Richard Smith, former CEO of Equifax, was called to testify before the Digital Commerce and Consumer Protection Subcommittee in Washington, D.C., in October. Smith stepped down as CEO last year after the credit reporting agency was involved in a massive data breach. (Chip Somodevilla/Getty Images)

Firms face regulatory penalties, criminal charges and loss of trust with data breaches

Unfortunately, the best practice of collecting the minimum amount of data required for a given purpose is often ignored

In light of the Equifax data breach and the successful lawsuits that followed, it has become increasingly obvious that companies need to pay closer attention to the critical issue of data governance.

“The reality is these days any organization that holds personal information is a potential target for bad actors,” said Susan Fisher, CPA, SVP Finance and HR at SecureKey Technologies. “Organizations need to be as proactive as they possibly can in their security efforts and invest in and employ a mix of technologies and expertise to try to mitigate potential issues before they happen.”

Mitigation, however, doesn’t start when the data is collected—it begins well before then, when the decision is made about what to collect. The best practice of collecting the minimum amount of data required for a given purpose is often ignored, with companies opting to gather as much information as they can persuade people to part with. They often have no idea what they’re going to do with it, operating under the vague assumption that it will be good for something at some point.

It’s a pervasive problem both online and offline, noted Fisher, who pointed out that the requirement to show your driver’s licence to purchase a bottle of wine not only provides the necessary information—your photo and verification that you’re of legal age—but also reveals personal information like your name and address.

“From a data governance perspective, organizations need to evaluate what information they truly need to collect in order to deliver a service to a customer,” she said, “and what information they need to keep records of in order to meet future needs of that same customer or other stakeholders.”

According to the Data Governance Institute—which provides vendor-neutral best practices and guidance—data governance is “a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.” It covers the entire lifecycle, from data acquisition until its destruction or deletion.

Poor data governance, coupled with inadequate security, can be a recipe for disaster. After a data breach, lawsuits may be the least of the victim’s worries. It may also face regulatory penalties (especially after GDPR comes into effect on May 25), criminal charges if it is shown to have been negligent, loss of trust from the business community, partners and customers, and major damage to its brand and to the reputation of its executives. A public company could also suffer a decline in its stock price and a potentially significant loss of market capitalization.

“Most often,” Fisher said, “an organization’s ability to effectively mitigate a breach is directly tied to the organization’s pre-breach preparation.” A company with a proper, well-tested plan to deal with a breach fares better than one that has failed to plan for the worst.

Technical solutions like improved cyber security, blockchain and encryption alone won’t solve the problem, added David Rea, CPA, CFO at Security Compass. “[Security] needs to be considered at a holistic or programmatic level, and a security culture and posture for the organization must be established,” he said. “In the CPA’s risk management role, it is imperative to understand this.”