As Yogi would say, it’s like déjà vu all over again. 143 million customers with compromised personal information. Let that number sink in for a moment. And in the irony of ironies, it comes from the very company that many of us are directed to go to when our identities are compromised.
I wondered if I was one of them. Yup.
Somehow, we’ve become anesthetized to this type of thing. And as Ars Technica points out, the successive string of previous mind-numbing breaches perhaps leads us to underestimate the impact of this particular breach.
“The breach Equifax reported Thursday, however, very possibly is the most severe of all for a simple reason: the breath-taking amount of highly sensitive data it handed over to criminals. By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be. The theft, by criminals who exploited a security flaw on the Equifax website, opens the troubling prospect the data is now in the hands of hostile governments, criminal gangs, or both and will remain so indefinitely.
Hacks hitting Yahoo and other sites, by contrast, may have breached more accounts, but the severity of the personal data was generally more limited. And, in most cases, the damage could be contained by changing a password or getting a new credit card number.”
The Equifax release comes at the very time I was looking at our most recent Privacy and Governance Industry Watch research -- Governance and Compliance in 2017: A Real World View. Consider the following:
The three biggest issues in creating an information governance policy? 1) Getting anybody to be interested; 2) Getting senior management endorsement; 3) Having the right people at the table.
Ding, ding, ding. C-Level – are you paying attention?
Here’s how 200 companies self-evaluated their information privacy and security capabilities. And consider that these are companies in the AIIM database – data for companies in the wild would be much worse. Yikes.
| How would you describe your company in… | “Below average” |
| --- | --- |
| Preventing data losses, privacy breaches, and confidentiality issues | 9% |
| Compliance with legal, audit, and regulators’ rules | 9% |
| Supporting or defending litigation or disputes | 15% |
| Reducing storage space/defensible deletion | 40% |
| Securing intellectual property, competitive, or sensitive information | 16% |
| Ability to respond to requests, e.g., Freedom of Information, personal data, etc. | 19% |
| Creating searchable knowledge for future reference | 37% |
| Defining staff responsibilities for desk, home, and mobile security | 20% |
| Including SaaS systems in the information governance strategy | 38% |
| Using existing information for Business Intelligence/Business Strategy | 28% |
Lest I sound too heavy-handed with regards to C-Suite accountability, I think there is also some responsibility that rests with all of us in the records management community. We have to acknowledge that many of our approaches to records management are largely still steeped in manual and paper-based policies and strategies.
In an era in which the problems are created by ubiquitous connectivity, bad – and nation-state – actors, and exploding volumes of digital information, the problem with the preceding sentence is not the words “records management.” It’s the words “manual and paper-based policies and strategies.” Of course, there are many awesome exceptions to this over-generalization. Of course. But I think all of us who claim to be information professionals need to own a bit of accountability for failing to steer the profession and our focus much more rapidly in the direction of automated processing and machine learning.
The light at the end of the tunnel – admittedly a long way off for many companies – is that 70% agree with this statement: “Automation is the only way to keep up with the volumes coming at us.”
And yet…and yet…
| Do you have automated tools to do any of the following? | Response Percent |
| --- | --- |
| Detect security risks and misallocated access or confidentiality | 30% |
| Detect duplicate files | 27% |
| Monitor unusual user activity, and non-compliance with appropriate use (attempted access, insider trading, anti-competition, bribery, etc.) | 27% |
| Flag for deletion, based on application of retention rules | 22% |
| Detect PII (personally identifiable information) | 20% |
| Monitor performance and resilience of EFSS/ECM/ERM system | 19% |
| Tag, add, or enhance metadata based on rules | 16% |
| Data selection or metadata mapping in advance of migration | 15% |
| Measure access frequency for hierarchical storage | 14% |
| Detect/partition/delete trivial or non-important content | 8% |
| Monitor audio/video for compliance purposes | 7% |
| Other | 4% |
| None of the above | 32% |
We've all got a lot of work to do. Let's not waste these unfortunate "opportunities" for education. We all know that however much we want to point the finger at Equifax, truth be told, there but for the grace of God...