A previous column discussed the value of data, how it is monetized by bad actors, and how executives typically do not understand the answer to that most critical of questions: “Where does our most critical data reside?” Too often, this seemingly simple question receives only looks of confusion or dismissal. Asking a CFO, or any non-IT executive, will at best result in, “Ask my chief information/technical/data officer.” Asking the CIO and CTO usually results in, “You have to ask the business,” and so the conversation goes in circles.
Only a chief data officer (CDO), typically someone with a PhD or MS in data or computer science, will have the tools and ability to independently determine the location of a business’s most critical data. And only very large, multibillion-dollar corporations will have the breadth and depth of technology infrastructure to support having a CDO.
The overwhelming majority of businesses have no CDO. There are no regulations that require them, and the expense to fund a CDO office can be significant. So how does one ascertain the location of critical data? Below are some very basic guidelines for beginning the process of finding the answers needed for data risk mitigation.
Tracking Down Data
The first step is to work with the IT organization to build a list of all data storage locations within the enterprise. This list must include—
- desktop storage, both internal and external;
- on-premises storage, including every storage array in any onsite backup location;
- offsite or third-party backups, if any;
- all storage services on public clouds;
- all storage services on hybrid clouds;
- all storage services on private clouds; and
- all storage on noncomputer devices including smartphones, tablets, thumb drives, and CCTVs.
Once this list is assembled, the information must be broken down by each of the above locations to determine—
- which applications or data are stored in which locations;
- the naming conventions used in each of the locations;
- how much data is being stored; and
- how much redundant data is being stored.
Next, determine the following:
- Which data are personally identifiable information (PII) or private information (PI), as per the Federal Information Security Management Act (FISMA), the Privacy Act of 1974, the California Consumer Privacy Act (CCPA), 23 NYCRR 500, and the General Data Protection Regulation (GDPR)?
- Which data are protected health information (PHI) as per the Health Insurance Portability and Accountability Act of 1996 (HIPAA), CCPA, and GDPR?
- Which data are cardholder data as per the Payment Card Industry Data Security Standard (PCI DSS), CCPA, 23 NYCRR 500, and GDPR?
- Which data may be subject to the Gramm-Leach-Bliley Act (GLBA) or the Wall Street Reform and Consumer Protection Act?
Finally, decide which data are most consequential. Examples include the following:
- Intellectual property (IP) data
- Accounts payable/receivable data
- Financial forecast data
- Strategic plan data
- Legal hold data
- Passwords, PINs, and other security/access information.
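The classification step above (which records are PII, PHI, cardholder data, or access credentials, and therefore which regimes attach to each storage location) can be started with a simple content scanner run over the inventory from the first step. The script below is an added example, not part of the original column: the inventory, record text, and location names are constructed, the regime mapping follows the lists in this column, and the detection rules are deliberately minimal (an SSN pattern, a Luhn-checked card-number pattern, and a few PHI and credential markers) so that the per-location summary is easy to follow.

```python
import re
from collections import Counter

# Constructed sample inventory: storage location -> text records found there.
# Values are made up for illustration; none are real identifiers.
SAMPLE_INVENTORY = {
    "onprem-array-01": [
        "patient: Jane Roe, dx: J45.20, mrn: 00012345",
        "customer: John Doe, ssn: 123-45-6789",
    ],
    "s3://acme-backup": [
        "card: 4111 1111 1111 1111 exp 12/27",
        "quarterly forecast draft v3",
    ],
    "laptop-fin-07": [
        "card: 4111 1111 1111 1112",   # fails the Luhn check, so not tagged
        "password: hunter2",
    ],
}

# Data category -> regimes the column names for that category.
# Credentials are listed as consequential data but with no statute attached.
REGIMES = {
    "PII": {"FISMA", "Privacy Act", "CCPA", "23 NYCRR 500", "GDPR"},
    "PHI": {"HIPAA", "CCPA", "GDPR"},
    "cardholder": {"PCI DSS", "CCPA", "23 NYCRR 500", "GDPR"},
    "credentials": set(),
}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-19 digits with optional single spaces or dashes between them.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
PHI_MARKERS = ("mrn:", "dx:", "diagnosis")
CREDENTIAL_MARKERS = ("password:", "pin:")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_record(text):
    """Return the set of data categories detected in one record."""
    cats = set()
    low = text.lower()
    if SSN_RE.search(text):
        cats.add("PII")
    for m in PAN_RE.finditer(text):
        # Only Luhn-valid sequences count; this filters most random digit runs.
        if luhn_valid(re.sub(r"\D", "", m.group())):
            cats.add("cardholder")
    if any(k in low for k in PHI_MARKERS):
        cats.add("PHI")
    if any(k in low for k in CREDENTIAL_MARKERS):
        cats.add("credentials")
    return cats


def scan_inventory(inventory):
    """Per location: count of records per category and the regimes in scope."""
    report = {}
    for location, records in inventory.items():
        counts = Counter()
        regimes = set()
        for rec in records:
            cats = classify_record(rec)
            counts.update(cats)
            for c in cats:
                regimes |= REGIMES[c]
        report[location] = {"counts": dict(counts), "regimes": sorted(regimes)}
    return report


if __name__ == "__main__":
    for loc, info in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{loc}: {info['counts']} -> {info['regimes']}")
```

The output lists, for every storage location, how many records fall into each category and which regimes therefore apply to that location; the marker-based PHI and credential rules are placeholders that a real deployment would replace with a data-discovery tool's detectors.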
Once the data are ranked, assign financial impacts to each of the various data groups. When doing so, understand the systemic cost of a breach of any of these items, but also make sure to understand the regulatory costs that an entity will potentially face. While businesses do not like to discuss these issues, they become material in understanding risk. There are issues around third-party indemnification to study, cyberinsurance issues to discuss, and potential regulatory costs to consider:
- HIPAA violations can cost up to $50,000 per violation, with a $1.5 million cap per provision (and there can be many provisions) during a calendar year, as well as a potential jail sentence of up to 10 years when the breach is due to personal gain or malicious reasons.
- PCI violations can cost up to $231 per record.
- CCPA violations can cost up to $7,500 per customer incident, plus up to $750 or actual damage.
- GDPR violations can cost €20 million or 4% of worldwide revenue, whichever is greater.
- 23 NYCRR 500 violations are punishable by fines deemed appropriate by the New York Superintendent of Financial Services, up to and including revocation of the license to do business.
The average cost for a midsized enterprise in the United States to remediate a data breach in 2018 was $10.3 million—the more unknowns, the greater the cost. In addition, the FBI estimates that for every 100 days of dwell time (i.e., the period from the actual attack to the organization’s discovery of the attack), the cost of remediation doubles. As an illustration, consider the impact of over 1,300 days of dwell time for Starwood’s data breach: thirteen doublings mean the ultimate cost to Starwood/Marriott will be approximately 8,192 (2^13) times the original cost of the breach. Remember as well that 70% of all cyberattacks are directed against the 50% of U.S. companies with annual revenues of between $10 million and $500 million. Of the attacked firms, 60% fail after six months due to the cost of remediating the attack.