In just a matter of weeks the COVID-19 pandemic has turned our entire world upside down. To stem the spread of the virus, many organizations have been forced to close their premises to employees and operate virtually. Huge numbers of workers are now doing their jobs from home by connecting remotely into their employers’ IT systems. It’s a revolution that, even after the pandemic has passed, may never be fully reversed.
For employers and employees alike, working remotely represents a great opportunity to remain productive under extremely difficult circumstances. But it also provides new opportunities for malicious actors. The World Health Organization (WHO) has already been forced to issue warnings concerning cybercriminals who are “disguising themselves as WHO to steal money or sensitive information.”
That’s why it’s more important than ever that companies take aggressive steps to safeguard what is perhaps their most important asset – their data. But that can’t be accomplished on an ad hoc basis. Instead, organizations need to define the specific processes and procedures by which they will manage their data. The goal is to accomplish the company’s business objectives while ensuring that its information is kept secure, private, and in compliance with regulatory requirements. In other words, what’s needed is a well-designed data governance process.
Why data governance is critical
The U.S. Department of Education defines data governance as “an organizational approach to data and information management that is formalized as a set of policies and procedures that encompass the full life cycle of data, from acquisition to use to disposal.”
The purpose of data governance is to ensure that an organization’s data is available as needed for business purposes, but that it also remains secure and private under all circumstances. Not only is that necessary from the standpoint of meeting business goals, but in recent years such protection has become a prime regulatory mandate. Both the European Union’s General Data Protection Regulation (GDPR) and the new California Consumer Privacy Act (CCPA) focus heavily on safeguarding individuals’ personal information (GDPR speaks of the “personal data” of “data subjects”; CCPA of the “personal information,” or PI, of “consumers”). Both expect companies to be able to demonstrate, through written and auditable policies and records, how they protect any personal information they hold.
Both also give individuals specific rights over their PI. These include the right to receive a copy of the information the company holds about that person, and to have it corrected or deleted. Individuals invoke these rights through Data Subject Requests, or DSRs (under GDPR usually called Data Subject Access Requests, DSARs), which the company must answer within a fixed statutory deadline.
Key elements of an effective data governance plan
With the larger attack surface created by having large numbers of workers accessing corporate systems remotely, developing and implementing an effective process of data governance is critical. Let’s take a brief look at several items that should be included in that process:
1. Determine what information must be protected
If your data governance regime is to be effective in protecting personal information, the first question to be answered is just what PI is. Here’s the definition given in section 1798.140 of the CCPA:
“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Listed as specific examples are “Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.”
But this list is by no means exhaustive. A key part of the definition is the phrase “or could reasonably be linked, directly or indirectly, with a particular consumer or household.” That means that even if no direct identifier, such as a name or address, is present, if an individual can be identified by correlating disparate bits of information, all of that information counts as part of that person’s PI. Such attributes, harmless on their own but identifying in combination, are known as quasi-identifiers. Latanya Sweeney’s well-known analysis of 1990 U.S. census data found that 87% of the U.S. population could be uniquely identified using only three of them: gender, 5-digit ZIP code, and date of birth. So if each of those data items appears somewhere in the system, perhaps in widely separated and apparently unrelated datasets, they still have to be accounted for as elements of that individual’s PI.
That’s why PI that is regulated under CCPA is often spread throughout a company’s IT infrastructure and may not be directly associated with a primary identifier such as a name. As Drew Schuil, President & COO of Integris puts it, “CCPA regulated personal information (PI) is everywhere.”
A modern data governance scheme must include processes for identifying such apparently isolated bits of an individual’s PI.
2. Develop policies and procedures to keep data secure and private
According to the U.S. Department of Education, your data governance policies and procedures must ensure that “data are collected, managed, stored, transmitted, used, reported, and destroyed in a way that preserves privacy and ensures confidentiality and security.”
Your plan should specifically address items such as:
- maintaining network and data security using controls such as role-based access limited to what each role actually needs (least privilege), strict password management, multi-factor authentication (MFA), use of a virtual private network (VPN), etc.
- ensuring that only de-identified data goes to remote users, and that reasonable efforts are made to prevent subjects from being re-identified by combining quasi-identifiers (such as ZIP code, gender and date of birth) drawn from different sources
- maintaining data quality (accuracy, validity, completeness, consistency, timeliness)
- instituting incident response procedures for identifying, reporting, and mitigating risks or intrusions
Endpoint security is critical. Your data governance plan should specify security policies for the desktops, laptops, tablets, smartphones and Wi-Fi connections workers use at their remote location. Sensitive information, especially PI, should never be stored on such devices unless it is encrypted at rest (full-disk encryption at a minimum), with the keys not recoverable from the device alone. As David Higgins of CyberArk says, “We should assume endpoint devices are already compromised or soon will be.”
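The re-identification risk described in section 1 and the de-identification requirement in the list above can be measured rather than guessed at. The following Python is an added example, not code from the article or from Integris: it counts how many records share each combination of the three quasi-identifiers (the k of k-anonymity), flags records that are unique and therefore linkable to an identified dataset carrying the same attributes, and refuses to release a view to remote users until generalizing the quasi-identifiers (ZIP to its 3-digit prefix, date of birth to birth year) brings every combination up to a required k. The records are constructed sample data; the field names, the generalization rules and the required k are assumptions of the example.

```python
"""Added example (not the article's or Integris's code): k-anonymity check on
quasi-identifiers before data is sent to remote users.

The records below are constructed sample data, not real people. Names have
already been removed, but gender, ZIP code and date of birth remain.
"""
from collections import Counter
from datetime import date

RECORDS = [
    {"gender": "F", "zip": "02139", "dob": date(1984, 3, 12), "diagnosis": "asthma"},
    {"gender": "F", "zip": "02139", "dob": date(1984, 7, 30), "diagnosis": "flu"},
    {"gender": "M", "zip": "02138", "dob": date(1979, 1, 5), "diagnosis": "diabetes"},
    {"gender": "M", "zip": "02141", "dob": date(1979, 11, 21), "diagnosis": "flu"},
    {"gender": "F", "zip": "02142", "dob": date(1984, 5, 2), "diagnosis": "migraine"},
    {"gender": "M", "zip": "02140", "dob": date(1979, 6, 9), "diagnosis": "asthma"},
]

# The three attributes Sweeney showed identify most of the U.S. population.
QUASI_IDENTIFIERS = ("gender", "zip", "dob")


def identity(field, value):
    """No generalization: the raw values as stored."""
    return value


def coarsen(field, value):
    """Assumed generalization rules: ZIP to 3-digit prefix, DOB to birth year."""
    if field == "zip":
        return value[:3]
    if field == "dob":
        return value.year
    return value


def quasi_key(record, generalize):
    """Quasi-identifier tuple of a record after applying `generalize` to each field."""
    return tuple(generalize(field, record[field]) for field in QUASI_IDENTIFIERS)


def k_anonymity(records, generalize=identity):
    """Size of the smallest group of records sharing one quasi-identifier combination.

    k == 1 means at least one record is unique on (gender, zip, dob) and can be
    linked to any identified dataset (a voter roll, for instance) that carries
    the same three attributes.
    """
    classes = Counter(quasi_key(r, generalize) for r in records)
    return min(classes.values())


def unique_records(records, generalize=identity):
    """Records whose quasi-identifier combination appears exactly once."""
    classes = Counter(quasi_key(r, generalize) for r in records)
    return [r for r in records if classes[quasi_key(r, generalize)] == 1]


def release_view(records, k_required, generalize=coarsen):
    """Generalized rows for release, or a refusal if k-anonymity is below k_required."""
    k = k_anonymity(records, generalize)
    if k < k_required:
        raise ValueError(f"release refused: k={k} < required {k_required}")
    return [
        {**{f: generalize(f, r[f]) for f in QUASI_IDENTIFIERS}, "diagnosis": r["diagnosis"]}
        for r in records
    ]


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS), "unique:", len(unique_records(RECORDS)))
    print("coarsened k =", k_anonymity(RECORDS, coarsen))
    for row in release_view(RECORDS, k_required=2):
        print(row)
```

On the sample data every raw record is unique (k = 1), even though no name is present; after generalization the six records collapse into two groups of three (k = 3), so a release requiring k ≥ 2 goes through. One caveat a practitioner should keep in mind: k-anonymity limits identity disclosure, not attribute disclosure. If every record in a group carried the same diagnosis, an attacker who knows someone is in that group learns the diagnosis anyway, which is why checks on the diversity of sensitive values within each group are usually applied alongside this one.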
3. Identify the what, where, and why of protected data
The greatest challenge to fulfilling DSRs is identifying data relating to individuals wherever it may reside across your infrastructure.
That’s why it is critical to conduct a data inventory that identifies every data element pertaining to a given person. For each data type you should ascertain why it is being collected and retained (what legitimate purpose does it serve?), where it resides, who has access to it, and whether any of it will ever be stored on remote workers’ devices.
The governance plan must include means of keeping this inventory up to date as data streams are added or modified.
Conducting such surveys manually, and manually correlating the scattered elements of an individual’s regulated personal information, is extremely challenging and becomes practically impossible as data volumes grow. It is, in fact, the most difficult aspect of responding successfully to DSRs. To overcome that challenge you’ll need appropriate software tools to automate the discovery and correlation.
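To make the discovery and correlation problem concrete, here is an added example in Python (not the article's or Integris's code) of the basic mechanics an automated inventory relies on: scan several unrelated stores for identifier patterns (email addresses, SSNs, IPv4 addresses, phone numbers), attribute each line's findings to a subject keyed by normalized email address, and then link lines that carry no email at all through another identifier already tied to that subject, such as an SSN seen beside their email elsewhere. The stores, sample lines and regular expressions are constructed for illustration; the linking rules are assumptions of the example, and real tooling would add many more patterns and validation.

```python
"""Added example (not the article's or Integris's code): find PI across several
data stores and assemble everything held about one subject for a DSR response.

The stores and their contents are constructed sample data, not real records.
"""
import re
from collections import defaultdict

STORES = {
    "crm_export.csv": [
        "1001,Jane Roe,jane.roe@example.com,555-0123,02139",
        "1002,John Doe,jdoe@example.net,555-0199,02138",
    ],
    "app.log": [
        "2020-04-02T10:15:32Z login user=jane.roe@example.com src=203.0.113.45",
        "2020-04-02T10:17:10Z login user=jdoe@example.net src=198.51.100.7",
    ],
    "tickets.json": [
        '{"id": 77, "email": "Jane.Roe@Example.com", "ssn": "123-45-6789", "note": "address change"}',
    ],
    "hr_notes.txt": [
        "SSN 123-45-6789 flagged for payroll review",  # no email on this line
    ],
}

# Assumed detection patterns; deliberately simple for the sample data above.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"\b\d{3}-\d{4}\b"),
}


def valid_ipv4(text):
    """Reject dotted quads with an octet above 255 (e.g. version strings)."""
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def normalize(kind, value):
    """Fold email case so 'Jane.Roe@Example.com' links to 'jane.roe@example.com'."""
    return value.lower() if kind == "email" else value


def scan_line(line):
    """Return [(kind, normalized_value)] for every PI-like token on one line."""
    found = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(line):
            value = match.group(0)
            if kind == "ipv4" and not valid_ipv4(value):
                continue
            found.append((kind, normalize(kind, value)))
    return found


def attach(entry, store, line_no, found):
    """Record where a subject's PI was seen and which identifiers were on that line."""
    entry["locations"].add((store, line_no))
    for kind, value in found:
        entry["identifiers"][kind].add(value)


def build_inventory(stores):
    """Map each subject (keyed by email) to the PI found about them and where it lives.

    Linking rules (assumptions of this example): identifiers on the same line as
    an email address belong to that email's subject; a line with PI but no email
    is attributed to a subject if any identifier on it is already known for them.
    """
    inventory = defaultdict(lambda: {"identifiers": defaultdict(set), "locations": set()})
    orphans = []  # lines carrying PI but no email key
    for store, lines in stores.items():
        for line_no, line in enumerate(lines, start=1):
            found = scan_line(line)
            if not found:
                continue
            emails = [v for k, v in found if k == "email"]
            if emails:
                attach(inventory[emails[0]], store, line_no, found)
            else:
                orphans.append((store, line_no, found))
    # Second pass: correlate orphan lines through identifiers learned in the first pass.
    for store, line_no, found in orphans:
        for entry in inventory.values():
            if any(value in entry["identifiers"].get(kind, ()) for kind, value in found):
                attach(entry, store, line_no, found)
                break
    return inventory


def dsr_report(stores, email):
    """Everything held about one subject, in the shape a DSR response needs."""
    entry = build_inventory(stores).get(email.lower())
    if entry is None:
        return None
    return {
        "identifiers": {k: sorted(v) for k, v in entry["identifiers"].items()},
        "locations": sorted(entry["locations"]),
    }


if __name__ == "__main__":
    print(dsr_report(STORES, "Jane.Roe@Example.com"))
```

On the sample stores the report for jane.roe@example.com pulls together four locations: the CRM row, the login log line (adding her IP address), the support ticket (adding her SSN), and the HR note that never mentions her email but is linked through the SSN learned from the ticket. That last hop is the correlation step the paragraph above calls the hardest part of a DSR response; note also that the report is itself a concentrated bundle of PI and must be protected and delivered accordingly.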
Integris provides state-of-the-art tools for identifying all the bits of PI associated with a particular subject wherever they may reside within your system.
If you’d like to know more about how Integris can help you implement top-notch data governance in the COVID-19 age, please contact us.