The information economy has grown rapidly over the past decade—and for a while, with seemingly few controls. However, in recent years, organizations have been confronted with the IT version of Newton’s third law: for every (innovative) action, there is an equal and opposite reaction. In the case of information-driven business, that reaction is risk.
Data breaches, cyberattacks and other challenges to data privacy have increased dramatically. In the first half of 2018 alone, there were 945 data breaches that compromised 4.5 billion data records worldwide. In 2019, there have been 2.7 billion identity records posted online for sale already. These breaches – and their implications for data privacy – have infiltrated even high-profile companies for years.
This year, Capital One announced a data breach that impacted about 100 million U.S. consumers and 6 million Canadian consumers. The stolen data put at risk personal information collected in credit card applications, including applicants’ names, social security numbers, addresses, dates of birth and self-reported incomes. In this case, it was not clear how the hacker planned to exploit the personal information. However, in last year’s Facebook-Cambridge Analytica scandal – not strictly a breach but still the unauthorized collection and use of personal data – the motive was vividly clear. Cambridge Analytica, a political data firm, gained access to the personal information of more than 50 million Facebook users, which it used to model the personalities of American voters in order to attempt to influence their behavior. This case was recently reexamined in Netflix’s documentary, The Great Hack.
While these two incidents deal with different issues, they are similar in a surprising way: both were perpetrated by someone with inside knowledge of or access to the companies. In the case of Capital One, the hacker was a software engineer who used to work for the cloud hosting company Capital One was using. For Facebook-Cambridge Analytica, Cambridge Analytica shared a survey that gained consent from hundreds of thousands of consumers but also granted access – without consent – to several million more, which it knowingly harvested.
Again, these cases highlight different data privacy challenges, but they raise the same question: how can today’s data-driven businesses protect consumers’ personal information from risk, especially when that risk comes from inside the organization? While important, a firewall doesn’t keep internal bad actors – even negligent data handlers – from mismanaging or abusing information.
Cybersecurity is not the silver bullet that keeps data safe from the internal and external werewolves seeking to misappropriate it. Organizations need to ensure internal stakeholders are held accountable. In fact, as the focus on data privacy heightens, so must the conversation about accountability and end-to-end transparency. The goal is not to make companies distrust their employees. Rather, they need to trust their data and how they manage it. The more organizations understand what personal information they have, where it is stored and who has access to it, the better they can ensure all data is properly used and secured and, thus, at reduced risk of theft. To gain this visibility, organizations need to implement new processes and technologies. Creating data intelligence helps organizations establish the necessary trust with the data and the data management they have in place.
Data intelligence isn’t always part of the cybersecurity conversation. However, as information management catches up to data-driven business, it deserves to be heard. Data governance and regulations such as the GDPR and CCPA can be motivators for good data behavior—but they also require organizations to understand what data they have, what data needs protecting, how they can protect it, and, importantly, where it came from. Building an inventory of data assets answers these questions for organizations. In the case of a breach, it enables them to inform authorities and those affected while mitigating the impact as much as possible. Organizations can also leverage data lineage capabilities to trace data from its origin to its target – discovering where it came from, how systems processed it and how it’s been used – or abused. Traceable data is trusted data, creating confidence in decisions, encouraging internal adherence to governance policies and reducing internal risk.
“Cambridge Analytica claimed to have 5,000 data points on every American voter. But it was invisible. And so the question is, how do you make the invisible visible?” asked David Carroll, a Parsons professor who fought to get his own data back from Cambridge Analytica, in The Great Hack. While data visibility was certainly not the crux of the Facebook-Cambridge Analytica scandal, it can be a defining issue for the average company. Most organizations are hindered by a lack of visibility across data siloes and into today’s cloudy data lakes. Consequently, when auditors come knocking or consumers request their data be deleted, organizations aren’t able to comply – at least not quickly. Data intelligence gives organizations visibility into their full data ecosystem, so they can be agile, whether in the face of a privacy issue or pinpointing data for a business initiative.
Data intelligence isn’t a cybersecurity solution. It won’t prevent hackers from stealing personal information from companies’ data warehouses. However, if that worst-case scenario occurs, organizations will know exactly what (or whose) information was in the data warehouse, where it had been used and transformed and who had access to it. That way, instead of having to ask concerned consumers to check their accounts for suspicious activity – as Capital One did after its data breach – organizations can know who was impacted and be targeted in their responses. In this way, data intelligence can hold organizations accountable to the level of service that today’s consumers expect.
“Data is the most valuable asset on Earth,” said Cambridge Analytica’s Brittany Kaiser in The Great Hack. She’s right. Consequently, its safety, privacy and security are more important than ever. With new proposed regulations such as the Dashboard Act, which would quantify the idea of “data as an asset,” companies would be required to tell consumers how the business financially benefits from the data they or their partners collect. If this is enacted, consumers will have a full understanding of the value the collecting organization lost on their behalf in a data breach. In preparation for this future, organizations must revisit what it means for data to be safe – understanding that accountability, while separate, is complementary to security.
To survive in the information economy, today’s companies must run a transparent, trusted, data-driven business. Data intelligence and data governance show consumers that organizations care about their data—they know where it is, who has it and why. For years, information management was racing to catch up with innovation, and as a result, many of today’s organizations have found themselves in a fender bender. Instead of ignoring the laws of motion, they need to brace for the equal and opposite reaction, prepare for risk with the right insurance and learn how to drive innovation more responsibly to avoid unintended collisions and keep the passengers (and their personal information) safe.