A PLAN FOR CEOS
By Suzanne Barber, Ph.D.
It’s hard to turn on the news these days without hearing of some kind of data breach. As lawmakers’ and the media’s attention to security grows, so does the impact of data breaches on those at the leadership level of businesses. The 277 CEOs whose companies experienced a data breach in 2013, a growing number of CEOs in 2014, and former Target CEO Gregg Steinhafel can all attest to this trend.
The New Year is a good time to take a holistic look at the types of personal data a business collects. From intake windows to online web forms, each piece of information collected about a customer becomes a piece of personal data a business must store – and ultimately protect – from criminals and hackers who can use it for fraud and financial gain.
Take time now to decide how much personally identifiable information (PII) to collect, how to protect it, and how to deal with a potential breach. The following steps can help make this process a rational one now, rather than a big headache later when customers file suit and ask why the business did not protect their PII.
Make Conscious Decisions About PII
Big data is hot right now. Marketers, advertisers, and business leaders are hungry for the metrics that can be extracted from how customers interact online with any given business. It’s led to a “let’s collect it all!” mentality that may be putting businesses at risk.
PII isn’t just a data set; it’s connected to people’s lives: their financial lives, their reputations, and sometimes even their physical safety. PII carries both a value and a risk to any organization. Whether it’s a hospital collecting information from patients at check-in or a retail company tracking user data from the online shopping cart, those PII assets are just that – assets. And if they are exposed, what damages will the PII owner expect to collect? Companies must shift their thinking from “It’s just another box on a form” to “This may be a potential liability that my company is choosing to take on.”
These are the kinds of decisions that should come from a CEO, with a clear vision for how they affect the business and its bottom line. Is the information collected from customers, and even from employees, necessary? Does it bring an easily identified value to the bottom line? If not, then consider the liability that data holds if it’s exposed. Look into the impact of not collecting that data, of collecting other data, or of using alternative methods and technology to increase security.
Do a PII Audit
What kind of data does the organization hold now, where is it coming from, and where is it stored? What kind of regulations, both at the federal and state levels, dictate action if that data is compromised? It’s a big task but well worth the effort if a business is able to avoid headaches down the line. It’s the CEO’s business to know which employees are in charge of the intake of data and who makes sure it’s safe and secured. In almost every organization, this is a mixed set of people. Understand the processes already in place for how personal data is collected and held.
Get To Know the IT Department
Who in the organization is in charge of protecting the data infrastructure from threats? If a CEO has never really had a conversation with the folks on the IT team – whether they’re internal or an outside party – now is the time. If they are external vendors, the business is only as secure as the weakest link in the supply chain.
Make sure business drives the IT decisions, and make sure the IT professionals understand the business. Who does that translation in the organization? Are the CPO, CISO, and CSO at the executive table? Determine who helps to relate how IT and privacy issues impact business and vice versa.
Once that relationship is established, make sure the information security teams are also well acquainted with the legal department. While there may be a learning curve on both sides as two teams and two sets of terminology come together, these are the two phone numbers for that 2:00 a.m. call, should the worst happen. Make sure everyone develops trust now . . . not in the middle of a data breach.
Establish a Culture of PII Protection Throughout Your Organization
This is really the most important step. Employees are a business’s first defense or its first point of failure – just look at the latest stats on how many data breaches can be traced back to internal threats. The CEO is the one who establishes the culture of the organization. Make protecting personal data an integral part of that culture.
Make employee training to protect PII mandatory. Communicate to the employees that protecting PII is a top priority and a key part of how their performance is measured. Simple things like choosing separate passwords for work and personal accounts can go miles toward protecting the organization. Best practices should be pervasive throughout every level of the business. Make sure everyone knows that the CEO takes it seriously, and the employees will take it seriously too.
One of the best ways to do this is to enforce the idea that PII is valuable. In the wrong hands, it has very real world consequences. Just ask a victim of identity theft whose nest egg is gone or whose reputation is ruined by a leak of personal data. Unfortunately, threats to PII aren’t going away any time soon. Help employees see that protecting personal data is just another step in providing and caring for customers and each other.
Ultimately, organizations are always judged on how well they take care of people, and that always comes back to their leaders. Now that we – both individuals and businesses – have decided to conduct much of our lives online, part of protecting people comes down to protecting their personal data. By making sure the entire business approaches personal data as an asset just like any other financial asset, a CEO can take huge steps toward protecting against the worst effects of a data breach.
Dr. Suzanne Barber is the director of the Center for Identity and the AT&T-endowed professor in electrical and computer engineering at The University of Texas at Austin. The Center for Identity provides resources for small businesses and consumers to better understand identity and privacy protection. Follow the link to learn more about upcoming executive short courses for business leaders: