The Path Less Traveled: Knowing Who Exactly Owns the Data and Acting Responsibly.
When a business does not take ownership of its data, IT and cybersecurity end up having to pick up the tab on it. This is not a proper way for businesses to own data. They must have some form of governance so that IT and cyber know what they consider important and why, how they curate it and keep it healthy, and how they maintain the data’s quality.
Business repositories then get formed, consisting of the data catalogs, business glossaries, and metadata enrichment. These business repositories and quality tests may be executed by IT individuals, but they’re mainly business-driven operations and functions. When that ownership is properly placed on the business, data governance operates at its full potential, and this is when we get to see it excel. The business enterprise, project domains, and technical stores will know at any point in time how the data should be treated, for which purpose, and the extent of its health.
Breach notification laws are privacy-based; they only apply to personally identifiable information. Our privacy laws say that if a company is holding data that applies to another, and that party performs an authorized breach of their data, they must let the data subjects (owners) know. This is the essence of our breach notification laws. The problem comes in when there are multiple parties in a business relationship. A lot of organizations believe that if they’re trusting a third party with their data, then they, the data subject, are no longer responsible for its protection, which is untrue. Organizations add risk by adding third parties. Therefore, it’s important to ensure that you are doing business with trusted vendors, that you’re auditing them, and that you’re maintaining some level of control.
Responsibility of ownership is really what gives fuel to the data governance program and its activities, and such a program helps foster that ownership and accountability successfully on the part of the business.
Ransomware Interview: Part 3 & 4
Tips of the Trade: Negotiating with Extortionists
When it comes to data-driven people, there is a growing ethical trend where people informed in this area are no longer just going along with the mindset of “Well, if we have this data, we can use it. If it doesn’t hurt them, so what?” There’s a growing understanding that when it comes to data, we are talking about something very intimate about a person. Once privacy is burst, you don’t get it back. There’s very little to be done to fix it; once it happens, you can’t give people back what was taken from them. However, many, many times extortionists claim to have data that they may not necessarily have.
Having a data governance program in place, as well as running a proper asset inventory and curation of the data, gives an organization a better idea of what data may or may not have been touched. This guides a company on what to look for in terms of what could have been extorted. If that program is not in place, then they’re at the mercy of having to guess whether what the extortionists are saying is true. Throwing in the towel without knowing what backups are in place and what has been taken results in the data subject falling prey to what the extortionists are asking for. This in turn results in a huge loss of money or assets that otherwise could have been prevented.