(This blog post was written by Diane K. Carlisle, executive director of content at ARMA International.)
So, your attempt to manage the governance, risk, and compliance (GRC) program with a series of complex spreadsheets leaves you in a state of massive depression. You’ve decided the obvious solution is to purchase a piece of software so you can easily track and monitor all your compliance issues. Simple enough, right?
While we’d all like to believe that technology is the magic answer to our woes, there are many factors to consider before you can make a wise software purchasing decision. You must have a clear understanding of organizational compliance requirements, internal business processes, and existing tools to avoid purchasing and implementing software only to find that you still have gaps and vulnerabilities in your compliance program.
The information governance/compliance intersection
The most stringent tests of an organization’s compliance with its internal and external requirements come through third parties, such as an agency regulator or — in the case of litigation — the opposing counsel or a judge. At the heart of these types of inquiry is that third parties need to judge the organization’s actions, or inactions, and the impact they have on compliance.
An organization’s compliance requirements spring from a complex array of legislation, regulation, industry expectations, and its own voluntary commitments regarding how it will conduct business. While the requirements for each organization will vary significantly, all organizations need a reliable means of demonstrating compliance with these requirements. That demonstration nearly always takes the form of documentation — and this is where compliance intersects with information governance.
A planning framework for information governance
An organization that can demonstrate it has established policies and procedures, a way to measure its compliance with them, and a plan for improving its compliance in areas that need it can show that it takes its compliance obligations seriously. These companies will typically fare better with auditors and judges than those that take a more ad hoc approach.
For organizations in the ad hoc category, ARMA International has two invaluable tools that can help them position themselves in the former category. They can use the Generally Accepted Recordkeeping Principles® (Principles) to develop an information governance framework, and the Information Governance Maturity Model (Maturity Model), which is based on the Principles, to assess its program, plan for improvements, and measure its progress.
The Principles framework defines the characteristics of a holistic information governance program and the essential hallmarks of effective records and information management, which is the foundation for information governance. There are eight Principles, each thoroughly explained on the ARMA International website.
The benefits of information governance
The Principles make it clear that to achieve reliable results, the organization must hold individuals accountable for their defined recordkeeping responsibilities. It also must put into place policies, procedure, and tools that apply throughout the records and information life cycle.
Adopting this framework and implementing the defined recordkeeping controls creates an information governance program that will:
- Serve as a guide to planning: The Principles specify key controls that will help the organization achieve compliance. These controls contribute to authentic records and information that can be relied upon for both business decisions and compliance requirements. Without these program elements in place, records may be incomplete, inaccurate or missing all together.
- Provide an objective means for measuring progress and sufficiency: A key part of the Principles framework is the Maturity Model mentioned earlier. This five-level metrics model is used to measure the maturity of the information governance program and identify gaps that can leave the organization vulnerable. Once the organization establishes this baseline, it can use the Maturity Model on an iterative basis to show progress improvement over time.
- Demonstrate a conscious focus on recordkeeping: The courts are not holding organizations to a standard of perfection. But they do want to see evidence that the organization is addressing issues as they arise. Even better, this information governance framework will help the organization pre-empt problems by guiding it in taking proactive steps to improve processes and technology tools.
- Prepare the organization for “pop up” audits: When there is consistent attention to recordkeeping policies and procedures and an appropriate use of tools, an organization needs not fear the “pop up” — or a surprise audit.
Governance and compliance: A natural collaboration
Information governance is central to an organization’s ability to demonstrate compliance with both internal and external requirements. The Principles framework provides a means to gain a solid understanding of the organization’s compliance requirements. There may already be software that can be adapted for compliance purposes, or new software may still be needed. But with a better understanding of the records and information management program, you can ensure that the new software complements what is already in place.
Diane K. Carlisle, IGP, CRM, is executive director of content at ARMA International, a not-for-profit professional association and authority on governing information as a strategic asset.
The U.S. Securities and Exchange Commission (SEC) announced this month that it has approved a contentious pay-ratio rule first introduced by the Dodd-Frank Act five years ago. Also in recent regulatory news: The SEC reiterated its stance on protecting internal whistleblowers and is fighting to redefine its regulatory role on Wall Street.
SEC approves CEO pay disclosure rule
Earlier this month, the SEC voted to adopt an executive pay-ratio disclosure requirement that was first introduced under the Dodd-Frank Act when it was approved by Congress in 2010. The provision will require public companies to disclose their chief executives’ yearly compensation in proportion with employees’ median earnings.
The requirement is highly controversial, and its adoption was delayed for years because opponents argued that the rule’s supporters wanted to shame CEOs instead of illuminate pay gaps. They also contended that implementing the rule will needlessly drain companies’ resources.
“Here we are, on the cusp of adopting a nakedly political rule that hijacks the SEC’s disclosure regime to once again effect social change desired by ideologues and special interest groups,” said SEC Commissioner Daniel Gallagher, one of the rule’s opponents, in a statement.
However, proponents such as Economic Policy Institute President Lawrence Mishel said the rule is an important step toward greater corporate transparency.
SEC extends Dodd-Frank protections to internal whistleblowers
The SEC also released guidance about how to interpret whistleblower rules under the Securities Exchange Act of 1934. The document bolsters the agency’s viewpoint that whistleblowers who report misconduct internally before informing the SEC are protected by the employment retaliation protections provided by the Dodd-Frank Act.
The guidance is at odds with recent court rulings on Dodd-Frank’s vague language on what constitutes a “whistleblower” and who is entitled to the whistleblower protection rules, reported The Wall Street Journal. The law’s whistleblower provisions provide retaliation protections to those who report wrongdoing to the SEC, but the agency maintains that this extends to those who first report violations internally. The agency’s recently released guidance is meant to give whistleblowers greater clarity about the SEC’s stance on the matter, as well as give whistleblowers more confidence they will be protected when reporting internally, Jordan Thomas, a partner at Labaton Sucharow LLP, told WSJ.
“The SEC is sending clear message to the whistleblowers, companies and courts about the scope of its authority to prosecute cases involving retaliation against whistleblowers,” he said.
To redefine role, SEC ramps up pursuit of high-profile cases
The SEC is also ramping up efforts on high-profile cases that could revamp its role as a Wall Street regulator. The trend comes as SEC detractors claim that the agency is not assertive enough in its enforcement against prominent wrongdoers, and is instead too focused on low-profile cases, according to The New York Times.
These high-profile cases include the following: pending charges in an investigation involving insider trading and cybersecurity; pending investigations into insider trading activity by golfer Phil Mickelson and sports gambler William T. Walters; and a pending investigation into Wall Street’s employment of the children of China’s political elite.
The Times reported the SEC’s progress comes during a slowdown of criminal investigation into insider trading activity in New York due to a recent court ruling that makes it more difficult for federal prosecutors to pursue these cases.
Massachusetts Senator Elizabeth Warren, the U.S. Chamber of Commerce and law professors are among those critics that have called on the agency to be more aggressive when pursuing criminal investigations against Wall Street.
The U.S. Justice Department is in the process of taking on a compliance specialist to help determine whether to prosecute companies charged with foreign bribery. Also in recent GRC news: Mead Johnson Nutrition Co. will pay the SEC $12 million to settle foreign bribery charges; and a Goldman Sachs unit will pay $1.8 million for failing to accurately report trade orders to the Financial Industry Regulatory Authority.
U.S. Justice Department hires compliance counsel
The U.S. Department of Justice (DOJ) will hire a compliance counsel to help prosecutors decide whether companies charged with foreign bribery are victims of rogue employees or are willfully turning a blind eye to compliance and should be prosecuted.
The hire is the DOJ’s response to concerns in the business community that some companies do not get enough credit for establishing solid compliance programs that try, but ultimately fail, to prevent foreign bribery acts by conducted by employees, reported The Wall Street Journal.
The new counsel has already been chosen and is being vetted. In addition to helping DOJ decide whether to prosecute bribery claims, the compliance specialist will also aid in determining appropriate fines and whether further monitoring is necessary, Andrew Weissman, chief of the fraud section of the DOJ, told the WSJ.
The compliance counsel will also assist the DOJ’s fraud division with other investigations, including healthcare and securities charges.
Mead Johnson will pay $12M in bribery settlement
Mead Johnson Nutrition Co., a global manufacturer of infant formula, will pay $12 million to settle U.S. federal civil charges alleging that the company’s Chinese subsidiary bribed doctors and other health professionals to recommend its flagship product, Enfamil.
The Securities and Exchange Commission (SEC), which announced the settlement last week, also alleged that the Chinese subsidiary paid health professionals to give Mead Johnson patient contact information to be used for marketing purposes.
The bribes added up to $2 million between 2008 and 2013 and generated about $7.8 million in profits for the manufacturer, according to the SEC. Mead Johnson failed to correctly record the payments, and lenient internal controls allowed the subsidiary to draw the bribes from “off-the-books slush funds,” said the head of the SEC’s foreign corrupt practices unit.
The SEC said that Mead Johnson conducted internal investigations to resolve the charges, and took corrective measures such as improving accounting controls and establishing a unit to monitor compliance.
Goldman Sachs to pay $1.8M for reporting negligence
The clearing and execution unit at Goldman Sachs Group Inc. must pay $1.8 million for failing to report “a substantial number” of details about its alternative trading system orders to a Financial Industry Regulatory Authority (FINRA) auditing system. The negligence occurred over a seven-year period.
Goldman Sachs didn’t confirm or deny the charges in reaching the civil settlement. A company spokesperson said Sachs reported many of the issues to FINRA, made voluntary moves to fix the problems and aided the FINRA investigation.
Further Goldman Sachs violations included sending inaccurate order data to FINRA for more than eight years and not implementing adequate controls to prevent infractions.
Numerous regulations were introduced worldwide to make financial services institutions more resilient following the monetary crisis of 2007 to 2008. Now, these regulations, which global management consulting firm Accenture collectively calls global structural reform (GSR), are having an impact on how companies target spending: More than half of financial institutions expect to invest $200 million to revamp their business models so they can meet GSR regulation requirements, according to Accenture’s 2015 Global Structural Reform Study. The report’s authors said that while the investments are a step in the right direction as these organizations strive to build resilience in the wake of the crisis, their focus is more on complying with the demands of GSR regulations like Dodd-Frank and Basel III than on strategies to stay competitive in the long term.
The study is based on a survey of 131 global banking, insurance and capital market institutions. Fifty-six percent of these institutions reported planning to spend $100 million or more on technology expenditures related to GSR, and another 56% anticipate $100 million or more in non-technology spending to comply with GSR. Nearly one-third of those surveyed expect to spend at least $500 million on GSR expenditures.
These significant investments are justified, wrote the study’s authors, considering that only about 21% of these organizations have achieved compliance with key GSR regulations. Furthermore, respondents expect an increase in the number of full-time employees dedicated to business changes to meet GSR requirements: 61% plan to dedicate 100 or more full-time employees to technology changes, and 69% will add non-technological employees.
Despite the heavy compliance focus, there are organizations making strides in thinking strategically about GSR by revamping their business processes and product suites. For example, 57% of respondents indicated they will tailor their geographic footprint, and half plan to divest geographic units or relocate their headquarters or business units. The authors believe these moves could lead these organizations to consider new technologies or operational models that are not as costly or risk- and capital-intensive. Moreover, 48% said they are doubling down on their core competencies over the next two years to achieve market-driven specialization, while 62% are planning to launch new products or services over the next two years.
Although compliance officers are relatively new to the leadership table, they must strike a balance between adding strategic value to their organization and meeting the requirements of GSR regulations, said Samantha Regan, one of the authors of the study and a lead in Accenture’s regulation and compliance practice.
“It is important that strategic changes to the organization — such as changing where and how a firm conducts its business or leveraging new, more sophisticated technologies and digital applications — are implemented in incremental stages and are in line with the changes the firm is undertaking for regulatory purposes,” she said in an email.
Compliance officers and their firms can achieve this by crafting a clear roadmap that first tackles the minimum regulatory requirements and eventually supports enhanced capabilities and evolving business models to help them compete in their target markets, said Regan.
“Compliance professionals who can keep pace with this changing ecosystem, partner with the front office and help the organization effectively meet changing regulatory [and] customer demands will be integral in driving competitive advantage,” she added.
Five years after the Dodd-Frank Act was enacted, the creators of the law contemplate the wide-ranging legislation’s impact on the financial and banking industries. Also in recent GRC news: The SEC heads a civil probe into public companies potentially involved in the FIFA bribery scandal, and critics voice concerns regarding the SEC’s use of in-house judges in administrative cases.
Creators of Dodd-Frank law reflect on its history
This week marked the fifth anniversary of the Dodd-Frank Act of 2010, the sweeping U.S. federal law that overhauled regulatory processes in the financial and banking sectors. There is continuing debate over the law’s merits: Advocates argue it makes banks less risky, while critics claim it hurt smaller banks and crippled the economy. The legislation’s sponsors, former Sen. Christopher Dodd and former Rep. Barney Frank, recently sat down with The Wall Street Journal to discuss its impact.
Dodd and Frank discussed what they consider the most significant impact the law made, and one aspect that they would change. Other points they touched on were why they believe the legislation has made the financial system safer; how confident they are about the death of “too big to fail” institutions; and the concerns about Dodd-Frank driving more financial activity into the less-supervised shadow banking system.
SEC leads new FIFA corruption investigation
The goal of the probe, which is in its early stages, is to investigate whether publicly traded companies involved in soccer contracts violated U.S. federal anti-bribery laws such as the Foreign Corrupt Practices Act (FCPA), and if enforcement action is needed. Although the FCPA largely applies to government corruption, the law contains corporate books and records keeping requirements that prohibit commercial bribery.
Critics challenge SEC’s in-house judicial process
The SEC itself is also under scrutiny, as the commission faces new criticism about its use of internal judges when it pursues cases rather than bringing them to Federal District Court. The passage of the Dodd-Frank Act first gave the SEC the option to file certain cases using its own administrative proceedings. Today, cases such as insider trading charges that in the past were typically pursued in a Federal District Court are more likely to be heard by the SEC during these in-house administrative proceedings.
Some detractors of the SEC’s administrative hearings — including Judge Jed Rakoff from the U.S. District Court for the Southern District of New York and the U.S. Chamber of Commerce — claim that they give the SEC an unfair advantage.
Peter J. Henning, a professor at Wayne State University Law School, argued in The New York Times that the debate goes further than that. There’s also the perception that the internal hearing process is in some ways flawed compared with federal court cases, and that it is inherently a “closed system in which the agency acts as both prosecutor and judge over the case,” Henning wrote. Some of these limitations, Henning said, include the following: Defendants are not granted pre-trial discovery rights and instead must rely on information gathered by the SEC; the initial decision in the proceedings is made by a judge employed by the SEC; and appeals must be heard by SEC commissioners before the cases can go to federal appeals court.
Henning proposes that the SEC compromise with critics of its administrative hearings by modestly expanding discovery rights. “The notion that the S.E.C. has gathered all the relevant information, and that a defendant cannot question witnesses in advance of a trial, goes against the view that each side should have the same opportunity to put on its case,” Henning wrote.
SEC commissioner Luis Aguilar strongly urged his colleagues at a cybersecurity conference last month to push Reg SCI up on their priority lists, particularly in terms of widening the regulation’s coverage. Also in the news: The PCI Council updates its peer-to-peer encryption standard; the SEC proposes a rule that will enable companies to take back executive bonuses; and more.
SEC commissioner calls for Reg SCI expansion
The U.S. Securities and Exchange Commission commissioner is calling for the regulator to broaden the scope of Regulation Systems Compliance and Integrity (Regulation SCI), a rule that was passed last November to extend the SEC’s oversight to include the automated information systems of certain regulated entities, namely stock exchanges, plan processors, specific clearing agencies and alternative trading systems.
In a speech at the SINET Innovation Summit last month, Commissioner Luis Aguilar gave a sweeping speech on the challenges of tackling cybercrime. He spoke about the SEC’s “multifaceted” approach in meeting these challenges, including inspecting regulated entities and implementing new rules such as Reg SCI.
Aguilar (pictured left) praised several aspects of the rule: its risk-based approach, emphasis on helping entities develop procedures based on their unique risks, and mandates that require senior management and the board to be actively involved in cybersecurity. However, Aguilar also urged the SEC to expand its scope, because at the moment, it doesn’t cover many participants in the market, including over-the-counter market makers, stockbrokers and transfer agents. He added that this should be the SEC’s “top priority.”
In addition to improvements to Reg SCI, Aguilar entreated fellow commissioners to update the SEC’s guidelines so that public companies can better respond to cybersecurity incidents and provide “better and more timely information” on the specific risks and cyberattacks they face.
PCI Council updates P2P encryption standard
Last month, the Payment Card Industry Security Standards Council (PCI SSC) updated one of its eight security standards in response to feedback from early adopters in the market. The standard addresses point-to-point encryption (P2PE) tools, which encrypt account data in transit between the point of sale (POS) and the secure decryption environment.
According to PCI SSC, the update, which is laid out in the document PCI Point-to-Point Encryption Solution Requirements and Testing Procedures Version 2.0, provides more flexibility to P2PE solution providers, as well as to merchants that use P2PE. Specifically, the PCI SSC’s listings of validated P2PE solutions and applications will now include P2PE components, or services that fulfill particular P2PE requirements, to make it easier for these providers to develop PCI-compliant P2PE products for merchant customers. Additionally, P2PE v2 provides merchants more options on how to implement and manage P2PE technology: They can either manage P2PE tools for their POS locations, which includes enacting the rule’s requirements for separation of the two environments; or they can work with a P2PE solution provider to manage a PCI-compliant P2PE product based on their business needs.
New SEC rule to let companies “claw back” executive bonuses
A rule proposed by the SEC will enable companies that issue faulty financial statements to “claw back” their senior executives’ bonuses once those statements have been restated. The regulation will apply to companies listed on U.S. stock exchanges.
The proposed rule, required by the Dodd-Frank Act of 2010, targets executive bonuses (aka “incentive-based compensation”), the size and payment of which depend on whether a corporation meets or surpasses particular financial metrics. Currently, executives are allowed to keep their bonuses despite their companies correcting artificially inflated financial statements.
While current rules do allow companies to claw back compensation of CEOs or CFOs, the new rule will have a broader scope, including “any other person who performs policy-making functions for the company” in addition to senior officers, said the SEC. It will also apply to pay earned over the course of three years, versus one year under existing regulations.
Wells Fargo, Raymond James and LPL will pay $30M to overcharged clients
Wells Fargo & Co., Raymond James Financial Inc. and LPL Financial Holdings Inc., three of the largest brokerages in the U.S., will have to pay more than $30 million to clients they overcharged on mutual-fund sales, the Financial Industry Regulatory Authority (FINRA) announced Monday.
The wealth-management units of the three firms applied mutual-fund sales charges to the accounts of certain retirement-plan customers and charitable organizations, which should have been waived according to the Employee Income Security Act.
The three companies will not have to pay a fine, because they discovered the inappropriate charges themselves and reported the problems to FINRA. According to one regulator, the firms failed to adequately oversee the financial advisors selling the mutual funds because they didn’t provide them with “critical information and training.”
The U.S. government data breach announced last week began a year ago, giving the perpetrators plenty of time to access federal employees’ personal information, according to the NSA. Also in recent GRC news: A new bill would give Europeans the same data protection rights as American citizens, and a flaw in popular mobile apps could leave billions of data records vulnerable.
NSA: U.S. security clearance data hack began a year ago
The recently discovered breach into the security clearance computer system of the Office of Personnel Management (OPM) began a year ago, according to new information disclosed by the National Security Agency (NSA).
The substantial amount of time between the start of the breach in the summer of 2014 and its discovery earlier this month allowed hackers the ability to accomplish a far-reaching cyberattack, NSA general counsel Stewart Baker told The Washington Post.
The OPM’s security clearance network contains personal and financial information on millions of current, former and prospective federal employees.
The White House has not publicly disclosed whom they suspect executed the breach, but unidentified U.S. officials speculate the perpetrators were hackers sponsored by the Chinese government, according to the Post. Senior U.S. officials say that in the past 12 to 18 months, the Chinese government has started building large databases containing Americans’ information for counterintelligence purposes.
Bill extends U.S. data protection rights to Europeans
A bipartisan bill introduced last week in the U.S. Senate will, if passed, extend to Europeans the same rights American citizens have under the Privacy Act of 1974. The Senate bill would allow Europeans to take legal action against U.S. agencies that misuse their private data. Some members of the European Parliament said that the legislation will not only restore the trust of both American and European citizens in the wake of Edward Snowden’s revelations, but also kick off future data-sharing deals between the E.U. and U.S. governments, according to Politico.
One detail that needs to be cleared up before the bill is put to a vote is whether everyone in the EU — and not just citizens — would be covered under the new law.
Mobile app flaw could leave billions of records vulnerable
German security researchers have discovered a flaw in the way thousands of popular mobile apps store information online, leaving about 56 million pieces of unprotected data vulnerable to attackers. The exposed information includes passwords, addresses and location data. Researchers declined to name the vulnerabile applications, but said they include popular ones available from the Apple and Google app stores.
The issue lies in the way most mobile app developers authenticate users when storing their data online. Most app developers use a default option that allows hackers easy access to the app — and a user’s private data, the security researchers reported.
“In almost every category we found an app which has this vulnerability in it,” Siegfried Rasthofer, one of the researchers, told Reuters. Those categories include messaging, gaming, social networking and bank transfer apps. The researchers predicted that the number of records affected will likely be in the billions.
Feds probe Cardinals for hacking into private Astros network
The FBI and the U.S. Department of Justice are investigating officials from the St. Louis Cardinals for hacking into the private computer system of the Houston Astros to steal information on Astro players. Data stored in the Astros’ internal network included trade discussions, player evaluations and scouting methods.
Law enforcement officials believe a Cardinals staffer accessed the Astros database by trying out passwords that Jeff Luhnow — a former Cardinals executive who is now an Astros general manager — used during his stint in St. Louis. Federal officials are uncertain on who committed the act.
Experts say that while cyberespionage is common among U.S. companies, this is the first known occurrence in the professional sports world. It could also result not only in disciplinary measures by Major League Baseball, but also criminal charges for the violation of the Computer Fraud and Abuse Act of 1986, a federal law.
(This blog post was written by Aislyn Fredsall, an editorial assistant for the TechTarget CIO media group through Northeastern University’s co-op program.)
Is security no longer a major concern for the Internet of Things? Judging from an IoT panel discussion during the 2015 MIT Sloan CIO Symposium, this statement might not be as outlandish as it sounds.
The panel, titled “The Internet of Things: Challenges for a Connected World,” focused on some of the issues facing IoT, including the development of IoT technology and the obstacles of introducing it in the enterprise. Unsurprisingly, security was also among the problems discussed.
“Security’s huge and just like the rest of IT, no one is investing enough in it,” said Michael Chui, a partner of the McKinsey Global Institute and former CIO of the City of Bloomington, Ind. “IoT both increases the attack surface, or creates more vectors, [and] increases the consequences of a breach.”
But besides a few superficial references, the discourse did not actually focus on security until members of the audience specifically asked about it. It is possible that the panel planned to talk about IoT security and just did not get to it within the allotted time, but the fact that security was not a priority discussion topic is telling.
While no one would argue that security is no longer a problem at all for IoT, maybe it is not as big of an issue as it once was.
Fellow panelist Richard Soley, executive director of the Industrial Internet Consortium, placed importance on IoT security when he described how “one of the first two groups created” for the Industrial Internet Consortium was “focused on creating security use cases and applying those security use cases to all the test beds that we develop.”
However, Soley also downplayed how much progress is still needed regarding IoT security by suggesting that it is a problem that can never completely be solved. He voiced this sentiment with his mantra of “it’s going to happen” concerning security breaches.
“First of all, we need to preface any answer [about IoT security] with: It’s going to happen,” he said. “It doesn’t make sense to say we’re not going to do this because of increasing attack surface. It’s going to happen.”
Soley made it clear that breaches are inevitable but that this is not a reason to avoid or postpone adopting IoT technology. In fact, the inevitability should be embraced with IoT adoption.
“The point is we’re going to take advantage of Internet technology because it’s cheap and because we have ubiquitous connectivity,” Soley said. “If we’re going to provide any kind of data privacy we’re going to have to solve the security issues, but you’re never going to get them 100% [solved] and you shouldn’t expect to get them 100% because we don’t have it in the physical world either.”
At least for Soley, it seems that security was not discussed more during the panel because there was nothing new to say on the topic. Enterprises don’t need to develop new security innovations to confront the problems they’re facing with IoT security; they just need to fully utilize already available technology.
“I think that current security technology is perfectly up to the task; it’s just that most of us don’t bother,” he said.
Aislyn Fredsall is an editorial assistant for the TechTarget CIO media group through Northeastern University’s co-op program. She is currently in her third year at Northeastern, where she studies English.
U.S. officials say the recent hack of government computer systems affects 4 million current and former federal employees, but the breach could have impacted private citizens, too. Also in the news: Apple hyped new privacy protections as it updates Siri, while U.S. and EU officials moved closer to Safe Harbor revisions.
Concern for private citizens’ data after U.S. government hack
U.S. officials announced last week that hackers breached the computer system of the Office of Personnel Management (OPM) in December 2014, compromising the personal information of about 4 million current and former federal employees. The intrusion is the largest known U.S. federal data breach in recent years, according to The Washington Post.
The U.S. government suspects that the breach was sponsored by the Chinese government, but China has denied its involvement. The hackers’ goal was to use the stolen personal data to recruit spies, access weapon plans and obtain other confidential information.
Sources told ABC News that federal investigators are now looking into whether the hack affected more than just the reported 4 million former and current employees, including private citizens who have never worked for the U.S. government.
At the G7 Summit in Germany earlier this week, President Barack Obama said that his administration will strengthen the nation’s cyberdefenses in the wake of the breach. “In the case of state actors, they’re probing for intelligence or in some cases trying to bring down systems in pursuit of their various foreign policy objectives,” he said at a news conference at the summit. He also encouraged Congress to pass cybersecurity legislation.
Apple updates Siri, extols user privacy
At Apple’s Worldwide Developers Conference (WWDC) earlier this week, the company unveiled new “Siri” personal assistant features, including capabilities to scour through emails, correlate contacts and extract contextual data from private texts.
Despite how reliant these services are on user data, Apple VP of software engineering Craig Federghi stressed that the company keeps culled data as anonymous as possible and does not share it with third parties. He also said that Apple isolates that data to the user’s device, and that all the information stays under the user’s control.
“All of this is done on-device and it stays on-device under your control. We don’t mine your email, your photos or your contacts,” Federghi said during a speech at the WWDC. He also underscored that Apple has never used search queries to mine personal emails or photos, or to build user profiles.
U.S., EU officials move forward on Safe Harbor revisions
After allegations surfaced that American companies were spying on European citizens, U.S. and European Union officials announced they are finally closing in on updating the Safe Harbor agreement, according to The Wall Street Journal. Safe Harbor is a 15-year-old pact that regulates the way that U.S. companies export and handle European citizens’ personal data.
European officials are giving the U.S. another month to reach an accord on reforming the pact. EU Justice Commissioner Vera Jourova told the WSJ that disagreements remain between the two sides, particularly around the extent of how U.S. security authorities are legally allowed to access consumer data collected by U.S. companies.
(This blog post was written by Jeff Whited, senior manager of education development at ARMA International.)
By leveraging big data as an asset, organizations are tapping new business efficiencies and revenue streams. Credit card companies, for instance, sell data on customers’ buying habits. Healthcare systems aggregate data on treatment regimens and outcomes in an effort to trim costs. Urban planners and other constituencies use government information to advance their goals.
But organizations that allow their data stores to grow into “big data” — which Gartner Inc. defines as “high-volume, high-velocity and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making” — must be vigilant in protecting that data against the privacy concerns of customers, patients and the public at large.
Every few months the headlines scream about a massive data breach— the Home Depot, Target, Anthem and Sony incidents come easily to mind. While it’s tough to account for the reputational damage of such breaches, the actual dollar costs are often graspable. According to an October 2014 article by Brian Nichols of The Motley Fool, Target’s stock fell 7.5% in the first year after the breach was made public. In the first six months, Target’s costs related directly to the security breach hit $378 million.
By retaining vast quantities of data– including so-called dark data, which Gartner defines as “information assets that organizations collect, process and store in the course of their regular business activity, but generally fail to use for other purposes”–organizations are increasing the opportunities for personally identifiable information (PII) to be exposed.
So, it becomes a matter of balancing the risk of retaining big data vs. the reward of monetizing it.
According to the Nichols article, Target has spent at least $100 million to protect itself from future attacks by investing in a new technology infrastructure with enhanced security measures.
Such a step is reasonable, of course. But the best tools and technologies are worth little if they’re not part of a carefully planned initiative. The smartest way to address these security issues is to implement an enterprise-wide information governance (IG) program that is aligned with the organization’s mission, goals and culture. Such a strategic initiative brings together senior stakeholders to make sure the organization’s data is governed in a manner that increases business efficiencies and complies with all laws and regulations.
At the heart of good IG is good recordkeeping, and therefore the senior records manager must be a key player in the IG initiative. Also vital to the program are compliance officers to help ensure the recordkeeping practices are satisfying the demands of such laws as Sarbanes-Oxley for the financial industry and the Health Insurance Portability and Accountability Act; IT executives to provide the right tools and to help effect proper protection policies; legal counsel to help assure the defensibility of the program; and senior managers from the business units to provide realistic guidance on how the information is created and used.
Organizations wishing to monetize their big data should work to mitigate the security risks by implementing an IG program that treats records as the strategic assets they really are. Such a program will help identify gaps in the business processes, minimize legal and compliance risk, and potentially save enormous sums of money in discovery and litigation.
Jeff Whited is senior manager of education development at ARMA International, a not-for-profit professional association and authority on governing information as a strategic asset.