Data Privacy and Breach Planning for Organizations
The new OMB memo defines data incidents and breaches and sets standards for securing PII, and it can help IT teams prepare for breaches involving PII. If you are stressed about data privacy, you can download our eBook that walks through how to keep your SharePoint content safe.
On Jan 28th, the interwebs recognized Data Privacy Day, the annual ‘holiday’ intended to raise awareness among individuals and corporations about the importance of safeguarding privacy online. Didn’t hear about it? That’s because Data Privacy Day (DPD) came and went without much fanfare. This is unfortunate, because safeguarding privacy is a key aspect of data breach planning.
As an astute observer of random global holidays (my favorite is Create a Vacuum Day on Feb 4), I appreciate the sentiment of DPD, especially given a risk climate where privacy is increasingly under assault. Data breaches are on the rise, sensitive data is being exposed, identities are being stolen, and companies – let alone individual consumers – are struggling to stay ahead of an expanding threat surface. But, while well intentioned, holidays alone aren’t enough to remind people to protect their privacy online. Companies in particular need to pay attention to how they are storing personally identifiable information of employees, customers, and partners, and continuously assess how corporate security practices stack up.
On this front, earlier in the month, the Obama White House Office of Management and Budget (OMB) issued new guidance for Executive agencies on how to prepare for and respond to data breaches involving PII. Memorandum M-17-12, while written for Executive agencies, is good reading for anyone in the commercial sector who works in information protection and security.
What I like about M-17-12 is that it establishes a coherent, focused foundation for InfoSec planning around PII. This is important because PII is as much an organizational asset as it is a liability; companies have very valid reasons to collect and store this information, especially about their employees and customers. But this data is too often left under-classified and under-secured, and thus exposed, creating significant financial, legal, and reputational risks for its corporate custodians.
Why Data and Breach Definitions Matter
In an earlier blog post, I explained why organizational stakeholders need to reach a uniform definition of sensitive data before starting an information governance process. No two people on any team, let alone within the same company, will share the same definition of sensitive information. This ambiguity is one of the many reasons why information classification initiatives fail in most businesses.
Moreover, it's not IT's job to figure out what information needs to be protected; classification and protection are functions of the line-of-business owners who create, store, and share the content as part of their job descriptions. In many companies, especially highly regulated entities, legal personnel, Human Resources, and compliance teams need to be part of this process. IT leaders have to implement appropriate security safeguards so that business users can leverage corporate information systems in a way that doesn't hinder usability and productivity, but they shouldn't be the ones deciding what is sensitive.
In short, definitions matter because they serve as an organizational anchor for information governance and security planning. Unstructured data stands a much greater chance of being protected if everyone understands what content needs to be locked down.
The M-17-12 memorandum lays out precise definitions of what constitutes a data "incident" and a data "breach." These definitions are a great starting point for companies that are starting or re-evaluating their information governance and protection planning:
Definition of an Incident: An occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.
Definition of a Breach: The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information or (2) an authorized user accesses or potentially accesses personally identifiable information for an other than authorized purpose.
The distinction thus rests squarely on PII. A breach, in other words, has to involve the loss, disclosure, or unauthorized access of personally identifiable information. This is a useful distinction, but it also sets a fairly low threshold for what constitutes a breach: note that "potentially accesses" is enough, and nothing in the definition requires that the PII actually left the organization.
Proactive Steps Towards Better Data Privacy
Example? Consider this.
An ordinary and well-intentioned end user, let's call her Stacy, stumbles across an Excel spreadsheet that details the salary and Social Security number of every company employee. The spreadsheet sat in a document library on the Finance group's SharePoint team site. The problem is that the permissions on the item had been broken (set uniquely on the item instead of inherited from the library) and misconfigured, so Stacy gained access and saw information she wasn't authorized to see. This would certainly constitute a breach per the M-17-12 definition. And, depending on a variety of other regulatory factors, it may trigger data breach notification obligations.
Breaches need not come from the outside, and they need not be malicious. Indeed, the M-17-12 definition of a breach says nothing about intent; a breach may occur simply because a Site Admin failed to manage permissions on a site containing PII-laden documents. Breach preparedness and privacy protection are two interconnected objectives. An organization that knows its privacy obligations and takes proactive steps to safeguard PII is light years ahead of an organization that's solely thinking about defending a network perimeter against attack.
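The Stacy scenario above comes down to one thing a Site Admin can check before a well-intentioned user finds the spreadsheet: which items in a PII-bearing library have broken permission inheritance, and who those unique permissions actually grant access to. The script below is an added example, not code from the original post or from Metalogix. It uses the PnP.PowerShell module against SharePoint Online; the site URL, library name, and report path are assumptions for illustration, and the two "Everyone" claim strings it flags are the well-known SharePoint Online identifiers for the tenant-wide groups.

```powershell
# Added example (not from the original post): audit a SharePoint Online
# document library for items whose permission inheritance is broken and
# report every principal and role granted on each such item.
# Requires: Install-Module PnP.PowerShell (run once as the signed-in admin).

param(
    [string]$SiteUrl   = "https://contoso.sharepoint.com/sites/Finance",  # assumed
    [string]$Library   = "Documents",                                     # assumed
    [string]$ReportCsv = ".\unique-permissions.csv"                       # assumed
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# Page through the library so a large one does not hit the list view threshold.
$items = Get-PnPListItem -List $Library -PageSize 500 -Fields "FileRef", "FileLeafRef"

# Login-name patterns for "Everyone" and "Everyone except external users".
$broadClaims = 'c:0\(\.s\|true|spo-grid-all-users'

$findings = foreach ($item in $items) {
    # HasUniqueRoleAssignments is not fetched by default; load it explicitly.
    Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments | Out-Null
    if (-not $item.HasUniqueRoleAssignments) { continue }   # inherits from the library

    # Inheritance is broken on this item: enumerate who was granted what.
    Get-PnPProperty -ClientObject $item -Property RoleAssignments | Out-Null
    foreach ($ra in $item.RoleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        $roleNames = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })

        # "Limited Access" alone is SharePoint plumbing, not a real grant; skip it.
        if (@($roleNames | Where-Object { $_ -ne "Limited Access" }).Count -eq 0) { continue }

        [pscustomobject]@{
            Path      = $item["FileRef"]
            Principal = $ra.Member.Title
            Login     = $ra.Member.LoginName
            Type      = $ra.Member.PrincipalType        # User, SecurityGroup, SharePointGroup
            Roles     = ($roleNames -join ";")
            Broad     = [bool]($ra.Member.LoginName -match $broadClaims)
        }
    }
}

$findings | Sort-Object Path | Export-Csv -Path $ReportCsv -NoTypeInformation
$findings | Where-Object Broad | Format-Table Path, Principal, Roles -AutoSize
```

Run it against each library that the business owners have classified as holding PII. Any row with Broad set, or a SharePoint group whose membership the Finance owners cannot name, is exactly the condition that let Stacy in; fixing it (restore inheritance, or trim the unique grant) is far cheaper than the notification analysis that follows a breach finding.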
What does this mean for you?
At Metalogix, many of the largest banks, healthcare organizations, and government agencies depend on our solutions and counsel to manage and protect enterprise content within Microsoft SharePoint, Office 365, and file shares. Data privacy is no longer something you can ignore, and we're here to help.
Jai Dargan is a Senior Director of Product Management at Metalogix, where he directs the strategy for Metalogix's security and compliance solutions. In this capacity, Jai guides the direction of Metalogix products aimed at securing content collaboration, including ControlPoint, Sensitive Content Manager, and Insider Threat Index. Prior to Metalogix, Jai was a co-founder of Pim Labs, LLC, a startup company (acquired by Metalogix) that built solutions for securing social networks and sensitive content. He holds a master's degree from Georgetown University and an undergraduate degree from New York University.