The Dark Side of Big Data
Michael Josephs, CIO, Xerox Insurance and WC Solutions
Shawn Diehl, Vice President of Information Systems and Support, StrataCare, LLC, a Xerox Company
John Zavoli, Senior Vice President & Senior Corporate Counsel, StrataCare, LLC, a Xerox Company
As presented at the Global Events CIO Event, Chicago, IL, October, 2014
Business thought leaders who wave high the banner for big data tend to focus almost exclusively on the targeted outcomes for exploiting data and analytic capabilities. There is no question that the power of large data sets, when mined correctly, can be a game changer. Among the many benefits of accumulating large data sets are accelerated and more intelligent decision-making, improved service delivery, and new revenue streams as the result of new product or service offerings or expanded sales opportunities. In their quest to achieve these benefits, however, business leaders all too often overlook the custodial obligations and associated risks in the white-water world of big data, including: infrastructure and information security costs for protecting and managing the various replicated data assets; costs of staying ahead of or keeping pace with the fluid state and federal laws and regulations covering data privacy and security and the growing number of associated audits; accommodating increasing (and divergent) customer contract requirements related to big data protection and overall data retention; the risks and obligations that come from utilizing third-party value providers; and, finally, the cost and effort of compliance with eDiscovery mandates.
Infrastructure and Information Security Costs
The enormous amount of data being captured to fuel big data applications has obviously increased storage costs. Many standard data sets now include five or more replications of data that must be protected and managed. Accompanying each of these data replications is the need to create and maintain technical and procedural approaches for managing, protecting and perpetuating them.
Beyond where the data is housed and managed internally, separate (and equally stringent) technical and procedural approaches are needed. When managing data transmissions among multiple vendor partners, all elements of the service provider ecosystem must be considered. It is critical to remember that your value chain, as well as your data security and privacy controls and procedures, is only as strong as its weakest link.
Growing Focus on Information Security and Privacy
Based on the increasing levels of financial and brand-related risks associated with managing and protecting large data sets that contain sensitive, customer or protected personal information, executives are becoming more risk averse, and understandably so. Industry, regulatory and legal standards for determining what constitutes acceptable risk levels for protecting and managing sensitive data are changing rapidly. Owners of these data assets are continually re-examining their data security standards and related programs, thereby placing ever-increasing demands for data protection on their vendors. Consequently, we see a shifting of emphasis from innovation to risk reduction in IT budgets.
Other signs of the times include:
Increased demand (and cost) for experienced information security staff has made hiring and retaining professionals with requisite skills more difficult.
Increased targeting of standard management frameworks, such as ISO 27001:2, for data hosting and security programs aimed at data protection, in order to gain audit credibility with, and acceptance by, customers and third-party value chains.
Increased investment in data masking and obfuscation as a foundation for any data custodianship platform to provide protection for both testing activities and leveraging third-party (onshore/offshore) resources.
But the key challenge for a data custodian remains establishing a comprehensive data security program that can robustly address “à la carte” data security and privacy requirements from customers.
When evaluating opportunities connected to big data analytics, it is essential to include a complete view of the related life cycle technology and the procedural costs associated with it. Likewise, it is prudent to assess whether your existing information risk management processes and support functions can keep pace or will require augmenting to remain viable.
Navigating Regulatory Compliance
While there is a range of expanding laws and regulations that cover information privacy, these laws are by and large without harmonization. Federal regulatory frameworks exist and are emerging (Federal Trade Commission, White House directives, etc.), and the complexity of complying with them increases significantly when considering similar data privacy and security laws and regulations of the many U.S. states and international laws and regulations in the EU, Canada, Australia, Asia and Latin America. And while many vendors targeting services for the healthcare industry will point to HIPAA standardization or accreditation, HIPAA alone may be inadequate to meet the standards and requirements that may be demanded or required in this business segment. Consider too that 47 states have adopted data privacy and security laws that, in many cases, are far more restrictive regarding data protection and data breach notification than the HIPAA or HITECH standards.
The key here is to truly understand what laws and regulations apply to your (and your customers’) business. Monitoring emerging state data breach laws is critical in order to stay ahead, and to have your data security organization comply with them as part of a standard process enhancement initiative rather than through “hair on fire” updates to process controls and documentation. Furthermore, there is no substitute for prioritization of compliance tracking activities, meaning that it is critical that compliance executives have the appropriate organizational stature and authority to focus resources accordingly.
Third Party Ecosystem
All of the partners and subcontractors that you bring to bear in the provision of services to your customers are, or most likely will need to be, contractually bound to the same contractual standards or service level agreements (SLAs) that you have committed to those customers. In essence, this means your data security program is only as strong as your partner/subcontractor’s weakest data security program in this regard. Many niche service providers and subcontractors are not able to meet fundamental, state-of-the-practice information security standards (indeed sometimes even statutory or regulatory standards), which often makes these vendors ineligible under your customers’ contracts to be your vendor providing services to those customers. As a result, it is becoming increasingly important to take a comprehensive, no-concession approach to assessing and auditing your vendors to ensure that they can align themselves with the data security standards that you will undoubtedly have to commit to your customers. Likewise, customer data and information should be shared with these partners only after they have demonstrated compliance with those standards. This process may slow down the flow of business (and not be popular with all stakeholders), but it could prevent a serious compromise of your commitment.
With the emergence of risk management quantification standards, such as those being established by 3PAS, the process of assessing and onboarding new business partners should accelerate, with associated peace of mind.
Data Retention Policies & eDiscovery
While many organizations have a default practice of keeping all data forever (often because they have no data retention policy in the first place), data retention is now a topic central to many service contracts and a fairly standard negotiated contract provision. Organizations are re-thinking their stance on data retention policies because of the importance of such policies and their impact on vendor contracts; evolving regulatory requirements such as those from the SEC, IRS and FTC; and the costs associated with eDiscovery and litigation holds. In fact, from an eDiscovery perspective, if you have your customer’s data or information, you may have to produce and preserve it in the event of litigation even if you are not a litigant or if your organization becomes the subject of a government investigation. Sanctions and penalties for non-production can be substantial (monetary sanctions or, possibly worse yet, being held in contempt).
Therefore it becomes critical to:
Ensure all involved departments have a common understanding of associated policies (record retention, data destruction, litigation hold, etc.) and that there are appropriate procedures and operational controls to make certain they are followed.
Continuously evaluate and balance the benefit (actual or perceived) of retaining various data sets against the costs and risks of protecting and managing them.
Ensure suitable technology is in place to support eDiscovery needs, or contract for these services, in order to avoid penalties for delinquency in meeting information surrender mandates.
The analysis of Big Data collections and the consumption of results of that analysis will undoubtedly accelerate sweeping transformational change. However, when a technology practice has a national buzz about it, sometimes the rigor of the business cases that promote it can get lax. In the case of Big Data, being lax about assessing both the obvious and the more discreet risks of managing the associated growing data assets could become crippling, both financially and with respect to the sacred brand.