Is customer-facing breach notification and response a part of your incident response plan? It should be! This is the part where you notify people that their information has been compromised, communicate to employees and the public about what happened, and set the tone for recovery. It's more art than science, with different factors that influence what you communicate and how you do the notification and response. Unfortunately, many firms treat breach notification as an afterthought or only as a compliance obligation, missing out on an opportunity to reassure customers and make things right with them at a critical time, when a breach has damaged customer trust.
At RSA Conference last week, I moderated a panel discussion with three industry experts (Bo Holland of AllClear ID, Lisa Sotto of Hunton & Williams, and Matt Prevost of Chubb) who offered their insights into what to do, how to do it, and how to pay for it and offset the risk as it relates to breach notification and response. Highlights from the discussion:
Defining your data via data discovery and classification is the foundation for data security strategy. The idea that you must understand what data you have, where it is, and if it is sensitive data or not is one that makes sense at a conceptual level. The challenge, as usual, is with execution. Too often, data classification is reduced to an academic exercise rather than a practical implementation. The basics aren’t necessarily simple, and the existing tools and capabilities for data classification continue to evolve.* Still, there are several best practices that can help to put you on the road to success:
Keep labels simple. At a high level, stick to no more than 3 or 4 levels of classification. This reduces ambiguity about what each classification label means. Too many classification labels increase confusion and the chance of opportunistic data classification (where users default to classifying data at a lower level for ease of access and use).
Recognize that there are two types of data classification projects: new data and legacy data. This will help to focus the scope of your efforts. Commit to tackling new data first for maximum visibility and impact for your classification initiative.
Identify roles and responsibilities for data classification. Consider data creators, owners, users, auditors (such as privacy officers or a risk and compliance manager), and champions (who is leading the classification initiative?). Data is a living thing, and all employees have a role in classification. Classification levels may change over time as data progresses through its lifecycle or as regulatory requirements evolve.
When evaluating the top 10 critical success factors that will determine who wins and loses in the Age of the Customer in 2016, it comes as no surprise that privacy is one of them. In fact, privacy considerations and strategy augment all 10 critical factors that drive business success in the next 12 months.
So, what does this mean for businesses moving forward?
In 2015, 26% of global security decision makers consider privacy as a competitive differentiator for their organization.* But what does that even mean? And how would an organization achieve this?
Last week I was out in Las Vegas for Privacy. Security. Risk. and moderated a panel on this topic. Panelists included Michael McCullough (CPO, VP, Enterprise Information Management and Privacy, Macy's), Nathan Taylor (Partner, Morrison & Foerster), and Jamie May (VP of Operations, AllClear ID). Two things were clear:
The ability and desire to use privacy as a competitive differentiator heavily depends on the nature of the business. For example, a cloud provider would approach this differently than a company that sells gasoline.
Treating privacy as a competitive differentiator and marketing or selling with it are separate concepts. Some organizations may choose to embrace both. Treating privacy as a competitive differentiator has more to do with corporate culture, privacy practices, and your privacy team. The notion of responsible information management came up several times during the panel session. There is also risk involved in marketing or selling with privacy as a competitive differentiator: if you make a promise, you must be able to fulfill it.
Upcoming changes to privacy regulation in the EU, as well as rising business awareness that effective data privacy means competitive differentiation in the market, make privacy a business priority today. And this is not only relevant for tech giants: protecting both customer and employee privacy is a business priority for companies of all sizes and across industries.
But where do you start? Many companies start by hiring a chief privacy officer. Some have built brand-new privacy teams that manage privacy for the whole firm, while others prefer a decentralized model where responsibilities are shared across teams. What are the pros and cons of each approach? Which organizational structure would better meet the needs of your firm?
And when your privacy organization is in place, how do you establish smooth collaboration with other teams like marketing and digital, for example? Too often we hear that privacy teams do not have the visibility that they need into the data-driven initiatives happening within the company. When this happens, privacy organizations are less effective and the business risks failing its customers, undermining their expectation for privacy.
S&R pros, is there a Chief Data Officer (CDO) in your organization? Do you work with them? Previously, John and I wrote about the CDO role and how we believe that CDOs will help to drive security policy in the future because they can 1) directly tie business value to data assets, 2) have a deep understanding of data identity and purpose, and 3) possess a great incentive to protect the company’s data (it’s a strategic business asset after all!). Colleagues like Gene have also written about the CDO and the importance of the CDO in data management.
The emergence of this role now brings about more questions than answers, and we’d like to provide more in-depth analysis and clarity around this topic. What is a CDO, and what do they do exactly? Is this a temporary role, or a critical C-level position that is here to stay? Why should we even care about the CDO role? These and other questions are ones that a team of analysts from Forrester are exploring in upcoming joint research, and we’d love to hear from you if you are a CDO, currently work with one, or don’t feel there is a need for a CDO because other roles in your organization are responsible for data strategy. Some of the key themes we are looking into include:
The responsibilities of the CDO role
Where CDOs reside in firms’ organizational structure
How CDOs help their firms win, retain, and serve their customers
Did I pack socks? Check. Toothbrush? Check. Business cards, phone charger, passport? Check, check, and check. Do I know what I need to do and what not to do to protect myself, my devices and the company’s data while I’m on the road and traveling for work? [awkward silence, crickets chirping]
S&R pros, how would employees and executives at your firm answer that last question? It’s an increasingly important one. Items like socks and toothbrushes can be replaced if lost or forgotten; the same can’t be said for your company’s intellectual property and sensitive information. As employees travel around the world for business and pass through hostile countries (this includes the USA!), they present an additional point of vulnerability for your organization. Devices can be lost, stolen, or physically compromised. Employees can unwittingly connect to hostile networks, or be subject to eavesdropping or wandering eyes in public areas. Employees can be targeted because they are an employee of your organization, or simply because they are a foreign business traveler.
So what to do? Rick Holland and I are conducting research now to produce a guide to security while traveling abroad. It will provide guidance for S&R pros to better prepare executives and employees for travel, including actions to take before, during, and after a trip. We’ll be looking at considerations for things like:
OPSEC. How to determine if employees are being targeted, the pros/cons of using burner equipment, the use of privacy screens on laptops, etc.
We are in a golden age of data breaches - just this week, the United States Post Office was the latest casualty - and consumer attitudes about data security and privacy are evolving accordingly. If your data security and privacy programs exist just to ensure you meet compliance obligations, you’re going to be in trouble. Data (and the resulting insights) is power. Data can also be the downfall of an organization when improperly handled or lost.
In 2015, Forrester predicts that privacy will be a competitive differentiator. There is a maze of conflicting global privacy laws to address and business partner requirements to meet in today’s data economy. There’s also a fine line between cool and creepy, and often it’s blurred. Companies, such as Apple, are sensitive to this and adjusting their strategies and messaging accordingly. Meanwhile, customers — both consumers and businesses — vote with their wallets.
The mobile mind shift: what is it? Forrester defines the mobile mind shift as the expectation that any desired information or service is available, on any appropriate device, in context, at a person's moment of need. It’s the reality that your customers (and employees!) live in today, where mobility isn’t just about devices or apps anymore but about a change in attitude (e.g., individuals don’t just expect the availability of information and services, they demand it). With this mind shift come a few other attitude shifts, notably around the privacy and security of personal information and devices. In our 2013 surveys, Forrester saw that:
Given a choice of how to address security concerns on the devices they use for work, 38% of North American and European information workers prefer to do it themselves, while 20% would take action based on guidance from their employer.
When doing things online, 59% of US consumers are concerned about identity theft, 33% do not want their information permanently recorded and accessible to others, and 22% are concerned that their data will be sold to another company.
Business needs and requirements demand expertise and coordination for privacy programs and practices. As a result, chief privacy officers, data protection officers, and other designated privacy professionals like privacy analysts are a fast-growing presence within the enterprise today. The International Association of Privacy Professionals (IAPP) is 16,000 members strong today (compared to 7,500 back in 2010) and growing!
In many organizations, a dedicated privacy professional (i.e., a full-time employee who focuses on privacy, not someone who has privacy responsibilities attached to another role) is a new role. Privacy professionals come from a variety of backgrounds, from legal to IT, and the details of their role and focus can vary depending on the organization and the size of the privacy team. Yet they all have one thing in common: they must work together with multiple privacy stakeholders – IT, security, legal, HR, marketing, and more! – across the enterprise. And honestly, it’s not always easy. Like any relationship, there are ups and downs.