The recent leak of the Panama Papers and the ensuing scandal has exposed a host of clandestine financial activities implicating people and companies around the globe.  Although the Panama Papers scandal represents the largest (11 million documents, 2.6 terabytes) and most geopolitically disruptive data leak to date, it is highly unlikely that it will be the last such mega-leak.

The Panama Papers scandal underscores the resources and dedication required to secure sensitive data from accidental or intentional exposure. Companies can take concrete steps to significantly reduce the risk of a data breach, whether it originates internally or with their partners and third-party vendors. Recommended actions include:

Know your vendors and partners. When entrusting your data to a third party, perform careful due diligence. Understand the steps being taken to safeguard your informational assets. What policies and oversight systems do they have in place to reduce the risk of accidental or intentional data breach? Do they have a retention schedule that systematizes the destruction of old and obsolete data, or will they retain your data for an indefinite period? Have they appointed an Information Security Officer and implemented internal audit controls to ensure that information policies are actually followed? In the event of a breach, how will you be notified – by prompt confidential communication, or by reading about it in the newspaper?  Will you be indemnified? Carefully vetting your business partners is more important now than ever.

Assess your digital exposure. Identify your sensitive and confidential information, and then take steps to protect it. Stress-test your own internal security and that of your partners by hiring friendly hackers to attempt a breach. By layering your digital architecture so that the most sensitive information is not stored within a single location, drive, or third party, but rather subdivided and compartmentalized, the compromise of one information asset need not mean a mega-leak of all your information assets.

Sharpen information governance practices. By adopting a retention schedule to systematize the data lifecycle and continuously purge old information, enterprises can dramatically limit risks by shrinking the universe of sensitive documents that could fall into the wrong hands. Firms should appoint an Information Security Officer or Chief Information Officer who is responsible for developing the policies and oversight systems that control the storage of and access to sensitive and critical records. Ongoing revision and enhancement of information governance and digital security measures cannot completely eliminate risk, but they may allow your company to stay one step ahead.

Place an emphasis on the human factor. Even after taking precautions against internal and external vulnerabilities, the human element will remain a significant security weakness. Internally, security protocols limiting access to sensitive data, servers, and premises can limit an employee’s ability to mishandle sensitive information and can help slow the spread of malware. Limit network permissions for installations and downloads at employee workstations – many breaches begin with malware masquerading as an innocent software update or email attachment. Implement training programs that foster a culture of information security, and procedures that allow whistleblowers to report policy violations without fear of retaliation.

Enterprises and their employees, clients, and stakeholders must remain constantly circumspect and attentive in their oversight of external partners and vendors with whom they share data, and they must also diligently maintain internal policies and security measures – or else fall victim to damaging leaks in the future like the Panama Papers. Although the costs and inconveniences of such practices are not insignificant, they are small in comparison to the financial and reputational crisis that can follow from the leak of private data. If your company is ready to invest in RIM and IG, connect with a Zasio professional today by requesting a free assessment.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

Author: Frank Fazzio, IGP, CRM

Analyst / Licensed Attorney