In 2022, businesses face some uncomfortable facts:
- Suffering a data breach may be more probable than avoiding one.
- Regulators require you to know what data you have and where it is located, and to notify those affected by a breach promptly.
- When breaches occur, unprepared organizations suffer the most embarrassment and biggest financial penalties.
The more prepared your business is, the easier it is to face the facts. That means understanding and controlling your data is more important than ever.
That’s where information governance comes into play. At its core, information governance encompasses the strategies you use to handle, classify, store, and protect your data.
So how do you prepare?
It starts by understanding regulations and reporting requirements, and having a plan in place to deal with them.
Information governance requires you to keep yourself up-to-date on the laws and regulations surrounding the data in your systems.
When things go wrong, too many businesses just cross their fingers and hope for the best.
Unfortunately, excuses like “It’s OK, we’re too small,” or “Our customers probably aren’t covered by that law,” simply don’t work.
California, Pennsylvania, New York, and the European Union (EU) are just a few governments with laws regarding data breaches. Failure to notify the public means heavy fines could be imposed – and such laws don’t care about your company’s size.
You might even face additional fines, such as those warned of and imposed by the Federal Trade Commission on companies failing to protect consumers from the Log4J vulnerability.
However, in an increasingly mobile world, regulated data can enter your systems in unexpected ways, making information governance tricky.
- A Pittsburgh hospital treating a German tourist (EU laws apply).
- A township issuing traffic tickets to CA, NY, and Irish residents (CA, NY, and EU laws apply).
- A contract manufacturer in Cleveland collecting business cards (containing names, email addresses and phone numbers) for potential clients in CA, NY, and the Netherlands (CA, NY, and EU laws apply).
Most laws set out some scope, penalties, and reporting requirements, but can be vague about the details. Take a look at a few examples:
- California requires:
  - CA residents to be notified in the event of a breach.
  - For a breach affecting more than 500 residents, state agencies must receive copies of the notification.
  - Disclosure “within the most expedient time possible and without unreasonable delay.”
  - Civil penalties of $2,500 per unintentional violation and $7,500 per intentional violation.
- Pennsylvania requires:
  - Disclosure “notice without delay.”
  - Civil penalty of up to $7,500 per violation.
- New York requires (from multiple regulations: NY Privacy Act, SHIELD Act, etc.):
  - Disclosure that “shall be made in the most expedient time possible and without unreasonable delay.”
  - Civil penalty of up to $250,000 and $15,000 per violation.
- The European Union requires:
  - Disclosure notification to EU regulators within 72 hours of a breach.
  - Penalties of up to €20 Million or 4% of global revenue.
Of these regulations, the most difficult to meet is the EU disclosure deadline.
If your business recognized a data breach, would you know if the data included an EU resident’s personal information?
Would you know and be able to notify the right authorities within three days? What if you discovered a breach on a Friday night?
With the right information governance policies in place, your team will know exactly what steps to take, and who they need to contact.
Data Classification & Control
Data classification provides the key to timely notification and appropriate security measures.
Regulators don’t care if a ransomware attack steals your marketing plans. But if 23 years of your employees’ personal information is stolen, as happened to one company, expect government agencies to step in.
Information governance is about more than avoiding penalties in the aftermath of a data breach. Many laws also include clauses that give citizens the right to have their data deleted.
How can you verify that you’re in compliance if you don’t know where the data resides?
Furthermore, different retention laws apply to different types of data. For instance, credit card information and stock trading records have their own requirements, while some data must be preserved for anticipated lawsuits.
These special data classes require increased security, such as encryption of data at rest, or restricted access to important files and folders.
Practical Information Governance
Most organizations keep decades of data without any classification, all dumped onto shared data servers.
But with the right information governance, you can better locate and protect your most valuable data assets.
Though proper data classification and additional controls are modern requirements, they can be time-consuming to implement and secure.
If you find yourself struggling to piece it all together, outside consultants can dramatically speed up the process.
Data experts can search and analyze unstructured data for social security numbers, credit card numbers, and other regulated data, and implement encryption and access restrictions.
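As an added illustration (not code from this post or from Ideal Integrations), here is a minimal version of the search described above: a Python scanner that finds Social Security numbers and Luhn-valid payment card numbers in unstructured text, records only masked values so the scan log itself does not become regulated data, and labels the text accordingly. The sample text, regular expressions and labels are constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample of the kind of unclassified text that sits on shared
# drives; every value below is made up for this demonstration.
SAMPLE_TEXT = """
Onboarding notes for new hire: SSN 219-09-9999, start date 2022-03-01.
Expense reimbursement card on file: 4111 1111 1111 1111 (exp 09/24).
Invoice reference 1234-5678-9012 is not a card number.
"""

# US SSN: AAA-GG-SSSS, excluding area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 16 digits with optional space/hyphen separators; candidates are
# confirmed with a Luhn check to weed out invoice and reference numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

@dataclass(frozen=True)
class Finding:
    kind: str    # "ssn" or "card"
    masked: str  # all but the last four digits hidden, so logs stay clean
    line: int    # 1-based line number within the scanned text

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]

def scan(text: str) -> list:
    """Locate regulated identifiers; never keep the raw value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding("ssn", mask(m.group().replace("-", "")), lineno))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding("card", mask(digits), lineno))
    return findings

def classify(text: str) -> str:
    """Label text 'restricted' if it holds regulated data, else 'internal'."""
    return "restricted" if scan(text) else "internal"
```

Calling `scan(SAMPLE_TEXT)` reports the SSN on line 2 and the card on line 3, masked, while the invoice reference on line 4 is ignored because it fails the length and Luhn tests.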
If your team is ready to organize and protect your data, contact Ideal Integrations at 412-349-6680, or fill out the form below. Our consultants can provide a no-obligation review of your systems, and organize and protect sensitive data.