Another day, another breach, another theft of sensitive data.
Many will talk about Anthem’s missing database encryption. Some will argue that a new technology would mitigate this type of breach, including advances in hardware-based encryption or storage systems. Others will argue for better data segmentation, improved intrusion detection systems, or more stringent governance.
With each breach, we want to believe that only a single mistake has been made, and if we are able to prevent that one mistake, then our most sensitive data is safe. But even though it’s true that it takes only a single mistake to cause a disastrous data leakage event, this thinking is incorrect.
Even if Anthem had encrypted its databases on disk, the backups could have been stored unencrypted. It’s also possible that an update to a data transformation process for a big data initiative neglected to anonymize social security numbers. It even could have been as simple as a developer’s laptop containing sample data being stolen.
There will always be something, and looking to prevent a particular mistake is a fool’s errand.
The explosion of big data initiatives and the desire for data-driven decisions have dramatically changed the way organizations value digital assets. However, organizations that want to prevent data leakage events need to dramatically change their approach to managing digital risk.
First, an organization should establish a digital risk task force dedicated to ensuring that digital risk is adequately managed across the enterprise. It should be focused on both the value of digital assets as well as the liabilities associated with storing, retrieving, and maintaining digital assets. Its membership needs to span all management domains, as digital assets and liabilities can originate from anywhere within the organization. The digital chain is only as strong as its weakest link.
The task force should perform an assessment of the value and the liability of data across the organization. This exercise helps unify the task force around what is important – the high-value digital assets and their related liabilities.
In Anthem’s case, the economic value of the leaked data was likely very low – mostly basic profile information about its customers.
The liabilities associated with the leaked data, however, are extremely large. There are three primary drivers of exposure: the liability for fraud committed as a result of identity theft, the loss of brand value as a result of damaged customer perception, and the regulatory exposure related to non-compliance with HIPAA requirements.
It’s widely estimated that a personal medical record is worth upwards of $50 on the black market. And, considering that more than 80 million records were compromised in the Anthem breach, fraud perpetrators stand to profit handsomely. The scope of the liability extends from direct losses associated with stolen goods and services to identity theft to the blow to brand equity to exposure to HIPAA non-compliance penalties and fines for failure to adequately protect personal health information.
At this point, it’s impossible to fully quantify the damage. It will, however, likely land in the billions. Unfortunately, companies that store this type of data typically underestimate the liabilities by 100 to 1,000 times. They have no idea that they’re sitting on such a catastrophic land mine. As Gartner’s Vice President of Research, Jack Santos, put it, “By all reports, the Anthem records certainly contain personal information; they MAY contain Protected Health Information – if so they would be covered by HIPAA and HHS regulations. Time will tell. Were that true, it could be the single largest healthcare breach ever.”
What can health care providers do to protect themselves from falling prey to Anthem’s fate?
Practically speaking, the digital risk assessment can serve as a catalyst for change, as the task force now has sufficient evidence that digital risk is a major liability for the organization. In most cases, the liability will exceed the insurance policy limits on cybersecurity by 100 times.
It’s worth mentioning that digital assets presenting liabilities that far exceed their economic value should be considered good candidates for destruction. At a minimum, data segmentation and data quarantining techniques can be used to create several classes of data in which economic value and liability are more closely balanced.
The last step to prevent data leakage events is to establish an operational digital risk program. This cross-functional team should comprise all components of digital risk, including security, data loss prevention, data leakage prevention, availability, and governance. This ensures that there is no opportunity to miss or cover up problems. The team must have the authority to examine every aspect of the organization without hindrances, because digital risk can originate anywhere. The team must function as an independent task force and not be centered in any single management domain. From there, continuous monitoring of activities and findings must be completely transparent in real time to executive management for the measures to be effective.
Put simply, it’s imperative that the digital risk management team be independent of any individual functional unit. The digital risk team needs the clear mandate to follow the data through the organization. Otherwise, unanticipated liability will certainly grow.
The digital risk team should monitor the entire life cycle of data. It should serve as a steward for onboarding new sources of data, a guardian of data during change, and a verifier of destruction upon deletion. In many organizations, this can be implemented by including the digital risk team as part of the business change management process. Organizations that do not currently implement change management should use this opportunity to improve their operational standards.
The digital risk team should be particularly concerned about the hand-off of digital assets from one group to another. Most breakdowns in digital risk happen between functional groups, as operational standards and requirements often differ among groups.
The adoption of big data has the potential to dramatically improve the operations, revenue, and profitability of an organization. But the potential liabilities of the data also must be considered. Only through thoughtful digital risk management will organizations derive the value promised by big data.
Michael McQuinn is co-founder and CTO of Criterion Advisory.