Who owns your data?

In a highly collaborative workplace, with individuals co-operating across corporate and personal boundaries, it is becoming increasingly difficult to manage data ownership.

In the event of information loss, arguments about who owns the data, in whole or in part, are in effect pointless – and certainly will be dismissed by bodies such as the Information Commissioners Office. The result will be large fines and/or extensive negative publicity and loss of corporate confidence.

Organisations need to demonstrate a commitment to minimising the risk of data exposure. It is only by reducing incidence of data breach by employing effective tools such as data encryption that organisations can step aside from this debate, remove the risk of expensive fines and, critically, safeguard both customer and employee data at all times.

Data loss

In an increasingly joined-up world, real-time data sharing has become a fundamental tenet of effective business practice. Yet despite a growing raft of regulations designed to safeguard information – from the Data Protection Act (DPA) onwards – information breaches, through mistake or criminal intent, continue.

The Information Commissioner’s Office (ICO) reports 305 NHS data breaches, 288 private sector breaches, 132 local government breaches and 18 in central government since 2007; whilst the Privacy Rights Clearinghouse (PRC) states that, in 2010, there was a 240% increase in reported data breaches from the previous year.

The implications of this data loss are significant – and expensive, with research by the Ponemon1 Institute estimating the cost of a lost laptop at about $50,000 per machine, $5000 for replacing the equipment and $45,000 associated with the cost of the data breach and intellectual property loss.

If a stolen laptop is protected with full disk encryption, then the cost of the loss drops from $50,000 to $5000. Given that around 3.33% of all corporate machines are lost or stolen each year; this is a significant saving in cost and risk for most businesses.

Taking control

A key consideration in addressing data loss and understanding the associated risk is data ownership. In most cases the data originator is the designated data owner – although this can become difficult to manage in any situation where multiple individuals from diverse organisations are collaborating on a single project.

Organisations working together must ensure partners are complying with required regulations or security standards, such as the Payment Card Industry Data Security Standard or BS 77992 (ISO 27002). Furthermore, if a customer or citizen provides data to an organisation that data remains, in effect, under the control of that individual: it has been provided for a specific purpose and the organisation should attain permission to use that data for any other means.

Given the risks associated with data breach and the compromise of sensitive information, and the challenges associated with managing data ownership, organisations need to put in place information policies that reflect this highly integrated business environment. It is also important to create the right information culture.

Every individual must take responsibility for corporate security – from always adhering to physical security requirements to complying with data security polices, such as never removing data from the building.

To be effective and maximise compliance, these policies must make sense: organisations need to ensure that every member of staff understands the implications of data ownership – especially as it relates to customer/citizen data and the rights the organisation has to use and share that data.

Furthermore, organisations need to facilitate compliance by enforcing these policies with adequate penalties for data misuse whilst also facilitating effective yet secure data usage.

And this is key: with the right security solutions, most notably data encryption, the argument about data ownership becomes irrelevant in the event of a breach, because the data cannot be compromised. Encryption demonstrates to regulatory bodies and auditors that the company has taken reasonable steps to safeguard information, while also providing customers and business partners with confidence in the quality and security of operations.

Low maintenance

Organisations need also to be pragmatic, balancing policy and enforcement with control and ensuring productivity is not compromised by security solutions. Traditionally, it has been extremely tough to address data confidentiality and data usage without investing in technology solutions that have a massive and untenable maintenance overhead.

However, the latest generation of disk encryption technologies utilising network recourses for pre-boot authentication has overcome the maintenance problem, no longer requiring dedicated resources to undertake cryptographic password resets, for example. This shift transforms the cost of ownership of disk encryption, making the technology far more affordable for the vast majority of companies.

Taking this approach, organisations can address data confidentiality and the protection of intellectual property by ensuring the data on any machine that is compromised – from PC being repurposed at end of life to a stolen laptop or PDA – is secure.

Furthermore, once encryption is used to impose control over data confidentiality, organisations that can begin to fine tune data ownership issues, considering not only data protection but also enforcing appropriate usage. Who should have access to data; and when and where should it be used?

For example, should a large financial services organisation that encompasses both mortgage provision and insurance services be permitted to analyse customer mortgage payments – a factor with a proven link to the likelihood of making a car insurance claim – to determine the insurance quote?

Data Leakage Protection (DLP) technologies offer companies the chance to impose both content and context sensitive data usage policies, reinforcing compliance and flagging up the risk of users breaking corporate guidelines by, for example, downloading data to a USB stick. Again, however, these technologies are today maintenance heavy, creating a cost of ownership that prohibits widespread adoption for the time being.

Conclusion

The data ownership debate will become ever more heated as the supply chain complexity increases and organisations embark upon ever more extended working partnerships. Add in the issue of customer/citizen data ownership and the organisation’s right to use that data and organisations cannot afford to incur the levels of data loss and breach currently endemic.

Organisations must create a culture that reflects the importance of data ownership and impose control with both robust response and effective tools. By leveraging the latest generation of disk encryption technologies, organisations can eliminate the data ownership argument in the event of compromise or breach and remove the risk of compromise. With this critical layer in place, organisations will have the chance to build new policies and processes that impose context and content level control over data usage, creating a new era of data usage security.

Garry McCracken has more than 25 years of experience in data communications and information security. He has been responsible for the development of WinMagic's full-disk encryption solutions for desktops, laptops, and PDAs. Prior to working at WinMagic, McCracken was vice President at Kasten Chase, a publicly traded technology company, where he played a key role in assuring the company's compliance with strict security standards imposed by the Canadian and International Industrial Security Directorate. Garry holds an Honours, Co-op, Bachelor of Mathematics degree in Computer Science from the University of Waterloo. He furthered his education by successfully completing CATA's Certified Advanced Technology Manager program, writing the BS 7799-2 Information Security Management System Auditor exam, and obtaining the Certified Information Systems Security Professional (CISSP) designation from (ISC)2.