
When Less Is More: Security in a Web-driven World

Created on: Oct 9, 2009 10:54 AM by smart_admin - Last Modified:  Aug 21, 2010 11:16 AM by smart_admin
Smart Practices, October 2009

 

Can IT executives turn risk mitigation into a management opportunity?

 

By John W. Verity

 

IT executives are caught in a dilemma. With more commerce and vital business activity being conducted online, and with disk storage costs plummeting, it has never been easier for enterprises to accumulate mountains of data, much of it extremely sensitive. Yet more data means more risk, too: risk of data leaking into the public domain, and more risk of suffering stiff penalties for failing to comply with a fast-expanding web of tough privacy regulations.


Not so long ago, nightly backups and disaster recovery plans seemed sufficient to manage the risks relating to enterprise data. But now, encryption, identity management, authentication and other security technologies are just the start of a larger campaign to protect critical data against privacy and security breaches.

 

If “digital assets are the crown jewels” of today’s business, says Andrea M. Matwyshyn, Assistant Professor of Legal Studies and Business Ethics at The Wharton School at the University of Pennsylvania, “companies need to develop an ethic of data care” to protect those assets.


 

Matwyshyn says that IT executives can use compliance and data-risk management to demonstrate leadership and knowledge of the business by establishing “a dialogue between IT’s technical experts and other business decision makers.” It’s also a chance to rationalize data-retention policies by determining which types of data truly need to be collected, stored over the long-term or purged as soon as possible.

 

Regulatory Burdens

Regulatory compliance is dramatically raising the stakes. From government agencies to healthcare providers to retailers, enterprises around the world must adhere to a proliferation of policies and practices. In the U.S., state and federal digital privacy regulations aim to keep customers’ personal information private. But absolute security is thorny, at best, in the face of sophisticated hackers, crafty cyber-criminals, easy-to-lose laptops, wireless networking, cloud computing, pocket-sized hard drives and increasing use of social networking services like Facebook and LinkedIn (see sidebar).

 

As a result, IT faces “a real dilemma,” says Gene Mainen, Enterprise Risk Manager at FundQuest Inc., a Boston-based financial services subsidiary of BNP Paribas. Risks are increasing, but so are penalties for failures to comply with protective legislation. “While we are managing risk and complying with regulations, we still need to maintain business agility and high levels of customer service,” Mainen says.


 

Under a Massachusetts state regulation slated to take effect next March, for example, even inadvertent leaks of certain types of consumer-related data by a business will result in fines of as much as $5,000 per lost record. And as of October 1, businesses that operate in the state of Nevada are requested to encrypt residents’ Social Security, driver license and bank account numbers before transmitting that data over a public network.

 

“While privacy breaches have always been a very serious issue,” says Mainen of FundQuest, the greatest harm was direct liability to those injured by the disclosure. That’s likely to change if, as most observers expect, the majority of U.S. states follow Massachusetts and Nevada in adopting much stricter consumer-protection rules than now exist. Some expect the U.S. federal government to issue regulations that will try to standardize the state laws now on the books.

 

The current regulatory environment is particularly hard on providers of financial services such as FundQuest. Since 2004, the federal Securities and Exchange Commission has required such firms to archive for seven years all e-mails and instant messages as a way to help with investigations of insider trading and other improprieties. But keeping all that data raises the risk of privacy leaks which, under the new regulations, can result in not only a damaged reputation but serious monetary fines, Mainen says.

 

Compliance, California-style

Public agencies are struggling with risk and compliance, too, says Mark Weatherford, California's Chief Information Security Officer: "We have to comply with virtually every privacy regulation that the private sector deals with,” he says, such as the Payment Card Industry data security standards and the Health Information Privacy Protection Act, as well as Internal Revenue Service rules protecting tax-related information.
   
One of Weatherford’s main goals since taking office last year has been to establish a uniform data-security framework for all of the state's 130 agencies, commissions and boards to use. He also works to “evangelize” the importance of compliance and data security across the Golden State, explaining the risk environment to both state entities and local businesses. Auditing is routine, too. "We self-audit as much as we can," Weatherford says, "and depending on the regulatory environment involved, we host external audits, as well.” At any one time, dozens of audits are under way.

 


“Everyone’s struggling” with the additional requirements, says Matwyshyn, whose book, Harboring Data: Information Security, Law and the Corporation, was recently published by Stanford University Press. She advocates shifting away from the “ethos of data hoarding” as a good first step in alleviating the problem.

 

According to Matwyshyn, “Many organizations have grown up thinking that more data is better,” and that they can wait to figure out what data to keep. But this is far from “the optimal form of risk management,” she says. “Not all data is equally useful, and the more high-sensitivity data you store, the more you become a target.”

 

Too Much Data?

Customer data, Matwyshyn says, is particularly prone to being retained long after its business value has faded. “Traditionally, marketing departments have stored customers’ entire purchase history, perhaps 10 years of data. But consumers’ profiles evolve,” so the most valuable data about customers is actually the most recent snapshot. “Old data just muddies your view. Storing too much data increases storage expense and increases the company’s exposure.”
  
Brian Thomas, partner in the Risk Advisory Services group at Weaver & Tidwell, a Texas-based accounting firm, concurs: “The business side needs to ask, what data do we really use?” Thomas recommends mapping “what your organization looks like from a data perspective. Classifying your data helps you to understand what data you have and the sensitivity associated with each category,” he says. “Then, IT has to figure out where all this data resides: Which apps actually use this information?”
  
This initial classification exercise may be laborious, he says, but the payoff comes in greatly reduced risk for the organization as a whole. The legal department will be better able to identify the data that’s required for the sake of compliance, and IT can purge the rest. “IT serves the business; it can’t tell them what to do. So, IT needs to facilitate, but it can’t do the whole thing.” Thomas encourages IT to get buy-in from chief financial officers and chief operating officers, too.


 

IT’s Role

Matwyshyn says that IT has a “broad role” to play in risk management. Besides “showing how technology fits into the big picture of the organization,” CIOs also need to guide leaders into adopting positive security strategies. “Unless someone takes the leaders by the hand and explains to them the big picture concerning risk, they frequently won’t see it for themselves.”

 

Despite the best intentions of risk managers, the most vexing challenge remains how to balance compliance against business agility and speed-to-market. “What if someone sends us trading instructions to act on; will [the transaction] be held up by security measures?” Mainen asks. If FundQuest fails to process trades fast enough, it not only faces penalties but the possibility of customers taking their business elsewhere.

 

To meet its multiple goals, FundQuest moved its data processing to two new, especially secure data centers and began testing its network against penetrations multiple times a year. It also standardized on a single brand of PDA, made encryption mandatory for all e-mails and all data on laptops, and implemented two-factor authentication for all devices connecting to its network from outside its firewall.
  
Mainen says that while data security has always been important, when it became clear about three years ago that data compliance would become an even bigger issue, FundQuest established a Security Working Group that brought together managers from all across the company, including IT. “The people responsible for risk and IT have to be talking regularly to make sure we all meet our goals,” Mainen says. “It has been a subject of continuing education for all of us.”


 

And education may be a core driver. Philip L. Gordon, an attorney who specializes in employment and labor law at Littler Mendelson in Denver, notes that “at the end of the day, compliance is more about policy and people. Technology alone won't solve the problem.”

 

John W. Verity is a business and technology writer based in Santa Rosa, Calif.


 

Smart Enterprise Exchange does not provide legal advice. Neither this document nor any technology solutions or business practices referenced herein shall serve as a substitute for the reader’s compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, policy, standard, requirement, mandate, administrative order, executive order, etc.-- collectively, “Laws”) referenced in this document. The reader should consult with competent legal counsel regarding any Laws referenced herein.

 

 

 

ASK THE EXPERTS
Philip L. Gordon

 

Philip L. Gordon chairs the Privacy and Data Protection Practice Group of Littler Mendelson, a law firm representing management in employment matters. He has counseled hundreds of clients on workplace privacy and data protection issues, including electronic surveillance; compliance with domestic and foreign data protection laws, security-incident response; background checks; and new technology in the workplace. Gordon authors the blog, www.workplaceprivacycounsel.com and speaks frequently on workplace privacy issues. He serves on the Advisory Board of BNA's Privacy and Security Law Report and the IAPP's Educational Advisory Board. He is a graduate of Princeton University and the New York University School of Law.

pgordon@smartenterpriseexchange.com

 

Gene Mainen

Gene Mainen is Enterprise Risk Manager at FundQuest Inc., a Boston-based financial services subsidiary of BNP Paribas. He joined FundQuest as Operational Risk Manager in 2002, and became Enterprise Risk Manager in 2005. He has 15 years of experience in the financial services business and also worked for 3M and was the leader of two successful business start-ups.

gmainen@smartenterpriseexchange.com
Gene is also a Smart Enterprise Exchange member and can be contacted on the Exchange.

 

Andrea M. Matwyshyn

Andrea M. Matwyshyn is Assistant Professor of Legal Studies and Business Ethics at The Wharton School at the University of Pennsylvania. Her book, Harboring Data: Information Security, Law and the Corporation, is due out this fall from Stanford University Press. Matwyshyn is a recognized expert on legal and policy issues related to corporate information security and consumer data privacy, and she is a graduate of Northwestern University. amatwyshyn@smartenterpriseexchange.com

 

Brian Thomas

Brian Thomas is a Partner in the Risk Advisory Services group at Weaver & Tidwell, a Texas-based accounting firm. Trained as a civil engineer at the University of Texas, Austin, Thomas has been an IT management consultant for 10 years. He joined Weaver & Tidwell in 2007 when that firm merged with McDonald, Fox and Lund, P.C., where he was a principal. bthomas@smartenterpriseexchange.com

 

Mark Weatherford

Mark Weatherford was appointed Director and Chief Information Security Officer (CISO) of the California Office of Information Security in June 2008. In this role, he oversees the state’s cybersecurity activities as well as information security program policy, standards and procedures. Weatherford has also recently guided state efforts to consolidate four IT organizations into the California Office of the State Chief Information Officer.
He previously served as the CISO for the State of Colorado. A former U.S. Naval Cryptologic Officer, Weatherford led the U.S. Navy’s Computer Network Defense operations and the Naval Computer Incident Response Team. At the Raytheon Company, he built and directed the Navy/Marine Corps’ Intranet Security Operations Center (SOC) in San Diego, Calif.
Weatherford holds a master’s degree from the Naval Postgraduate School. He is a member of the Multi-state Information Sharing and Analysis Center, the National Association of State Chief Information Officers, the Information Systems Security Association, and the Information Systems Audit and Control Association. He also holds Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) certifications. mweatherford@smartenterpriseexchange.com
Mark is also a Smart Enterprise Exchange member and can be contacted on the Exchange.
