A CISO's introduction to enterprise data governance strategy

Commit to better communicate with management

Adequate security is key to preservation and protection of a company's IP assets, trade secrets and databases of personal information. Spectacular security breaches in the past 12 months provided painful evidence that too many companies still fail to give proper attention to information security. In several of the security incidents, such as the massive data breaches at Target Corp. or Sony Pictures Entertainment, it was reported that company management had been alerted of significant security deficiencies, but ignored these warnings or failed to take them seriously.

Studies conducted in 2008, 2010 and 2012 by Carnegie Mellon University have consistently concluded that corporate boards of directors are not actively addressing cyber risk management. According to the most recent research, although 91% of the respondents indicated that risk management was being actively addressed by their company's board, critical related issues such as IT operations (29%), computer and information security (33%) and vendor management (13%) were among those that received the least attention.

Company management must be better informed. Consider more frequent and more effective communications with management about the level of security needed within the company. According to a 2014 report from the Ponemon Institute, only 20% of the IT experts participating in the study stated that they have regular communications with senior leadership.

Ensure the CEO, CFO and board of directors sufficiently appreciate the importance of security and are aware of the most recent security incidents. Also make sure they understand the need for significant financial and other resources to improve information security throughout the company.

Commit to improving incident preparedness

Another recurring lesson in 2014 came from watching the poor performance of certain companies when responding to a breach of security. Many companies do not have an appropriate incident response plan in place to help in the event of a security breach. A recent report found that more than 75% of the companies polled did not have an incident response plan. Another survey showed that only half of the respondents that had an incident response plan had actually tested it.

Incident response plans are required by many regulations, such as those under HIPAA /HITECH Act or the Gramm-Leach-Bliley Act, or standards, such as PCI DSS. Even if a company is not regulated, incident response plans are part of best practices and an important tool for managing risk. In addition to helping companies identify and respond faster to a security incident, they are essential in ensuring proper communication with or among the affected parties. They are also crucial in managing the company's reputation.

If your company does not have an incident response plan, find the budget and the time to create one. If it already has one, make sure it does not gather dust and is regularly updated. In all cases, make sure employees and contractors are aware of it, understand it and know what their respective role is. Organize practice drills and keep testing it.

Commit to keeping up with new laws

Appropriate data governance also requires complying with applicable laws. Are you aware of the recent changes in applicable laws, and do you understand their effect on your company? How will you stay informed?

If you operate in the United States, you should be aware of California's new "Right of Erasure" law. As of Jan. 1, 2015, the Privacy Rights for California Minors in the Digital World Act, codified as Business & Professions Code §22581, creates a "right of erasure" which has numerous similarities with the "right to be forgotten" or "right of erasure" that is written into the proposed EU Data Protection Regulation and that is being discussed among EU data protection authorities.

The world of information security and data governance is more exciting and more complex than ever. It is also increasingly fragile and vulnerable.

California is now allowing minors to obtain the removal of material that they posted on a site. The California Right of Erasure law requires an operator of an Internet website, online service, online or mobile application (Web service) who has actual knowledge of minors using its service to permit a minor who is a registered user of that Web service to request and obtain the removal of content or information posted on the Web service by that user.

The Web service must inform its users of this right to remove or obtain the removal of content or information, and must provide clear instructions on how a user may remove, or request and obtain the removal of, such content or information.

The law only applies to content or information that the user has posted on the Web service. It does not address content or information posted by a third party. Further, only content posted by users themselves can be removed.

Also keep tabs on the initiatives of the White House with respect to cybersecurity, and the renewed push for a national data breach reporting law. These areas are likely to be of increased interest to the new Congress.

If your company operates globally, keep an eye on developments in Europe and elsewhere. For the past few years, the European Union has been working on changes to its basic data protection structure with the view to adopt a General Data Protection Regulation. 2015 should be a key year in the finalization of the document. Based on what we already know of the draft, the final document should significantly increase companies' compliance requirements.

Outside the European Union, countries are adopting new data protection laws, or amending existing ones, at a rapid pace. For example, Mexico's recently adopted data protection law contains a security breach reporting requirement, with requirements similar to those in effect in the United States. Make it a point to stay informed on these developments if your company operates in these parts of world.

Conclusion

The world of information security and data governance is more exciting and more complex than ever. It is also increasingly fragile and vulnerable. To keep this delicate structure operational, organizations need to take many precautions. As your company establishes its strategy for the months to come, keep in mind that the agility expected from its products and services can exist and thrive only if the proper structures are in place.

About the author:
Francoise Gilbert, JD, CIPP/US, CIPM, is the managing attorney of the IT Law Group, and she serves as the general counsel of the Cloud Security Alliance. She focuses her legal practice on information privacy and security, cloud computing, big data and data governance. Francoise was named Best Lawyers' "2014 San Francisco Lawyer of the Year" in the area of information technology. For the past few years, she has been repeatedly identified by Chambers and Best Lawyers as a leading lawyer in the field of information privacy and security. Gilbert is the author and editor of the two-volume, 3,000-page treatise Global Privacy & Security Law, which provides an in-depth analysis of the data protection laws of 67 countries on all continents. Her blog focuses on domestic and international data privacy and security issues. Gilbert can be reached at [email protected].