data security

Subscribe to data security via RSS

Woman talking with alphabet letters coming out of her mouth.At least, that is, unless overheard, written, or recorded. Just ask anyone following the presidential campaigns.  Absent concrete evidence, spoken words evaporate and any discussion of them quickly devolves into the type of “he said, she said” game usually seen in low-budget television courtroom dramas and on playgrounds.  A few weeks ago, my colleague Peter Sloan posted All we really need to know about Information Governance we learned in kindergarten.  Let’s ponder an additional learning point from Mr. Fulgham:

When you go out into the world, watch for traffic.

Continue Reading Sticks and stones may break my bones, but words will never hurt me….

Hands pointing towards businessman holding head in hands concept for blame, accusations and bullyingBeing a CISO is a tough gig.  The perpetual deluge of news items on hack after hack, breach after breach, has finally conveyed that data security is an imperative for all companies, large and small.  But the perception still lingers that the Chief Information Security Officer (or the InfoSec team) will single-handedly prevent breaches at “our” company – and if one should occur, will take care of the response.  For some CISOs, it may feel like High Noon, all over again.

This is unfair to the CISO, and wrong on at least two counts.  First, regardless of the CISO’s job description, the full range of cyber risk exceeds the scope of the CISO’s practical control.  Second, effective breach response requires up to ten channels of coordinated activity, and nine of the ten fall outside of the CISO’s authority.Continue Reading Why govern your information? Reason #10: It’s a when, not if, world for data breaches

3d blue cubes come together from different directions. Dr. Stephen Covey reminded us that “important” is not the same thing as “urgent.”  Records retention reminds us that important is not the same thing as exciting.  I get it – records retention schedules are boring.  But the fact remains that literally thousands of records retention requirements apply to your organization’s information.  I know, because my firm finds and tracks these laws as part of our many years of retention schedule work for clients across industries.  And your regulators expect you to know them too.Continue Reading Why govern your information? Reason #11: Thousands of federal and state records retention laws apply to your company

Cat watching a movieIn my last post I talked about how organizations can get employees to follow security advice. Today’s riff is on “making it personal.” Make security self-serving.  In other words, answer the question, “What’s in it for me?”  Corporate security is inextricably linked to personal privacy—here’s why.
Continue Reading Corporate security – “What’s in it for me?”

Broken brick wall and blue sky with clouds.This week, with echoes of vintage John Mellencamp in the air, the U.S. Court of Appeals for the Sixth Circuit took a gavel to the wall that for years has blocked consumer class actions for data breach claims – Article III standing.  In Monday’s unpublished, 2-1 decision in consolidated cases against Nationwide Mutual Insurance Company, the court ruled that plaintiff consumers had standing to pursue negligence claims against Nationwide arising out of a 2012 security breach, in which hackers stole personal information of 1.1 million customers.

The Sixth Circuit is now aligned with the Seventh Circuit, which just last year in its Neiman Marcus decision similarly lowered the bar for Article III standing in consumer data breach litigation.Continue Reading Consumer data breach litigation standing – the walls are crumblin’ down

Donald Trump speaks during introduction Governor Mike Pence as running for vice president at Hilton hotel Midtown ManhattanIt’s certainly been a wild, heated presidential race.  Information governance has remained at center stage, ever since President Obama’s successful 2008 rallying cry, “Data We Can Believe In.”  And the 2016 candidates have followed suit, with Bernie Sanders’ “What We Need is an Information Revolution,” Hilary Clinton’s “Information for America,” and Jeb Bush’s succinct slogan: “Data!”

But no candidate has tapped into the electorate’s visceral hopes and fears for information governance with more gusto than Donald Trump.  As election day nears, it’s time to take a closer look at Mr. Trump’s positions on managing information compliance, cost, risk, and value.

I’m calling for a total and complete shutdown of data entering our computer systems, until our IT representatives can figure out what the hell is going on.

Continue Reading The politics of information governance

View of crowd covering earsBy now, you’ve surely heard about the hack of the Democratic National Committee that gathered thousands of email messages, the contents of which were exposed by WikiLeaks and ultimately caused Chairwoman Debbie Wasserman Schultz to resign. But did you also know that only last fall, the DNC commissioned a two-month security risk assessment that yielded dozens of recommendations to improve the security of its network? The real story is what happened next.
Continue Reading Why people ignore security advice, and what to do about it

KindergartenSometimes we make things way too complicated – especially our relationship with business data. Allow me to “kidnap” Robert Fulghum’s classic poem – wisdom in effectively governing information compliance, cost, risk, and value is not found exclusively at the top of the data science mountain, but there in the sandpile at kindergarten.  Here are the things we learned there:
Continue Reading All we really need to know about Information Governance we learned in kindergarten

Retina ScanOK, “souls” is alliterative, but a bit over the top.  How about instead “selling our bodies for security,” such as our retinas, our fingerprints, or our faces?  Multifactor authentication is indeed a useful security access control, the combination of two or more of (1) something you know, (2) something you have, and (3) something you are.  Thus, requiring both a password or PIN (something you know) and also a token or certificate (something you have) should be more secure than merely requiring a password.

The problem is that as biometric authentication becomes more widespread, our immutable characteristics are in play, in a when not if world of data breaches.  Getting hacked can cause harm and embarrassment, but if biometric authentication becomes widespread, the post-breach “loss of face” will be literal … and also permanent.
Continue Reading Selling our souls for security

Hammer ponding computer keyboardPoor data. Though more essential to business than ever before,  data is simultaneously frustrating for its inaccessibility, intimidating in its volume and complexity, distrusted for its unreliability, maligned for its management costs, and feared for its litigation, privacy, and security risks.

But let’s not cast business data as the culprit. Data is basically inert.  It sits where we store it, goes where we send it, does what we (or some system programmer) tell it to do, and is as secure as the safeguards we provide.  Data is not the “actor” – good, bad, or indifferent.  We are.

If we’re honest with ourselves, we can see that most every problem we experience with business data has its root in what people do, or fail to do, as individuals, work teams, or organizations:Continue Reading People don’t have data problems ….