Companies today are maximizing the value and usability of information like never before. Unfortunately, so are cybercriminals. During the first half of 2018, more than 3.3 billion records were compromised, with malicious outsiders being a major cause.[1]
In the fight against cyber breaches, companies are at a steep disadvantage for many reasons. First, the internet was not designed with security in mind. It grew out of an experiment to send messages between researchers’ computers over a network. And its users grew so fast that the network, established on a foundation of collaboration and trust, remained a platform where its users are largely on their own to defend against cyber-attacks.
Second, cybercrime is a low cost, high reward endeavor. Cybercriminals can operate from anywhere, and with impunity in many countries that tolerate and even encourage attacks against the West. Cybercrime is a profitable enterprise with a thriving marketplace for selling exploits (vulnerabilities that allow cyber criminals’ access to connected systems) as well as stolen personal information and trade secrets. To top it all off, well-funded, government-sponsored actors have been blamed for several high profile hacks.
Third, cybersecurity is expensive, constantly evolving, and complex, especially for established companies relying on antiquated technology. Industry researchers are in a race to identify and patch vulnerabilities before cyber criminals can exploit them. In the fight against cyber breaches, every employee and connected device is a potential access point.
Legislative Response – Sanctions
Legislators around the world have addressed the increased frequency of cyber breaches, often by slapping fines on companies they deem to have done too little to prevent them. Under Europe’s General Data Protection Regulation (GDPR), the UK regulator just proposed a fine of £99 million against Marriott in response to a cyber breach it reported in November 2018. [2] The UK regulator also proposed a fine of £183.39 million against British Airways in response to a cyber breach it reported in September 2018.[3] Proposed new state privacy laws in the United States would, if passed, also increase the cost of incurring a cyber breach.
Cyber Security Efforts and the Value of Information Governance (IG)
As companies move to upgrade their systems to add levels of security to company information, their efforts will be diminished if they retain that information too long or if employees save copies of that information to unofficial locations. Cybercriminals that trick an employee into clicking on a phishing email may have an easier time accessing and removing company information from an employee’s unencrypted device than from an encrypted server. And if the cybercriminal successfully uses that employee’s credentials to access the encrypted server, the loss may be much greater if the company did not routinely dispose of unneeded information.
One tenant of good cybersecurity is good Information Governance (IG). Companies with good IG practices understand what data they have and are empowered to (1) destroy what they don’t need and (2) to protect and maximize the value of the information they do need. By identifying and destroying unneeded information (or information being kept without a legal or operational justification), companies reduce the amount of information that can be compromised. These actions also save companies money on storage and legal discovery costs and reduce legal exposure.
Good IG practices involve:
- establishing internal policies for managing what information is kept, where and how it is kept, and for how long;
- implementing the right technology to track, manage, and dispose of records effectively;
- establishing clearly defined roles for anyone creating, storing, sharing, or disposing of information; and
- establishing procedures that allow companies to meet legal and regulatory compliance by dictating how information should be managed, stored, shared, and disposed of.
Establishing and adhering to good IG practices is not easy, but it is increasing vital to the health and productivity of organizations in the age of the cyber breach.
[1] Data Breach Level Index, Gemalto (Last accessed July 16, 2019), https://breachlevelindex.com/.
[2] Statement: Intention to fine Marriott International, Inc more than £99 million under GDPR for data breach, Information Commissioner’s Office (Last accessed July 16, 2019), https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/statement-intention-to-fine-marriott-international-inc-more-than-99-million-under-gdpr-for-data-breach/.
[3] Intention to fine British Airways £183.39m under GDPR for data breach, Information Commissioner’s Office (Last accessed July 16, 2019), https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways/.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.