AIIM - The Global Community of Information Professionals

Equifax and a sense that I've seen this movie before

Sep 8, 2017 1:56:04 PM by John Mancini

As Yogi would say, it’s like déjà vu all over again.

143 million customers with compromised personal information. Let that number sink in for a moment. And in the irony of ironies, from the very company that many of us are directed to go to when our identities are compromised.

I wondered if I was one of them (you can check your own status HERE just for fun). Yup.


Somehow, we’ve become anesthetized to this type of thing. And as Ars Technica points out, the successive string of previous mind-numbing breaches perhaps leads us to underestimate the impact of this particular breach.

“The breach Equifax reported Thursday, however, very possibly is the most severe of all for a simple reason: the breath-taking amount of highly sensitive data it handed over to criminals. By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be. The theft, by criminals who exploited a security flaw on the Equifax website, opens the troubling prospect the data is now in the hands of hostile governments, criminal gangs, or both and will remain so indefinitely.

Hacks hitting Yahoo and other sites, by contrast, may have breached more accounts, but the severity of the personal data was generally more limited. And in most cases the damage could be contained by changing a password or getting a new credit card number.”

The Equifax release comes at the very time I was looking at our most recent Privacy and Governance Industry Watch research -- Governance and Compliance in 2017: A Real World View. Consider the following:

  • 48% would rate the maturity of their company’s information governance (IG) policies as “poor” or “very poor.”
  • 24% describe their file management as “chaotic.”
  • 64% agree – “Our biggest problem is not creating IG policies, it’s enforcing them.”
  • 58% agree – “Our lack of effective information governance leaves our organization wide open and vulnerable to litigation and/or data privacy issues.”

Goodness, I feel like I’ve seen this movie before. Kind of like the 107 times that I've watched The Shawshank Redemption every time it comes across my television.

The three biggest issues in creating an information governance policy? 1) Getting anybody to be interested; 2) Getting senior management endorsement; 3) Having the right people at the table. 

Ding, ding, ding. C-Level – are you paying attention?

Here’s the self-evaluation of 200 companies of their information privacy and security capabilities. And consider that these are companies in the AIIM database – data for companies in the wild would be much worse. Yikes.

How would you describe your company in… (percentage answering “Below average”)

  • Preventing data losses, privacy breaches and confidentiality issues – 9%
  • Compliance with legal, audit and regulators’ rules – 9%
  • Supporting or defending litigation or disputes – 15%
  • Reducing storage space/defensible deletion – 40%
  • Securing intellectual proprietary, competitive or sensitive information – 16%
  • Ability to respond to requests, e.g. Freedom of Information, personal data, etc. – 19%
  • Creating searchable knowledge for future reference – 37%
  • Defining staff responsibilities for desk, home and mobile security – 20%
  • Including SaaS systems in the information governance strategy – 38%
  • Using existing information for Business Intelligence/Business Strategy – 28%

Lest I sound too heavy-handed with regard to C-Suite accountability, I think there is also some responsibility that rests with all of us in the records management community. We have to acknowledge that many of our approaches to records management are largely still steeped in manual and paper-based policies and strategies.

In an era in which the problems are created by ubiquitous connectivity, bad – and national – players, and exploding volumes of digital information, the problem with the preceding sentence is not the words records management.  It’s the words manual and paper-based policies and strategies. Of course there are many awesome exceptions to this over-generalization. Of course. But I think all of us who claim to be information professionals need to own a bit of accountability for failing to steer the profession and our focus much more rapidly in the direction of automated processing and machine learning.

The light at the end of the tunnel – admittedly a way off for many companies – is that 70% agree with this statement: “Automation is the only way to keep up with the volumes coming at us.”

And yet…and yet…

Do you have automated tools to do any of the following? (Response Percent)

  • Detect security risks and misallocated access or confidentiality – 30%
  • Detect duplicate files – 27%
  • Monitor unusual user activity, and non-compliance with appropriate use (Attempted access, insider trading, anti-competition, bribery, etc.) – 27%
  • Flag for deletion based on application of retention rules – 22%
  • Detect PII (personally identifiable information) – 20%
  • Monitor performance and resilience of EFSS/ECM/ERM system – 19%
  • Tag, add or enhance metadata based on rules – 16%
  • Data selection or metadata mapping in advance of migration – 15%
  • Measure access frequency for hierarchical storage – 14%
  • Detect/partition/delete trivial or non-important content – 8%
  • Monitor Audio/Video for compliance purposes – 7%
  • Other – 4%
  • None of the above – 32%

We've all got a lot of work to do. Let's not waste these unfortunate "opportunities" for education.

We all know that however much we want to point the finger at Equifax, truth be told, there but for the grace of God....

You can get a free executive summary of the Governance and Compliance in 2017: A Real World View survey HERE.


Topics: information governance, electronic records management, security, information security, equifax
