(3) Data, Data, wherefore art thou, Data!?

Cybersecurity, Compliance and Consent. All words to live by in the data rich world we live in. Data is the new Oil just as Oil was the new black gold. Most data breaches are looking for Personally identifiable information (PII)** even before Financial Data. In some of the largest recent data breaches financial data was ignored because it had no 'shelf life'. Credit card numbers can be changed but your date of birth might be a bit harder.

**Note: Since this article was written, GDPR came into full effect bringing with it the expanded definition of 'personal information' that went beyond PII.

“means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; ”

Have you ever asked yourself;

• Do we know where our data is?
• Are we compliant?
• Did we get the appropriate consent to use that data?
• Who has access to the data?

The IT department will usually answer, 'Yes, it's in the cloud, yes, we assume we are compliant or the legal and compliance people would have said something and we use the data the way the business wants us to'. The Legal and Compliance departments mirror that comment with assumptions that IT would have made sure it was safe, secure and compliant. Does this sound familiar?

• 'We used a well known system/service provider with lots of security'
• 'We made sure our data was in our own domain'.
• 'We did a full Privacy Impact Assessment'.
• 'We have full control of all our data.'
• 'XYZ Company/City is already using the same system.'
• We have an open policy so data location and access is not that important.
• Our customer gave us the data so we can use it however we want.

But do you know where your data, records and email are? Do you know if you are compliant? Do you know what you can do with this data? How secure is that data?

The following outlines a Canadian viewpoint but can equally be applied to the EU (GDPR, NISD) or US (Patriot Act, Privacy Shield, EO 13768, Cloud Act and more).

Government bodies advise against using data centers outside of Canada for private/sensitive data but often the reasons cannot be articulated. 'They didn't say I can't use Amazon, Google or Microsoft's Cloud' is often stated with less confidence than you would expect. It seems companies have a gut feeling that there is an issue but can't really put their finger on it. With no-one holding up a sign outlining the specific section in FOIP, PIPA, PIPEDA, CGSB, ATIP, CASL etc. that prohibits it, companies just move ahead blindly into a compliance quagmire. Did you know that having a compliant approach to handling data is an important step to showing due diligence in the event of a breach?

Finally, we may have reached an area of thinking where the human mind and experience can compete or even think beyond the linear focus of AI and into the big picture world of Global Business Architecture. You could look all day through those individual pieces of legislation and not find anything to prohibit or even discourage international hosting of data, records or email. To find the reason, you have to look beyond the local legislation. The answer lies in the legislation, practices and policies local to where and who with the data resides and the constraints it imposes.

The nebulous nature of electronic data and records makes it hard for people to comprehend the challenges. To most 'in the cloud' just means stored 'elsewhere' and accessible locally from anywhere (laptop, phone, tablet, web browser). The reality is all you really have is a digital photocopy to view.

Imagine if your Canadian master paper records were stored in a warehouse somewhere in the US, or Europe. Each file folder could be stored with millions of other customer records. These file folders could be distributed throughout dozens of warehouses. This would enable your company records to be more easily indexed and accessed. Maybe all the records 'a-c' are in one warehouse and 'd-f' are in another. These could be stored along with similar records from many other individuals and companies. This would be to make the recovery of those records easier for the 'service provider'.

Now when you request a record you get a photocopy mailed to you. At each stop en route, there could be other 'temporary' photocopies made and held for a period of time. If you need to make a change, you send a modified photocopy to the 'service provider', using the same process, with the assumption that it replaces the old original record and no unauthorized copies or versions exist. This is only a hope as the custody care and control is now shared. The local authorities can access that information at anytime under the local legal powers but you won't always know it has happened. As a result, you can't let your customer know who has accessed that file. You have been assured that 'your' files are secure though but the service provider can't identify exactly which warehouse each file is in as the whole system is a 'black box'. I think I just heard a privacy and compliance officer weep! This would be bad enough even if you assume that none of these warehouses have been compromised and records removed, destroyed or changed. What company would even consider such a scenario for their mail-room or records department?

So, back to the cloud and the world of electronic data, records and communications. At each point in managing personal data (including things as simple as an email address) you should know some of the following;

• Where is my customer (in a global market you may have global customers)?
• How and where was the data collected and under what authority?
• What can I use it for?
• What do I use it for?
• How must I manage it (security, privacy, audit, retention, accuracy and more)?
• Where is it stored (and where are the copies, if any)?
• When I access the data, does it go anywhere else or are there 'temporary' copies made (store and forward)?

Now look at each of these questions specifically from the geographical legislation it falls under. Imagine that the data is stored in an EU data-center (you think, although it could be distributed over US and EU data centers). Your customer is a US citizen and you are a Canadian company. You discover a privacy breach, or worse, your customer informs you of a privacy breach they have been made aware of. Do you know the impacts to your business?

It is also important to remember that not all data breaches are brute force hacking from the internet. Sometimes your data can leave with an employee or consultant (either willfully or otherwise i.e. Edward Snowden a fired employee or a lost phone). Some of the largest data breaches in recent history have relied on the human factor to bypass Cybersecurity solutions from the inside. These could be willful removal of files to email attacks such was Wannacry or the John Podesta phishing email. Do you know;

• Who has access to the data (employees, consultants, third parties)?
• Can you manage or remove access to data at a moments notice? This has been standard with tools such as Good, Citrix or Microsoft security policies.
• Can you control the data when it leaves your environment? Did you know Microsoft has a solution that can control document access outside of your environment?
• Do you have a responsible data security policy and system for BYOD? Can you control which devices have access to data and what they can do with it?

Allowing employees to access and download email on a personal phone, tablet or home PC that doesn't have even a rudimentary password policy can leave your organisation exposed. It was bad practice before the cloud became so popular, what would make people think it was OK now?

What can you use that data for? In a world of AI, Big Data and Machine learning it is so easy to reuse that large store of data you have been collecting for new and exciting purposes. However, if that data was collected for a specific purpose you may have to get new explicit consent from the owner of the information. Just because you have the ability to crunch data technically, does not mean you can legally. You might have a list of email addresses but CASL has something to say about spamming even your existing customers.

Don't wait to discover you are not compliant, safe and secure. This is an area where the law in all geographical areas is quite unforgiving and 'ignorance is no excuse'. It could cost you more than you think.

It's never to late to address the problem but it may be too late after you discover a breach or fail an audit. In the world of the cloud, like real estate, you should always remember, location, location, location.

For an example of how this impacts the view of information you may have and how the unconnected can become connected. Einstein Puzzle REBOOTED.

• (1) The First Digital Evolution
• (2) Real World Turing Test. Would You Pass?
• (3) Data, Data, wherefore art thou, Data!"
• (4) Sometimes the Destination is more important than the Journey.
• (5) Cyber-security, Compliance and Consent.
• (6) The First Digital Evolution.
• (7) Social Media or Social Engineering.
• (8) Is it time for the Scarecrow to visit the Wizard again?
• (9) The Einstein Puzzle REBOOTED.
• (10) BlockChain. An open discussion.
• (11) Are we the new Digital Soylent Green?
• (12) Trust without Verify - I Think Not!

David Dickson is a Consulting C.E.O. and owner at DKS DATA
(www.dksdata.com). Our Services
Remember to eat your Soylent Greens.