AIIM recently released a report, “Data Privacy: Living by New Rules,” which found that 26 percent of the organizations it surveyed had suffered loss or exposure of customer data in the preceding 12 months. Additionally, 36 percent of smaller organizations, 43 percent of mid-sized, and 52 percent of large organizations had reported a data breach within that same time period.
Those numbers may be surprising to some folks, but based on Doculabs’ experience with clients, I’m actually surprised they aren’t a little higher. For the record, we’ve been looking at this issue for a while now ourselves, and will be publishing our own analysis soon (similar to our research into Data Lifecycle Management and Information Governance). So stay tuned!
In the meantime, there are a couple of key things I take away from the AIIM research results. The first is that your organization is vulnerable, no matter the size. It’s not just the Fortune 500 companies that need to be worried about protecting sensitive data; it’s everybody. The second item is that it’s likely not a matter of if you get breached; it’s a matter of when. This is a refrain we hear from a lot of our clients, and it’s a message we try to send to those organizations who aren’t worried about it—yet.
So what can you do? You could go out and buy a new solution to encrypt data and monitor your environment, but that can get complicated and expensive very quickly. We’ve found that the organizations that are tackling this in a strategic and successful way take a somewhat different approach, using some “quick-win” tactics to augment potential technology solutions. This results in an immediate positive impact on the organization, something board members and executives love to see.
Broadly speaking, you need to have ownership over the problem of protecting sensitive data. We’ve seen a lot of Chief Information Security Officers (CISOs) be designated as the ones to champion the cause. Regardless of who owns it, the responsibility needs to fall with one single department or group. Ownership by consensus won’t work.
Successful organizations also develop an inventory of their repositories and of the content contained within each of them. They then establish a policy that classifies information into easy-to-understand categories and identifies which types need to be retained and which can be purged. Records, information under legal hold, and business-critical content below a specified age should be retained; everything else can go. When you do get breached, do you want the exposure limited to the minimum amount of PHI/PII/PCI you are required to retain, or do you want an extra 15 years of data out there that can be exposed?
My main takeaway from the AIIM survey results, coupled with our anecdotal evidence from clients, is that the most successful organizations reduce their sensitive data footprint, in addition to properly securing their data. But as I mentioned, we’re doing some research of our own in this area, looking at just how organizations of all sizes are approaching the problem of information security. So check back for our analysis—and to see how your own organization compares.