September 21, 2016

Avoid Compliance Risk with a Practical Information Governance Plan

2 minute read

Data is hacked and stolen every day, causing a compliance risk nightmare. The Ponomen Institute estimates that data breaches cost companies an average of $174 per record. On top of the initial financial impact, organizations are often held liable and subject to legal and regulatory penalties.

As more information moves to the cloud, companies must be increasingly vigilant as their data isn't always under their control. As data storage has become more affordable, many businesses have kept redundant, obsolete and trivial (ROT) data "just in case". Unfortunately, there is significant inherent compliance risk in this strategy, as illustrated in the chart below.

Picture1.png

As you can see, the longer the ROT data is held onto, the more the compliance risk of managing it increases. Despite advancements in security and new processes, hackers create new and sophisticated ways to breach company data. By implementing a solid information governance plan, an organization can prevent compliance risk in the case of a hack or accidental data leak.

Now let's tackle the key components of an information governance program to help mitigate the damage of a potential data breach.

1. Clearly establish ownership of compliance and data privacy

 

2. Assess the process for any information shared outside the organization

 

3. Identify any Personally Identifiable Information (PII) and create appropriate business processes that include IT, legal and the records management team

 

4. Ensure policies are in place to meet federal, state, local and industry regulations

 

5. PII must be limited not only by user but by location

 

6. Clean up ROT data based on an approved retention schedule

 

7. Use encryption techniques whenever possible

 

8. The ability to have audit trails, logging and monitoring is essential to defensible disposition

 

Compliance risk via a data breach can be a crippling situation for a company if the proper programs and procedures aren't in place. The time to get started is now, before a serious incident occurs. 

Receive News Updates As Soon As They Happen