Data Security And Compliance How Far Would You Go?

Update: 2017-07-10 10:27 GMT


How should companies go about ensuring that their compliance set-up and security are adequate as far as their own and customers’ confidential and business data, and the involvement of third parties, are concerned? Cloud will increasingly be the default option for software deployment. The same is true for custom software, which is increasingly being designed for some variation of public or private cloud.

Are you aware that 90% of top companies face or have faced data theft in some way or the other, and that this also involves public sector and defense set-ups? To add to the figures, at least 75% of small and medium-sized companies know that their confidential data is at risk. However, do they have proper measures to control it? The other factor is that almost 92% of companies are involved with cloud and almost all data is stored as SaaS (Software as a Service), where companies are finding it difficult to manage the contractual risk involved. How has the practice changed in industries over the past decade or so?

Advances in technology mean that data can be transferred quickly and stored indefinitely, including by potential third parties accessing your system. Digitalization, in addition to bringing business efficiencies and convenience for users, has changed global data flows in ways that also elevate the risks to privacy and confidentiality. The cost to the company of such data theft can be enormous, running into millions of dollars, on top of the penalties associated with non-compliance, including those imposed by regulators.

Cyber security, IP theft, and breaches of networks and computers are huge concerns for all companies. There are two kinds of companies: ones that have had a cyber security problem and ones that have a problem but don’t know of its existence. The cost to the company can be enormous; the study done by PwC puts the cost to companies of cyber theft in the order of millions.

Which departments should be involved or communicated with on such security issues? This is not just an IT problem. Most companies get the IT specialist to tighten up the firewall, enable encryption and change the passwords, but the valuable information of a company, including technical information, products and services, business know-how, customer information, finances, HR, IT and physical security, etc., is spread across all of these functions, not just IT.

Why the threat of breaches

Information goes digital and sits on various kinds of platforms with access available to all kinds of people. The workforce becomes more mobile, with business partners all over the world, so the possibility of data theft increases. Who is trying to steal information?

  • Hackers appointed by particular states for information on country secrets, confidential national data, etc.;
  • Competitors who try to gain vital inside information on how the business of similar companies is conducted, including business know-how and financial details;
  • Employees who for their own gain would give information to fellow colleagues, or may do so due to grudges, or, in case of changing job, will take sensitive information with them;
  • Known beneficiaries, i.e. people whom you think are the security wall but who, in real terms, are the breakers and transferors.

70% of breaches that have occurred have taken place through someone you know: an employee, a hacker, someone who does not know what to share or not share on social media, or someone leaving the company without a proper handover of what information is to be disclosed to a third party. A very common live example happened in an IT company which had appointed a third party to do a CSR survey of all employees annually. The virus entered when one of the employees did not use the secure system to do the survey, and this virus spread to all target computers, from which hackers stole vital employee details such as PII. In a scenario where your supplier has access to your system (through invoices, e-bills, etc.), it makes much sense to have a policy and regulation for the supplier as well, and this should be documented in the contract.

Steps taken by govt. for data security

Statutory and regulatory compliance, for example the PCI DSS standards.

Management system

Enterprise risk management should be implemented, covering anti-bribery, regulatory compliance and other protections. The need for cyber security, and the risks involved in protecting data, must be communicated to employees.

What should be the system in place to control?

  • Screening and correct management
  • Policies and procedures at par for employees and third parties, including contractors
  • Inter-department alignment
  • Risk assessment and governance – the risk involved, ratings of low, medium and high risk, and remediation of those risks
  • Third party exposure – monitoring them through regular due diligence, both pre- and post-contract

Audits and regular training, such as sending phishing emails to employees and making sure they do not fall prey to such emails; in the event they do, regular training needs to be imparted. Changes in technology, updates and upgrades: keeping up with new technology and improving internal systems to keep up to speed with changes.

How do companies deal with data protection in their contracts?

Traditionally, we say that a contract is where we make sure all is covered and, if something goes wrong, we fix the contract. But what about due diligence and risk management?

  • NDA and confidentiality right at the RFP stage;
  • Privacy Policy;
  • Test the cloud first – Checklist (Infrastructure/Data/Regulatory Requirement);
  • Negotiate with the provider on LOL, Indemnity, and Confidentiality;
  • Right to Audit;
  • Due diligence;
  • Risk management – identify (prioritize what you want to protect: public, internal, restricted, secret), assess (reputational risk, the cost to the company, business loss) and manage (steps to manage: contract clauses, policies, trainings);
  • Corporate policies you want your third party to comply with, including the supplier’s supplier (sub-contracting);
  • Various ways of how to disclose company information, including restricted and strictly confidential information as compared to that which is public information;
  • Contractual handover to the operational team (training and post-contractual risks).

In today’s competitive age, data-driven decision-making is both vital and often misunderstood. Business leaders are keen to improve the use of data and analytics technology to truly drive transformation and disruption throughout their organization, but there is still a great deal to learn about how to do so efficiently and effectively. Executives and their teams need the right data, the right data strategy, and a means of translating that into effective decisions and, ultimately, stakeholder influence.

Summary

  • Address data security and trade secrets/IP protection rights up front at the negotiation stage and capture them in the contract
  • The approach should be holistic, not just a one-time project; fixes and updates should be recurring, based on changes in law and regulatory requirements
  • Have a core Risk Center of Excellence (COE) team for any data breach and its remediation – both internal and for third parties
  • Comply with local laws and requirements in sync with company policies, and govern the sharing of data, especially by employees on social networking sites (not everyone is a designated spokesperson of the company)
  • Integrate cross-functional departments for improved turnaround time and knowledge sharing

Disclaimer – The views expressed in this article are the personal views of the author and are purely informative in nature.

