
DATA DISCOVERYsherpasoftware.com/wp-content/uploads/2020/04/Data-Discovery-W… · data security...

Date post: 09-Aug-2020
What Dangers and Opportunities are Hiding Inside Your Organizational Data? DATA DISCOVERY
Transcript
Page 1: DATA DISCOVERYsherpasoftware.com/wp-content/uploads/2020/04/Data-Discovery-W… · data security risk mitigation and privacy compliance. Approximately how many ... Average total cost

What Dangers and Opportunities are Hiding Inside Your Organizational Data?

DATA DISCOVERY

Page 2

TODAY’S PRESENTERS:

SANGEET RAJAN
Managing Director and Western Region Leader
BDO Digital

JEFFREY SHARER
Chief Innovation Counsel
Actuate Law

RICK WILSON
VP of Strategy & Solutions
Sherpa Software

Page 3

VP of Strategy & Solutions Sherpa Software

RICK WILSON

Page 4

Sherpa Software

Data discovery and governance software solutions that address data security risk mitigation and privacy compliance

• Established in 2000 and headquartered in Pittsburgh, PA
• 3,500+ customers globally
• Data discovery on data-at-rest across a variety of information repositories
• Locate, classify, remediate, protect

Page 5

Poll Question #1

Approximately how many consumer records were breached in 2018?

A. 100 million
B. 1 billion
C. 2.8 billion

Page 6

• It is estimated that 2.8 billion consumer records were exposed, costing over $654 billion to U.S. organizations in 2018 alone

• Increased regulatory enforcement and stiffer fines

Source: 2019 Ponemon Cost of a Data Breach

The Real Costs of a Breach

Average total cost of a breach by number of records lost (measured in US$ millions)

Page 7

Data Insecurity is Real

Insider threat actors responsible for 34% of breaches in 2019

• Storing files in forbidden locations

• Not knowing importance or sensitivity of files

• Maliciously emailing files to home accounts

• Maliciously saving/downloading sensitive data

• Accidentally sending files to wrong person, internally or externally

• Accidentally sending wrong files with sensitive data

• Consultants with confidential client data

Source: 2019 Verizon Data Breach Investigations Report

Page 8

Poll Question #2

Does your organization have a process in place to find/delete sensitive and risky data?

A. Yes
B. No
C. Not sure

Page 9

Know Your Data to Protect It

Locate and remediate sensitive data: PII, PCI, PHI

Reduce accessibility to personal data

Proactive employee flight risk monitoring

Eliminate loss of intellectual property

Preemptive incident response classification

Speed incident response time by focusing on most critical data

Search and destroy missions

Threats resolved in hours/days versus weeks/months

Data risk assessment/mapping

Analyze risk-prone data locations

Internal investigations e-discovery, privacy compliance: CCPA/GDPR

Regulation adherence, reduction in lawsuits and speed to issue resolution

GOALS

Page 10

Managing Director and Western Region Leader
BDO Digital

SANGEET RAJAN

Page 11

Some of the Brands We Work With

Analytics, ML, AI, IoT, RPA, cloud, mobile, social and cyber are transforming behaviors and revolutionizing business as usual.

BDO Digital helps our clients with digital transformations, from strategy to execution, while complying with laws and regulations such as the CCPA, LGPD and GDPR.

Page 12

Poll Question #3

California Consumer Privacy Act (CCPA) compliance will cost less than $10 billion across all industries.

A. True
B. False
C. Not sure

Page 13

The CCPA

BACKGROUND

• Effective January 1, 2020
• Applies to CA residents
• Rights to 12-month data lookback
• Private right of action
• Per capita statutory fines of $100-$750

DISCLOSURES

• The categories of personal information collected
• The categories of sources from whom the data was collected
• The categories of third parties with whom the business shares the data
• The business or commercial reasons for collection, disclosure or sale

APPLIES TO

‘For profit’ businesses that:

• Have gross annual revenues > $25M; or
• Make 50% annual revenues from sales of personal information; or
• Buy, sell, share PI of > 50,000 CA residents

RIGHTS

• Right to Know
• Right to Say No or Opt-Out
• Right to Access and Data Portability
• Right to Deletion
• Right to Equal Service
• Affirmative Consent for 13 to 16 yrs.
• Parental Consent for <13 yrs.

Page 14

Future Proofing Your Data Processing

Lawfulness, Fairness & Transparency of Processing

Ensure all processing is transparent, proportionate and based on lawful grounds.

Purpose Limitation

Ensure personal data is only collected and used for explicit and specified purposes.

Data Minimization

Data collected should be adequate, relevant, proportional and limited to only what is necessary for the purpose

Accuracy

Data must be accurate and kept up to date

Storage Limitation

Data must be retained only as long as necessary

Confidentiality & Integrity

Data must be protected from unauthorized access and tampering

Accountability

All controllers and processors shall demonstrate compliance to these principles

Page 15

Poll Question #4

Does your organization currently have an up-to-date data inventory and map?

A. Yes
B. No
C. Not sure

Page 16

Solving for CCPA, GDPR, LGPD and Other Laws

STEP 1: Organization
1.1. Designate a driver.
1.2. Establish rules of engagement (RACI).

STEP 2: Data
2.1. Inventory the data
2.2. Maintain up-to-date data maps.

STEP 3: Controls
3.1. Establish easy-to-follow policies and procedures that are built on privacy principles.

STEP 4: Human Factors
4.1. Train to embed privacy responsibilities in operations.

STEP 5: Privacy by Design
5.1. Conduct human impact assessments on new or enhanced products, services or software.

STEP 6: Govern
6.1. Monitor policy adherence.
6.2. Cure data and program risks.

Page 17

Chief Innovation Counsel
Actuate Law
Co-Founder and Chief Innovation Architect
Quointec LLC

JEFFREY SHARER

Page 18

Actuate Law and Quointec

Actuate Law

• Founded in January 2018 by Big Law veterans; Chicago, IL
• Practices nationwide in commercial litigation, class action defense, data privacy and security, e-discovery, financial services, information governance, private client services/trusts & estates, and white-collar investigations and litigation
• Combines talent, technology, and entrepreneurialism to achieve ‘impossible triangle’ of better, faster, and less costly legal services for clients

Quointec

• Technology and advisory subsidiary of Actuate Law
• Develops customized, tech-forward legal and compliance solutions
• Products empower clients to quickly and affordably ‘self-serve’ on straightforward issues and be guided to counsel for more complex matters
• Solutions combine subject-matter expertise and consultative guidance of lawyers with automation of AI and other technology to deliver best of all worlds for clients

Page 19

Retention As It Should Be

For any document, only three possible raisons d’être:

1. Business value

2. Legal and regulatory retention requirements, including litigation holds

3. Retention schedules, usually driven by (1) and (2)

As a rule, if it doesn’t fall into at least one of these categories, it can (and usually should) be deleted in the normal course of business.

Page 20

Poll Question #5

Approximately how much of your organization’s data is both readily available and important to your business?

A. 15%
B. 35%
C. 85%

Page 21

What Does ‘As It Should Be’ Look Like?

Business Critical: Legal, Regulatory or Business Value

16%

??? 84%

Source: Veritas, The Databerg Report: See What Others Don’t (Mar. 16, 2016), available at https://www.veritas.com/content/dam/Veritas/docs/reports/scd_veritas_strike_summary_a4-ls-usa_final.pdf.

Page 22

‘As It Should Be:’ Understanding ‘The Databerg’

Three types of enterprise data:

1. Business Critical Data: Vital to ongoing operational success of organization

2. Redundant, Obsolete and Trivial (ROT) Data: Digital debris; duplicative and/or has little or no value to business

3. Dark Data: Value has not been identified; likely to include both business critical and ROT, consuming resources with no value generated.

Source: Veritas, The Databerg Report: See What Others Don’t (Mar. 16, 2016), available at https://www.veritas.com/content/dam/Veritas/docs/reports/scd_veritas_strike_summary_a4-ls-usa_final.pdf.

Page 23

What Does ‘As It Should Be’ Look Like?

Source: Veritas, The Databerg Report: See What Others Don’t (Mar. 16, 2016), available at https://www.veritas.com/content/dam/Veritas/docs/reports/scd_veritas_strike_summary_a4-ls-usa_final.pdf.

Business Critical: Legal, Regulatory or Business Value

16%

??? 84%

Page 24

What Does ‘As It Should Be’ Look Like?

Business Critical: Retain, Manage and Protect

16%

Source: Veritas, The Databerg Report: See What Others Don’t (Mar. 16, 2016), available at https://www.veritas.com/content/dam/Veritas/docs/reports/scd_veritas_strike_summary_a4-ls-usa_final.pdf.

Page 25

What Does ‘As It Should Be’ Look Like?

Business Critical: Retain, Manage and Protect

16%

ROT: Delete on Regular Basis

30%

Source: Veritas, The Databerg Report: See What Others Don’t (Mar. 16, 2016), available at https://www.veritas.com/content/dam/Veritas/docs/reports/scd_veritas_strike_summary_a4-ls-usa_final.pdf.

Page 26

What Does ‘As It Should Be’ Look Like?

Business Critical: Retain, Manage and Protect

16%

Dark Data: Explore and Assign

54%

ROT: Delete on Regular Basis

30%

Source: Veritas, The Databerg Report: See What Others Don’t (Mar. 16, 2016), available at https://www.veritas.com/content/dam/Veritas/docs/reports/scd_veritas_strike_summary_a4-ls-usa_final.pdf.

Page 27

Retention As It (Often) Is

Page 28

Tongue in Cheek?

Source: The Mayo Clinic

“Hoarding is the excessive collection of items, along with the inability to discard them. Hoarding often creates such cramped living conditions that homes may be filled to capacity, with only narrow pathways winding through stacks of clutter.”

Page 29

Tongue in Cheek? Not Really.

“Hoarding is the excessive collection of data, along with the inability to discard them. Hoarding often creates such cramped working conditions that networks may be filled to capacity, with only narrow pathways winding through stacks of clutter.”

Source: The Mayo Clinic

Page 30

Over-Retention Risks: Privacy and Data Protection

Rapidly evolving legal landscape, including:

• EU General Data Protection Regulation
• California Consumer Privacy Act
• Many other jurisdictions considering GDPR- and CCPA-like legislation

Expanding rights of data subjects to control collection, use and disposition of their personal information require stronger controls around information governance:

• Right to be forgotten
• Data subject access requests
• Data disposition requirements upon expiration of purpose
• Restrictions on cross-border transfers of personal information

Significant penalties for non-compliance

• GDPR: Up to 4 percent of global revenue
• CCPA: $2,500-$7,500 per violation by attorney general; $100-$750 per violation for private right of action, or actual damages if greater

Risk of losing protected or sensitive information in data breach, potentially resulting in notification obligations, regulatory or civil exposure, damage to reputation and other harm

Page 31

Other Risk Areas

Existing legal and regulatory matters

• Missed deadlines and sanctions for failures to identify, preserve or collect relevant data completely and on time
• Cost-prohibitive e-discovery skews settlements
• Conflicts between U.S. discovery and foreign privacy laws

Ongoing regulatory compliance

• Compliance violations more difficult to detect where offending data obscured by millions of other grains of sand
• Noise created by debris hinders performance of predictive analytics and other tools and processes that otherwise might detect violations
• Less-sensitive data could potentially land in insecure storage

Page 32

Tactical Approach to Defensible Data Remediation

Scan and Index Data

Analyze Data

Identify Data Set(s)

Present and Collect End User Input (if needed)

Apply Deletion Decisions

2 31 4 5

Page 33

Actuate Law Case Study

Engaged by Fortune 100 organization in regulated industry to assist with legal and technology framework for reduction of greater than 1 PB of unstructured data

No data would be remediated without affirmative approval from end-user

Technology:

• Sherpa Altitude on endpoints to index content and execute approved deletions
• Web-based form provided for each end user:
  • Descriptions, aging and other metadata for contents
  • User-friendly controls to designate items to be retained or deleted

Pilot Phase Achieved OVER 50% Reduction

Page 34

QUESTIONS

Page 35

THANK YOU

SANGEET RAJAN
Managing Director and Western Region Leader
BDO Digital

JEFFREY SHARER
Chief Innovation Counsel
Actuate Law

RICK WILSON
VP of Strategy & Solutions
Sherpa Software

