Data Privacy and the Fellow with the Sore Nose
by Fred F. Farkel, Friday, April 6th, 2012
Submitted by David Schlesinger CISSP
There is a story about a fellow who goes to a Doctor because of head pain. The General Practitioner sends him to see a specialist. The next day the fellow sees the specialist, who tells him that he has a problem in his nose.
“Can you help me?” the fellow asks, and she says, “No, I only specialize in ears and throat. You need to go to a nose specialist.”
So the next day the fellow goes to a nose specialist. The nose specialist looks at him and says, “You clearly have confabulation of the left nostril.” The fellow asks what can be done to treat it and the Doctor replies, “I don’t know, I’m a right nostril specialist myself.”
Sometimes I feel the same way when I see a presentation by the Data Privacy specialist in a company, or the Sarbanes-Oxley specialist, or the PCI specialist. The list goes on. They all seem unaware of each other.
Now, don’t get me wrong, this knowledge and these people are valuable. What drives me buggy is each of them working in isolation, as if their issue were the only one that needed governance. All these regulations require attention in a balanced manner.
Consider the following possible example:
Let’s say I was in a traffic accident and the Emergency Room Paramedic can’t get access to my drug allergies because of overprotective privacy access restrictions. If I’m unconscious, all I care about is that my allergies be available. Privacy is a low priority for me at that time.
Worse, what if my records have been altered by some disgruntled person: in that case, what I care about includes data integrity! So, who in your company is in charge of data integrity? Most probably your data security people and your data quality people manage data integrity. Are they both part of the Data Privacy team?
Regulatory compliance likewise includes the good folks governing Insider Information (SEC regulations), other folks making sure data processes have appropriate Separation of Duties (GAAP), the group managing the confidentiality of NDA business information, others overseeing the Gramm-Leach-Bliley (GLB) requirements, and don’t forget the guys in the basement doing backup so the data can be available even after the server dies and is replaced. Often, all these people operate separately. They report to different budget areas, and are rewarded for separate achievements.
Privacy is not an island. SOX and PCI are not nearby islands. The Data Quality effort you no doubt also have quite possibly works in isolation from information security. Lack of data governance integration is one root cause of the millions of personal and sensitive records lost or stolen each year. (http://datalossdb.org/statistics)
In an integrated system, all the specialists are part of one practice, and they rapidly review a case while consulting together. Splintering data management into myriad isolated interest groups (often competing for budget) is a cause of corporate inconsistency as well as regulatory confusion. Separating these solutions slows down business response. We often don’t see it because of an incorrect belief that information can somehow take care of itself. Back when we could trust a carbon copy of a purchase order on a clipboard, things were different. Now, the failure of your web system to reflect an inventory update by only an hour can lose thousands of online sales.
When the Information Management and Protection Team contains all the various specialists, and they develop an integrated approach to control and protect information, we’ll see less data loss and better regulatory compliance, as well as greater data accuracy. This increases corporate agility, because trust in accurate, clearly defined, timely and secure information is a requirement for fast corporate decisions (i.e. agility).