Sorry, we lost your data

I can still picture the stack of paper sitting on the table. There had to be at least eight reams worth of printed data, a fraction of what was lost. It was a startling visual, seeing so much data presented in physical form. It belonged to my organization, and that huge stack and so much more still in digital form was simply gone. The data stolen during a massive breach that lasted for months, an attack that seemingly survived at least one cleanup attempt, and an attack that would have a dramatic impact on the organizational security team.

Not at my company, and not on my team, but for the organization that lost our data.

No matter how we secure our own environments, many of us will experience the effects of a breach that occurs when a trusted partner or third party loses our data. Perhaps this happens because our own defenses prove too challenging, or hackers know about a business relationship and the partner’s defenses are weak, or maybe the third party is a large data aggregator and offers a target-rich environment too tempting to resist.

I have had to call my peers in other organizations to inform them that someone in their mailroom sent records containing visible PII in a clear FedEx envelope, or that someone sent vast amounts of sensitive data unencrypted by email. I have had to counsel people within my organizations over the years for similar behavior, trying to convey how serious the ramifications can be for everyone involved when someone violates security policies and protocol.

Breaches and data loss continue to make headlines despite a surge in governance, standards and regulatory requirements.

Well known within industry, the second or third party risk is part of the rationale behind indemnity and liability clauses in contracts. Agreements may include insurance policies to mitigate some of the risk, and standards like SSAE-16/18 result in SOC reports intended to characterize a service organization’s level of risk and operational maturity. Frameworks developed by ISO, NIST, PCI, and so many others help organizations implement security controls. These measures are proposed to ensure solutions are safer, data is more secure, and partners can be trusted, but failures continue to pile up despite who controls the data or resources.

These examples of third party data loss are not isolated issues, as recent disclosures from Equifax, Domino’s Pizza, and South Africa all illustrate. Data loss is becoming so routine that one could be justified in believing that future protections may be pointless. The truth is far from it. For scientific advances, business success and consumer confidence to grow, partnerships, contracts, business associations and third-party agreements need to incorporate stronger terms, language and penalties for data loss and breach.

Can market forces correct security behavior?

Loss and compromise will remain a risk for as long as we need to access and use data. The key to changing the pattern of failure is through accountability. Individuals and industry alike need to punish negligent failures with a loss of future trust and business, and reward those with a record of responsible care and diligence with a vote of confidence and more business. When the consequences of a breach become significant enough, it will force changes to our behavior and the conduct of those entrusted with our data.

Instead of treating financial and technology threats as business vs IT problems, we need to see them holistically. Data is the currency of modern business, and mitigating threats that compromise its value is a business risk, not a technology issue for IT to solve. Once security is as integrated into business practices and solutions as any other risk, I suspect we will see far fewer news headlines about data compromises. Until that day, we need to do a better job of educating others about these issues as business risks and be mindful of who we entrust with our data.