What Dangers and Opportunities are Hiding Inside Your Organizational Data?
DATA DISCOVERY

TODAY’S PRESENTERS:
SANGEET RAJAN, Managing Director and Western Region Leader, BDO Digital ([email protected])
JEFFREY SHARER, Chief Innovation Counsel, Actuate Law ([email protected])
RICK WILSON, VP of Strategy & Solutions, Sherpa Software ([email protected])

RICK WILSON
VP of Strategy & Solutions, Sherpa Software
Sherpa Software
Data discovery and governance software solutions that address data security risk mitigation and privacy compliance
• Established in 2000 and headquartered in Pittsburgh, PA
• 3,500+ customers globally
• Data discovery on data-at-rest across a variety of information repositories
• Locate, classify, remediate, protect
Poll Question #1
Approximately how many consumer records were breached in 2018?
A. 100 million
B. 1 billion
C. 2.8 billion
The Real Costs of a Breach
• It is estimated that 2.8 billion consumer records were exposed, costing over $654 billion to U.S. organizations in 2018 alone
• Increased regulatory enforcement and stiffer fines
[Chart: average total cost of a breach by number of records lost, measured in US$ millions]
Source: 2019 Ponemon Cost of a Data Breach
Data Insecurity is Real
Insider threat actors responsible for 34% of breaches in 2019
• Storing files in forbidden locations
• Not knowing importance or sensitivity of files
• Maliciously emailing files to home accounts
• Maliciously saving/downloading sensitive data
• Accidentally sending files to the wrong person, internally or externally
• Accidentally sending wrong files with sensitive data
• Consultants with confidential client data
Source: 2019 Verizon Data Breach Investigations Report
Poll Question #2
Does your organization have a process in place to find/delete sensitive and risky data?
A. Yes
B. No
C. Not sure
Know Your Data to Protect It
GOALS
• Locate and remediate sensitive data (PII, PCI, PHI): reduce accessibility to personal data
• Proactive employee flight risk monitoring: eliminate loss of intellectual property
• Preemptive incident response classification: speed incident response time by focusing on the most critical data
• Search and destroy missions: threats resolved in hours/days versus weeks/months
• Data risk assessment/mapping: analyze risk-prone data locations
• Internal investigations, e-discovery, privacy compliance (CCPA/GDPR): regulation adherence, reduction in lawsuits and speed to issue resolution
SANGEET RAJAN
Managing Director and Western Region Leader, BDO Digital
Some of the Brands We Work With
Analytics, ML, AI, IoT, RPA, cloud, mobile, social and cyber are transforming behaviors and revolutionizing business as usual.
BDO Digital helps our clients with digital transformations, from strategy to execution, while complying with laws and regulations such as the CCPA, LGPD and GDPR.
Poll Question #3
California Consumer Privacy Act (CCPA) compliance will cost less than $10 billion across all industries.
A. True
B. False
C. Not sure
The CCPA
BACKGROUND
• Effective January 1, 2020
• Applies to CA residents
• Rights to 12-month data lookback
• Private right of action
• Per capita statutory fines of $100-$750
DISCLOSURES
• The categories of personal information collected
• The categories of sources from whom the data was collected
• The categories of third parties with whom the business shares the data
• The business or commercial reasons for collection, disclosure or sale
APPLIES TO
‘For profit’ businesses that:
• Have gross annual revenues > $25M; or
• Make 50% of annual revenues from sales of personal information; or
• Buy, sell, share PI of > 50,000 CA residents
RIGHTS
• Right to Know
• Right to Say No or Opt-Out
• Right to Access and Data Portability
• Right to Deletion
• Right to Equal Service
• Affirmative Consent for 13 to 16 yrs.
• Parental Consent for <13 yrs.
Future Proofing Your Data Processing
Lawfulness, Fairness & Transparency of Processing
Ensure all processing is transparent, proportionate and based on lawful grounds.
Purpose Limitation
Ensure personal data is only collected and used for explicit and specified purposes.
Data Minimization
Data collected should be adequate, relevant, proportional and limited to only what is necessary for the purpose
Accuracy
Data must be accurate and kept up to date
Storage Limitation
Data must be retained only as long as necessary
Confidentiality & Integrity
Data must be protected from unauthorized access and tampering
Accountability
All controllers and processors shall demonstrate compliance to these principles
Poll Question #4
Does your organization currently have an up-to-date data inventory and map?
A. Yes
B. No
C. Not sure
Solving for CCPA, GDPR, LGPD and Other Laws
STEP 1: Organization
1.1. Designate a driver.
1.2. Establish rules of engagement (RACI).
STEP 2: Data
2.1. Inventory the data.
2.2. Maintain up-to-date data maps.
STEP 3: Controls
3.1. Establish easy-to-follow policies and procedures that are built on privacy principles.
STEP 4: Human Factors
4.1. Train to embed privacy responsibilities in operations.
STEP 5: Privacy by Design
5.1. Conduct human impact assessments on new or enhanced products, services or software.
STEP 6: Govern
6.1. Monitor policy adherence.
6.2. Cure data and program risks.
JEFFREY SHARER
Chief Innovation Counsel, Actuate Law
Co-Founder and Chief Innovation Architect, Quointec LLC

Actuate Law and Quointec
Actuate Law
• Founded in January 2018 by Big Law veterans; Chicago, IL
• Practices nationwide in commercial litigation, class action defense, data privacy and security, e-discovery, financial services, information governance, private client services/trusts & estates, and white-collar investigations and litigation
• Combines talent, technology, and entrepreneurialism to achieve the ‘impossible triangle’ of better, faster, and less costly legal services for clients
Quointec
• Technology and advisory subsidiary of Actuate Law
• Develops customized, tech-forward legal and compliance solutions
• Products empower clients to quickly and affordably ‘self-serve’ on straightforward issues and be guided to counsel for more complex matters
• Solutions combine the subject-matter expertise and consultative guidance of lawyers with the automation of AI and other technology to deliver the best of all worlds for clients
Retention As It Should Be
For any document, there are only three possible raisons d’être:
1. Business value
2. Legal and regulatory retention requirements, including litigation holds
3. Retention schedules, usually driven by (1) and (2)
As a rule, if it doesn’t fall into at least one of these categories, it can (and usually should) be deleted in the normal course of business.
Poll Question #5
Approximately how much of your organization’s data is both readily available and important to your business?
A. 15%
B. 35%
C. 85%
What Does ‘As It Should Be’ Look Like?
[Chart] Business Critical (Legal, Regulatory or Business Value): 16%; ???: 84%
Source: Veritas, The Databerg Report: See What Others Don’t (Mar. 16, 2016), available at https://www.veritas.com/content/dam/Veritas/docs/reports/scd_veritas_strike_summary_a4-ls-usa_final.pdf.
‘As It Should Be:’ Understanding ‘The Databerg’
Three types of enterprise data:
1. Business Critical Data: vital to the ongoing operational success of the organization
2. Redundant, Obsolete and Trivial (ROT) Data: digital debris; duplicative and/or has little or no value to the business
3. Dark Data: value has not been identified; likely to include both business critical and ROT data, consuming resources with no value generated
Source: Veritas, The Databerg Report: See What Others Don’t (Mar. 16, 2016).
What Does ‘As It Should Be’ Look Like?
[Chart] Business Critical (Retain, Manage and Protect): 16%; Dark Data (Explore and Assign): 54%; ROT (Delete on Regular Basis): 30%
Source: Veritas, The Databerg Report: See What Others Don’t (Mar. 16, 2016).
Retention As It (Often) Is
Tongue in Cheek?
“Hoarding is the excessive collection of items, along with the inability to discard them. Hoarding often creates such cramped living conditions that homes may be filled to capacity, with only narrow pathways winding through stacks of clutter.”
Source: The Mayo Clinic
Tongue in Cheek? Not Really.
“Hoarding is the excessive collection of data, along with the inability to discard them. Hoarding often creates such cramped working conditions that networks may be filled to capacity, with only narrow pathways winding through stacks of clutter.”
Source: adapted from The Mayo Clinic
Over-Retention Risks: Privacy and Data Protection
Rapidly evolving legal landscape, including:
• EU General Data Protection Regulation
• California Consumer Privacy Act
• Many other jurisdictions considering GDPR- and CCPA-like legislation
Expanding rights of data subjects to control collection, use and disposition of their personal information require stronger controls around information governance:
• Right to be forgotten
• Data subject access requests
• Data disposition requirements upon expiration of purpose
• Restrictions on cross-border transfers of personal information
Significant penalties for non-compliance
• GDPR: up to 4 percent of global revenue
• CCPA: $2,500-$7,500 per violation by attorney general; $100-$750 per violation for private right of action, or actual damages if greater
Risk of losing protected or sensitive information in a data breach, potentially resulting in notification obligations, regulatory or civil exposure, damage to reputation and other harm

Other Risk Areas
Existing legal and regulatory matters
• Missed deadlines and sanctions for failures to identify, preserve or collect relevant data completely and on time
• Cost-prohibitive e-discovery skews settlements
• Conflicts between U.S. discovery and foreign privacy laws
Ongoing regulatory compliance
• Compliance violations are more difficult to detect where the offending data is obscured by millions of other grains of sand
• Noise created by debris hinders the performance of predictive analytics and other tools and processes that otherwise might detect violations
• Less-sensitive data may end up in insecure storage
Tactical Approach to Defensible Data Remediation
1. Scan and Index Data
2. Analyze Data
3. Identify Data Set(s)
4. Present and Collect End User Input (if needed)
5. Apply Deletion Decisions
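A compact illustration of the five-step workflow above, written for this page and not code from Sherpa Software or Actuate Law: it indexes a constructed set of files, tags PII and PCI hits and duplicate (ROT) content, offers only untagged or redundant items as deletion candidates, and deletes nothing without an explicit end-user approval. The file paths, contents and regex patterns are assumptions made for the example.

```python
import hashlib
import re

# Constructed sample corpus standing in for files indexed on an endpoint (made up).
SAMPLE_FILES = {
    "finance/q3_report.txt": "Q3 revenue summary for board review.",
    "hr/onboarding_form.txt": "New hire SSN 123-45-6789 recorded on file.",
    "sales/card_notes.txt": "Customer paid by card 4111 1111 1111 1111 today.",
    "archive/q3_report_copy.txt": "Q3 revenue summary for board review.",
}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")       # US SSN shape (PII)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digit runs (PCI)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_and_index(files: dict) -> dict:
    """Steps 1-2: index every file, tag PII/PCI hits and duplicate (ROT) content."""
    inventory, seen = {}, set()
    for path, text in files.items():
        digest = hashlib.sha256(text.encode()).hexdigest()
        tags = set()
        if SSN_RE.search(text):
            tags.add("PII")
        if any(luhn_ok(re.sub(r"\D", "", m)) for m in CARD_RE.findall(text)):
            tags.add("PCI")
        if digest in seen:
            tags.add("ROT")  # identical content was already indexed elsewhere
        seen.add(digest)
        inventory[path] = {"sha256": digest, "tags": tags}
    return inventory

def identify_candidates(inventory: dict) -> list:
    """Step 3: offer only untagged or ROT items for deletion; PII/PCI go to remediation."""
    return sorted(p for p, r in inventory.items() if r["tags"] <= {"ROT"})

def apply_deletions(files: dict, candidates: list, approvals: dict) -> list:
    """Steps 4-5: delete only the candidates the end user affirmatively approved."""
    deleted = [p for p in candidates if approvals.get(p) is True]
    for p in deleted:
        del files[p]
    return deleted
```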
Actuate Law Case Study
• Engaged by a Fortune 100 organization in a regulated industry to assist with a legal and technology framework for the reduction of greater than 1 PB of unstructured data
• No data would be remediated without affirmative approval from the end user
Technology:
• Sherpa Altitude on endpoints to index content and execute approved deletions
• Web-based form provided for each end user:
  • Descriptions, aging and other metadata for contents
  • User-friendly controls to designate items to be retained or deleted
Pilot Phase Achieved: OVER 50% Reduction
QUESTIONS
THANK YOU