Where’s My Data, and Who’s Protecting It?
As technology advances, many businesses are increasing their use of third-party platforms rather than investing in creating technology and building internal systems. Use of third-party data warehousing in particular has become more common as a third-party provider often delivers a more cost-efficient, secure and reliable option for storing information.
The COVID-19 pandemic, as with other types of business disruption, cast a light on protocols and practices involving the use of third party service providers. During disruption events, organizations must evaluate all facets of their operations to identify what has been impacted and what hasn’t. With data management, this becomes complicated given the increasing use of cloud architecture for data storage because data could be hosted in any number of places that may or may not be immediately known to the organization to which that data belongs. Knowing where your data is stored and how it’s managed can help your organization ensure it has adequate protection for its sensitive information and safeguards in place to mitigate the potential financial damage if data were to be compromised.
Power of Personal Data
One of the reasons that security of data is so important to monitor is the growing understanding of the power of personal data. Even casual consumer products like social media applications have been called into question as users and governments ask what is being done with the giant caches of information that a user willingly submits.
Personal data can be catastrophic in the wrong hands. One of the most significant breaches in recent memory was the Equifax hack, in which cyber actors leaked names, addresses, dates of birth, Social Security numbers and credit data on numerous Americans. The breach led to identity theft and the creation of fraudulent financial accounts, among other consequences from the users’ whose data was compromised. The incident also came with steep consequences for Equifax, which was estimated to have spent $1.4 billion improving its information security structure after the incident.
Trends in Privacy Laws and Protections
Concerns around what data is being collected, where it’s being stored, and what’s being done with it will make transparency and data governance a more significant issue for organizations moving forward. More laws may be created in effort to bring more regulation to the nebulous concept of data privacy at the state, federal and international levels. For example, the General Data Protection Regulation is a legal framework adopted by the European Union that creates standards for privacy and the collection of data by companies on its citizens. Another example, the California Consumer Privacy Act is aimed at giving consumers more control of information that is collected from vendors.
Blockchain and Emerging Record Keeping Technology
Another emerging trend for data protection is the use of blockchain technology. Blockchain refers to a cryptographically linked set of data records, commonly called blocks. A distributed set of ledgers often numbering in the thousands monitor these blocks making them resistant to corruption and almost impervious to alteration. Because the information on the chain is coded (generally using an Advanced Encryption Standard (AES) with 128, 192, or 256 bit encryption), personal information is near impossible to crack. Medical practices, financial institutions and government offices are migrating their systems to (or at least starting to run in parallel) blockchain-based systems. It is likely that other sectors will give this technology a closer look because of their security, immutable data records and fast data transfer times.
What Organizations Can Do to Manage Risk
Disruption and the possibility of further oversight make it critical that your organization look at its data infrastructure holistically and align safety mechanisms based on potential risk of exposure and financial impact. Consider building in contingency plans for if another physical location closure occurs. Often oversight of information security protocol requires a physical presence, and if 2020 has shown us anything, it’s that physical presence in a location may not always be possible.
If using third parties for data storage or transmission, ensure vendors’ protocol aligns with the standards your organization sets. Understand how your vendors’ breach communication works and how soon after an information security incident is detected that your organization is notified. Regardless of where the data is and who is responsible for physical protection, your organization has the ultimate responsibility for its oversight and would need to invest in information security upgrades should an incident occur.
It is a new world for data, and it’s important not to be caught off guard with questions around data security. Understanding the flow of information and how it could be comprised is something all organizations should have a better understanding of as we continually become integrated with various platforms to conduct business.
For more information about data protection, please contact Paul Wolff or a member of our team.
Copyright © 2020, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).