In Canada, it is the Data Privacy Act and its impact on the Personal Information Protection and Electronic Documents Act (PIPEDA); in the United States, the regulations include the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), and the US Personal Data Notification and Protection Act; in Australia, it is the Privacy Amendment Act, while in the EU, it is the ePrivacy Directive. There are more regulations than those previously listed. In common with each is the growing requirement for privacy breach reporting, with breach assessment being a major part of that process. This includes identifying the location of the breach, the type of data that have been compromised and identifying exactly who could be compromised by the breach, since they would need to be individually notified in case of a breach of their sensitive data.
Now, large corporations, especially banks, but also insurers and financial securities organizations, have invested heavily in various forms of enterprise data management (EDM) tools and processes since the publication of the Basel Committee on Banking Supervision’s (BCBS) Principles for Effective Risk Data Aggregation and Risk Reporting (RDARR) in 2013. More recently, the data management implications of BCBS 265, fundamental review of trading book, are coming to light, with much in common with RDARR from a data aggregation perspective.
Cyber security practitioners are already familiar with data classification frameworks for the sensitivity of various enterprise data artifacts. However, the very EDM tools mentioned previously readily facilitate more classification detail, such as whether data constitute personally identifiable information (PII), payment card industry (PCI) data or personal health information (PHI), or, at a lower level, even whether the data are passport data, insurance numbers or credit card numbers.
By classifying more enterprise data, they become easier to locate, e.g., identify all data sources across the enterprise with passport numbers. Critically, it also becomes easier and faster to identify all the data classifications that are exposed at the point of breach. This drives the level of detail required in the breach report and the nature of the post-breach actions, all serving to simplify post-breach planning. Note that data classification is already happening, often implicitly, as part of many different enterprise data profiling activities within the EDM team.
From a cyberrisk mitigation perspective, data classification is an enterprisewide initiative, since a breach could happen anywhere. For those organizations with the foresight to implement true enterprisewide data management as a follow-on, e.g., from RDARR, it makes sense for the cyber security team to leverage these EDM investments and learnings for cyberrisk management purposes. This not only makes good sense to the chief financial officer, it also means a quicker time to deployment and quicker time to breach reporting, all of which is good news for compliance, and really good news for us, the public.
Read Guy Pearce’s recent Journal article:
“Boosting Cyber Security With Data Governance and Enterprise Data Management,” ISACA Journal, volume 3, 2017.