage with key stakeholders. While tools provide an efficient approach, they also increase the likelihood of false positives, as they may not be able to “see” some data – such as encrypted repositories or physical documentation – and do not allow an understanding of how the organization uses data. Most organizations use a combination of the two approaches to improve the accuracy of the data inventory and obtain a comprehensive understanding of how personnel are accessing and using data.

Once all the data has been identified, including an understanding of how data is being used, the organization should assess the necessity of that data. Data minimization is the process of eliminating data that is not necessary.
This could result in the consolidation of databases, or it could simply lead to the removal of unnecessary sensitive data, such as Social Security numbers, collected on standard forms.

2. Classification. Focusing on information assets that pose the greatest risk to the organization’s ability to protect data will help focus critical resources. Data classification programs allow organizations to set stringent standards of control for data whose breach would pose the greatest risk. Data should be labeled in accordance with its classification level. At this point the organization should have:

■ A comprehensive inventory of organizational data;
■ An awareness of the volume of data in the repositories;
■ An understanding of how data is being used, accessed, and handled; and
■ All data classified based on sensitivity.

The organization can now use this information to prioritize each individual repository based on the risk.

3. Protection. Once the organization understands the scope and relative risk levels of the data it is responsible for safeguarding, appropriate policies and procedures governing the protection of the organization’s data must be defined. These policies should include regular independent testing, a program for ongoing training and building awareness, and reinforcement of the “tone at the top” through periodic organizational communications. After standards are defined, a formal control framework must be adopted that defines the expected controls to protect data, considering the organization’s appetite for risk and regulatory drivers. When defining these controls to protect sensitive data, it is important to understand the data life cycle because different stages may require different types of controls:

■ Data at rest refers to data storage, whether in file cabinets or on a server.
■ Data in motion refers to data transfer, which is primarily used when data is being exchanged electronically, but also when physical files are moved.
■ Data presentation, also known as data in use, refers to data that is being used or accessed, including such outcomes as being displayed on a monitor.
■ Data destruction refers to steps organizations take when they no longer need access to certain data. Controls over shredding paper files, overwriting hard drives, and other tasks come into play.

Often, organizations view data protection as an IT function, when instead they should regard it as an enterprisewide responsibility. Senior management must set the tone at the top so that all staff members understand that data protection is part of everyone’s job, not just the people who run the technological infrastructure.

In simple terms, the basic control structure for data protection can be thought of as the “Four A’s”:

■ Authentication – Who is requesting access to data?
■ Authorization – Do those individuals have permission to access the data?
■ Audit – How is access to data monitored?
■ Administration – How is data governance communicated throughout the organization?

Contact Information

Raj Chaudhary, PE, CGEIT, CRISC, is a principal with Crowe Horwath LLP in the Chicago office. He can be reached at 312.899.7008 or [email protected].

Mike Del Giudice, CISSP, CRISC, is with Crowe Horwath LLP in the Chicago office. He can be reached at 630.575.4359 or [email protected].

4. Response. Once an organization has identified and classified its data assets, and policies have been created for protecting the data, the final step in developing a data protection program is to develop an incident response plan:

■ Identify the ways in which the organization might become aware of a data security incident and how management should be notified.
■ Identify who will be on the response team, and the roles and responsibilities each person will have.
■ Identify action plans, documentation required, and when and how the organization will notify consumers.
■ Discuss the action plan and walk through a mock incident so that all stakeholders are prepared in the event of a real breach.
■ Review existing notification requirements at both the state and federal level to confirm existing procedures address appropriate requirements.

Conclusion

Managing data privacy in today’s rapidly changing environment is not a simple task. New technologies and complex regulatory requirements governing the protection of valuable business records – especially those containing personal information about employees, customers, students, and medical patients – are evolving almost every day. In order to establish a program that is effective and scalable, organizations must implement a holistic response to assess this ever-evolving data protection landscape.

References

[1] Mike Lennon, “Massive Breach at Epsilon Compromises Customer Lists of Major Brands,” SecurityWeek, April 2, 2011, http://www.securityweek.com/massive-breach-epsilon-compromises-customer-lists-major-brands
[2] Liana B. Baker and Jim Finkle, “Sony PlayStation Suffers Massive Data Breach,” Reuters, April 26, 2011, http://www.reuters.com/article/2011/04/26/us-sony-stoldendata-idUSTRE73P6WB20110426
[3] Suzanne Kapner, “Citi Admits Customer Data at Risk After Breach,” Financial Times, June 9, 2011, http://www.ft.com/intl/cms/s/0/885a54e8-9225-11e0-9e00-00144feab49a.html#axzz1fP6B1GHN
[4] Ponemon Institute, “2010 U.S. Cost of a Data Breach,” http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon

www.crowehorwath.com

Originally published December 2011
Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction. © 2011 Crowe Horwath LLP TR12912