Deloitte - Data Leakage Protection Services Review
Nymity's Independent Privacy Solutions Review provides an unbiased assessment of the legal and privacy benefits of Deloitte's Data Leakage Protection Services by detailing how these services will help your organization comply with privacy laws and reduce your exposure to data breaches.
Privacy Compliance: Data Leakage Protection
An unauthorized disclosure of personal information is a violation of all 23 privacy laws in Canada. Unauthorized disclosures occur when personal information is disclosed to individuals where it would not be reasonable to believe the organization had consent for the disclosure. Unauthorized disclosures include all inappropriate leakages of personal information, whether they result from a lost or stolen computer, inappropriate employee access to business applications (malicious or accidental), or inappropriate third-party access to personal information. Many, if not most, privacy incidents investigated by the Privacy Commissioners' offices across Canada result from some form of data leakage.
Along with unauthorized disclosures, having inadequate safeguards is also a violation of privacy law. Several of the Privacy Commissioners' orders and findings dictate that organizations must make "reasonable security arrangements". In one finding involving a retail organization, the Federal Commissioner found that the organization should have had adequate safeguards, including an information-security governance structure overseen by the Chief Information Officer. The finding stated that the organization had a duty to monitor its systems vigorously and that, had it done so, it would have been aware of the intrusions (data leakages). The risk of a breach was foreseeable, and as a result the organization was required to inform the Commissioner how it would monitor its systems more vigorously in the future. The organization was also mandated to implement data leakage protection solutions to maintain compliance. The finding stated that had the organization made the investment to ensure compliance, it would have avoided the data leakage and saved millions of dollars.
Privacy laws require organizations to implement data leakage protection in the form of physical measures, organizational (administrative) measures and technological measures. Most organizations have implemented policies and procedures to protect personal information and have trained their staff on privacy, but not all organizations have taken adequate measures to ensure that the administrative, physical and technological data leakage programs defined by their own policies are actually implemented.
With data breach notification requirements expected to be enacted, an organization's investment in data leakage protection will come under increased scrutiny after it reports a material breach to the Privacy Commissioner, which is one of the expected requirements.
Privacy Review: Deloitte's Data Leakage Protection Services
Compliance with privacy laws and the elimination of privacy breaches are among the key benefits of Deloitte's Data Leakage Protection Services. Typically, organizations respond to privacy laws with policies, procedures and technology. This approach gives the organization a false sense of compliance because it lacks a governance structure, which results in disconnects. The “disconnect” is between corporate policies, actual operational practices and the setup of the technology infrastructure. Most often, non-compliance and data breaches result from these disconnects. Even organizations with mature privacy management frameworks find themselves with unacceptable levels of privacy risk and need a better approach to compliance because of these disconnects. Deloitte's Data Leakage Protection Services are designed to eliminate these disconnects and thus eliminate privacy breaches.
Deloitte's Data Leakage Protection Services also recognize that data proliferation across the organization and beyond results in operational privacy inefficiencies. These inefficiencies impact storage, archiving and backup, knowledge and record management, business continuity, development and testing time and compliance monitoring and reporting. Deloitte's Data Leakage Protection Services ensure adequate data protection across the enterprise by:
- Discovering data and applying the appropriate security controls to it;
- Classifying data, to understand the importance and sensitivity of the data;
- Controlling data, to restrict access to data, prevent misuse of it, and secure it at rest and in transit;
- Auditing data and its usage, to enforce the security controls.
Deloitte's Data Leakage Protection Services address data leakage with a Data Protection Framework. Data protection combines people, processes and technologies with a strategy for moving away from reliance on perimeter security towards a risk-based, data-centric view. The focus is on how the business uses data; the framework identifies data flows across boundaries (geographic, organizational, process, system), inventories sensitive data and assesses data leakage risks. Given the data growth problem (70% annually), it does not make sense to apply a blanket information protection strategy. A functional view provides the next level of refinement.
Deloitte's Data Leakage Protection Services develop a model for how sensitive data is acquired, created, stored, used, shared, archived and disposed of. The model relates the data lifecycle to the business processes it supports and the underlying infrastructure environments. The model also provides for the implementation of environment-specific controls in order to reduce the likelihood and impact of data moving from an intended to an unintended state. Deloitte's Data Leakage Protection Services help ensure privacy compliance by demonstrating how the organization has implemented adequate safeguards through reasonable security arrangements, and these services significantly reduce the probability of a data breach and the resulting Privacy Commissioner's investigation.
Deloitte's Privacy ROI
Data can be managed like any other enterprise asset, subject to the same net business value calculations balancing value, risk and total cost of ownership. To calculate the privacy return on investment (Privacy ROI) of Deloitte's Data Leakage Protection Services, an organization needs to consider the cost of a data breach. A Forrester Research survey of April 2007 calculated that a:
- Low-profile breach in a non-regulated industry cost $90 per record;
- Low-profile breach in a regulated industry cost $155 per record; and
- High-profile breach in a highly regulated industry cost $305 per record.
In Canada, it could be argued that organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) and other private-sector and public-sector privacy laws are in a regulated industry, so a breach would cost on average $155 per record. Organizations subject to Ontario's Personal Health Information Protection Act (PHIPA) could be considered a highly regulated industry because of PHIPA's mandatory breach notification requirements and the Commissioner's past orders mandating encryption, and could calculate a privacy breach at $305 per record.
For organizations subject to PIPEDA and the provincial private-sector privacy laws in British Columbia and Alberta, we are likely to see the cost of a breach skyrocket as these laws are expected to be amended to include some form of mandatory breach notification.
Once the cost of a breach is calculated, often based on the different classifications of the personal information, an organization would need to calculate the probability of a breach over a three- to five-year period (depending on how you account for the cost of Deloitte's Data Leakage Protection Services). Once you have the cost and the likelihood, the Privacy ROI can be calculated.
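The ROI calculation described above, carried through as an added Python example (not Nymity's or Deloitte's own model): the per-record costs are the Forrester figures quoted on this page, while the record counts, annual breach probability, horizon, program cost and risk-reduction fraction are constructed sample inputs.

```python
# Added Privacy ROI illustration; not Nymity's or Deloitte's own model. Per-record costs
# are the Forrester (April 2007) figures quoted above; every other input is constructed.

# Cost of a breach per exposed record, by regulatory profile (from the review).
COST_PER_RECORD = {
    "non_regulated": 90,       # low-profile breach, non-regulated industry
    "regulated": 155,          # e.g. PIPEDA / provincial private-sector laws
    "highly_regulated": 305,   # e.g. health information under Ontario's PHIPA
}

def breach_cost(records_by_profile):
    """Cost of one breach exposing the given number of records per profile."""
    unknown = set(records_by_profile) - set(COST_PER_RECORD)
    if unknown:
        raise ValueError(f"unknown regulatory profile(s): {sorted(unknown)}")
    return float(sum(n * COST_PER_RECORD[p] for p, n in records_by_profile.items()))

def probability_of_breach(annual_probability, years):
    """Chance of at least one breach over the horizon, treating each year as an
    independent trial: 1 - (1 - p) ** years."""
    if not 0.0 <= annual_probability <= 1.0:
        raise ValueError("annual_probability must be in [0, 1]")
    if years <= 0:
        raise ValueError("years must be positive")
    return 1.0 - (1.0 - annual_probability) ** years

def expected_loss(records_by_profile, annual_probability, years):
    """Expected breach cost over the horizon (likelihood x impact)."""
    return probability_of_breach(annual_probability, years) * breach_cost(records_by_profile)

def privacy_roi(records_by_profile, annual_probability, years, program_cost, risk_reduction):
    """Privacy ROI = (expected loss avoided - program cost) / program cost, with the
    program cost accounted over the same 3-to-5-year horizon. `risk_reduction` is the
    assumed fraction of expected loss the program removes."""
    if program_cost <= 0:
        raise ValueError("program_cost must be positive")
    if not 0.0 <= risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be in [0, 1]")
    avoided = expected_loss(records_by_profile, annual_probability, years) * risk_reduction
    return (avoided - program_cost) / program_cost

if __name__ == "__main__":
    # Constructed sample: 100,000 PIPEDA-covered records and 20,000 PHIPA-covered records,
    # a 10% annual breach probability, a 3-year horizon, $1M program cost, 80% risk reduction.
    sample = {"regulated": 100_000, "highly_regulated": 20_000}
    print(f"single-breach cost:    ${breach_cost(sample):,.0f}")
    print(f"expected loss (3 yrs): ${expected_loss(sample, 0.10, 3):,.0f}")
    print(f"privacy ROI:           {privacy_roi(sample, 0.10, 3, 1_000_000, 0.8):.2f}")
```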
Ultimately the decision comes down to an organization's tolerance of privacy risk. But Privacy ROI is only one factor when calculating the total ROI of Deloitte's Data Leakage Protection Services. The total ROI would also factor in the non-privacy ROI, for example the elimination of leakages of other corporate data. Deloitte's Data Leakage Protection Services go beyond personal information, as they focus on all organizational data assets, and personal information is considered one of these assets. These services also provide data governance, which includes privacy.
Case Study: A Major Canadian Retailer - 8 Week Engagement
Business Problem
- Increasing reliance on email for handling business transactions
- Email and PST files had morphed into storage for important business documentation
- Employees had emails that were more than 6 years old, mixing business, transient and personal emails
- Compliance with business record retention periods, and e-discovery complications and cost
Approach Summary
- Creating a strategy and roadmap consisting of policy, training & awareness, and technology
- A clear policy for storage of business records and use of email for business and personal communication
- Providing a technology tool integrated with Exchange to identify and flag aged emails. The solution directed the user to flag an email as either a business record or a personal or transient record
- Business records were stored in the permanent storage environment with an adequate backup and archiving solution
- Personal records and aged transient business records were deleted after 6 months, plus a one-month grace period
- Allowing users to save time and increase productivity, and improving legal and regulatory compliance
Lessons Learned
- Users are receptive to change that makes them more productive and helps the company
- Engaging all stakeholders, from store owners to legal, IT, audit, privacy, records management, etc.
- Must have support from upper management and business owners, and implement effective training and awareness programs
Next Steps
Learn more by downloading Deloitte's Data Leakage Protection Services Datasheet and reviewing Deloitte's Data Leakage Protection Webinar.