By: John Mancini on September 8th, 2017
Equifax and a Sense That I’ve Seen This Movie Before
Information Governance | Information Security
As Yogi would say, it’s like déjà vu all over again. 143 Million customers with compromised personal information. Let that number sink in for a moment. And in the irony of ironies, from the very company that many of us are directed to go to when our identities are compromised.
I wondered if I was one of them. Yup.
Somehow, we’ve become anesthetized to this type of thing. And as Ars Technica points out, the successive string of previous mind-numbing breaches perhaps leads us to underestimate the impact of this particular breach.
“The breach Equifax reported Thursday, however, very possibly is the most severe of all for a simple reason: the breath-taking amount of highly sensitive data it handed over to criminals. By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be. The theft, by criminals who exploited a security flaw on the Equifax website, opens the troubling prospect the data is now in the hands of hostile governments, criminal gangs, or both and will remain so indefinitely.
Hacks hitting Yahoo and other sites, by contrast, may have breached more accounts, but the severity of the personal data was generally more limited. And, in most cases, the damage could be contained by changing a password or getting a new credit card number.”
The Equifax release comes at the very time I was looking at our most recent Privacy and Governance Industry Watch research -- Governance and Compliance in 2017: A Real World View. Consider the following:
- 48% would rate the maturity of their company’s information governance (IG) policies as “poor” or “very poor.”
- 24% describe their file management as “chaotic.”
- 64% agree – “Our biggest problem is not creating IG policies; it’s enforcing them.”
- 58% agree – “Our lack of effective information governance leaves our organization wide open and vulnerable to litigation and/or data privacy issues.”
The three biggest issues in creating an information governance policy? 1) Getting anybody to be interested; 2) Getting senior management endorsement; 3) Having the right people at the table.
Ding, ding, ding. C-Level – are you paying attention?
Here’s the self-evaluation of 200 companies of their information privacy and security capabilities. And consider that these are companies in the AIIM database – data for companies in the wild would be much worse. Yikes.
| How would you describe your company in… | “Below average” |
|---|---|
| Preventing data losses, privacy breaches, and confidentiality issues | 9% |
| Compliance with legal, audit, and regulators’ rules | 9% |
| Supporting or defending litigation or disputes | 15% |
| Reducing storage space/defensible deletion | 40% |
| Securing intellectual proprietary, competitive, or sensitive information | 16% |
| Ability to respond to requests, e.g., Freedom of Information, personal data, etc. | 19% |
| Creating searchable knowledge for future reference | 37% |
| Defining staff responsibilities for desk, home, and mobile security | 20% |
| Including SaaS systems in the information governance strategy | 38% |
| Using existing information for Business Intelligence/Business Strategy | 28% |
Lest I sound too heavy-handed with regards to C-Suite accountability, I think there is also some responsibility that rests with all of us in the records management community. We have to acknowledge that many of our approaches to records management are largely still steeped in manual and paper-based policies and strategies.
In an era in which the problems are created by ubiquitous connectivity, bad – and national – players, and exploding volumes of digital information, the problem with the preceding sentence is not the words records management. It’s the words manual and paper-based policies and strategies. Of course, there are many awesome exceptions to this over-generalization. Of course. But I think all of us who claim to be information professionals need to own a bit of accountability for failing to steer the profession and our focus much more rapidly in the direction of automated processing and machine learning.
The light at the end of the tunnel – admittedly a way off for many companies – is that 70% agree with this statement – “Automation is the only way to keep up with the volumes coming at us.”
And yet…and yet…
| Do you have automated tools to do any of the following? | Response Percent |
|---|---|
| Detect security risks and misallocated access or confidentiality | 30% |
| Detect duplicate files | 27% |
| Monitor unusual user activity, and non-compliance with appropriate use (Attempted access, insider trading, anti-competition, bribery, etc.) | 27% |
| Flag for deletion, based on application of retention rules | 22% |
| Detect PII (personally identifiable information) | 20% |
| Monitor performance and resilience of EFSS/ECM/ERM system | 19% |
| Tag, add, or enhance metadata based on rules | 16% |
| Data selection or metadata mapping in advance of migration | 15% |
| Measure access frequency for hierarchical storage | 14% |
| Detect/partition/delete trivial or non-important content | 8% |
| Monitor Audio/Video for compliance purposes | 7% |
| Other | 4% |
| None of the above | 32% |
We've all got a lot of work to do. Let's not waste these unfortunate "opportunities" for education. We all know that however much we want to point the finger at Equifax, truth be told, there but for the grace of God...
About John Mancini
John Mancini is the President of Content Results, LLC and the Past President of AIIM. He is a well-known author, speaker, and advisor on information management, digital transformation and intelligent automation. John is a frequent keynote speaker and author of more than 30 eBooks on a variety of topics. He can be found on Twitter, LinkedIn and Facebook as jmancini77.
Recent keynote topics include:
- The Stairway to Digital Transformation
- Navigating Disruptive Waters — 4 Things You Need to Know to Build Your Digital Transformation Strategy
- Getting Ahead of the Digital Transformation Curve
- Viewing Information Management Through a New Lens
- Digital Disruption: 6 Strategies to Avoid Being “Blockbustered”
Specialties:
- Keynote speaker and writer on AI, RPA, intelligent Information Management, Intelligent Automation and Digital Transformation.
- Consensus-building with Boards to create strategic focus, action, and accountability.
- Extensive public speaking and public relations work.
- Conversant and experienced in major technology issues and trends.
- Expert on inbound and content marketing, particularly in an association environment and on the Hubspot platform.
John is a Phi Beta Kappa graduate of the College of William and Mary, and holds an M.A. in Public Policy from the Woodrow Wilson School at Princeton University.