by Cathy Nolan
I know you are all busy creating or approving standardized definitions, consolidating data, checking for data quality, and all the many activities of Data Governance. But I want to introduce one more task, and it might be the most important thing you can do for your organization: keeping your company's PII (Personally Identifiable Information) safe from internal or external breaches and making sure its handling complies with both state and federal mandates.
Because Data Governance (DG) works across the company, DG is in the best position to point out all the personally identifiable information the organization holds, and also to get consensus from all the interested parties, which can include Risk Management, Compliance and the Legal Department.
Here are some specific things Data Governance can do when dealing with PII data:
- Recommend standards and procedures for safeguarding personal data
- Coach developers on keeping sensitive data out of programs
- Monitor compliance regulations and identify exceptions within your company
- Identify who has the power to make decisions on privacy issues
- Help reconcile privacy and security issues before they are in production
Knowing how to classify sensitive data, and where that data resides, will help your organization avoid a costly data breach, which could mean fines, litigation and a loss of public confidence. What is sensitive data? Basically it is any information that can be used to distinguish or trace an individual's identity (for example name, social security number, date and place of birth, mother's maiden name, or biometric records) together with any information that is linked or linkable to an individual, such as medical, educational, financial, and employment data.
Data profiling is one way to find the sensitive or PII data your company holds. Some of this data might be legacy data that is not apparent in current programs. As we all know, the business wants to keep data forever, but data retained beyond its use is a liability in any breach and in future litigation. Profiling your data might uncover things that used to be acceptable, such as social security numbers used as customer IDs, information about an employee's race and ethnicity, or information on a person's criminal record. All of these items are protected under federal law. Note that profiling has to look at the values, not just the column names: a column called "customer_id" tells you nothing about whether it actually holds social security numbers.
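As an added example (not code from the article), the profiler below shows the value-based discovery described above. It classifies each column of a table by testing a sample of its values against a few PII detectors (SSN with the SSA's never-issued ranges excluded, payment card numbers with a Luhn check, email addresses) and flags a column when most of its non-empty values match. The table, its column names and the threshold are all constructed for the example; on a real database you would pull a row sample per table and feed it through the same function.

```python
"""PII discovery by data profiling: classify columns by the values they hold,
not by their names.  Example code written for this article, not from it.
"""
import re

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
CARD_RE = re.compile(r"^\d{13,19}$")


def looks_like_ssn(value):
    """True for a 9-digit value shaped like an SSN that the SSA could have issued."""
    m = SSN_RE.match(str(value).strip())
    if not m:
        return False
    area, group, serial = m.groups()
    # Never issued: area 000, 666 or 900-999; group 00; serial 0000
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits):
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_card(value):
    """13-19 digits (spaces/dashes allowed) that pass the Luhn check."""
    s = re.sub(r"[ -]", "", str(value))
    return bool(CARD_RE.match(s)) and luhn_ok(s)


def looks_like_email(value):
    return bool(EMAIL_RE.match(str(value).strip()))


DETECTORS = {"ssn": looks_like_ssn, "payment_card": looks_like_card,
             "email": looks_like_email}


def profile_column(values, threshold=0.8):
    """Return (label, hit_ratio) for the best-matching detector, or (None, ratio)
    when no detector reaches the threshold over the non-empty values."""
    non_empty = [v for v in values if v not in (None, "")]
    if not non_empty:
        return None, 0.0
    best_label, best_ratio = None, 0.0
    for label, fn in DETECTORS.items():
        ratio = sum(1 for v in non_empty if fn(v)) / len(non_empty)
        if ratio > best_ratio:
            best_label, best_ratio = label, ratio
    return (best_label, best_ratio) if best_ratio >= threshold else (None, best_ratio)


def profile_table(rows, threshold=0.8):
    """Profile every column of a list-of-dicts table.
    Returns {column: {"type": label, "hit_ratio": r}} for flagged columns only."""
    columns = {}
    for row in rows:
        for col, val in row.items():
            columns.setdefault(col, []).append(val)
    findings = {}
    for col, vals in columns.items():
        label, ratio = profile_column(vals, threshold)
        if label:
            findings[col] = {"type": label, "hit_ratio": round(ratio, 2)}
    return findings


# Constructed sample: a legacy customer table where "customer_id" is really an SSN,
# "order_ref" is a 9-digit number that is NOT an SSN (area >= 900), and card
# numbers are the usual publicly documented test values.
SAMPLE_ROWS = [
    {"customer_id": "123-45-6789", "name": "Alice", "contact": "alice@example.com",
     "order_ref": "900123456", "card_on_file": "4111 1111 1111 1111"},
    {"customer_id": 321456789, "name": "Bob", "contact": "bob@example.org",
     "order_ref": "912345678", "card_on_file": "5555-5555-5555-4444"},
    {"customer_id": "078-05-1120", "name": "Carol", "contact": "",
     "order_ref": "999000111", "card_on_file": "378282246310005"},
]

if __name__ == "__main__":
    for col, info in profile_table(SAMPLE_ROWS).items():
        print(f"{col}: {info['type']} ({info['hit_ratio']:.0%} of values)")
```

The output is the start of the sensitive-data inventory the article asks for: the column named "customer_id" is reported as SSN, "card_on_file" as a payment card, "contact" as email, while "order_ref" and "name" are left alone. The threshold keeps a stray test value from flagging a whole column, and the SSN range and Luhn checks keep ordinary 9- and 16-digit identifiers from producing false positives; both are worth tuning against your own data before you trust the inventory.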
You might not think of your company as a "data broker", but many retail and service companies sell their customer data to third parties. In addition, the huge marketing companies are actively collecting more and more purchasing data for the manufacturers who are THEIR customers. And if you are a company that does sell your customer data to a third party, you want to make doubly sure that the data in your databases is correct.
Statistics show that financial crime is slowing down: there are already so many stolen credit cards out there that they sell for as little as $5 each. But identity theft is going up, and one big area is the theft of medical information. HIPAA requires your organization to disclose any breach of protected health information or face a hefty fine. Recently a $1.5 million fine was imposed on a health care company that did not properly disclose a breach. In another instance, a lawsuit was filed after a hacker attack on a health insurance company potentially exposed information on 10.5 million individuals.
But you don't have to be in the health care industry to face litigation. Banks are suing breached companies for reimbursement of the costs of fraudulent credit card charges and of replacing the affected cards. Federal courts have approved class-action suits against retailers that have experienced breaches, and Experian is being sued over allegations that it failed to detect that one of its own customers was misusing the information it obtained from Experian. Sony recently reached a tentative deal to settle a class-action lawsuit stemming from a breach of employee personal data.
Conducting an inventory of all data that require protection is a critical step, as is maintaining an up-to-date inventory of all sensitive records and data systems, including those used to store and process that data. This enables the organization to target its data security and management efforts. So while it is the responsibility of every employee to protect PII, organizations need rules and processes for handling that data. Unfortunately, enforcing these standards is very difficult, and only someone with visibility into data throughout the organization can see where personal information is used and stored. This is where Data Governance can be most effective: helping the data management team recognize where to focus security efforts, which in turn protects your company's trusted name or brand.