Information Governance Roadmap

Transcription

1 Information Governance Roadmap Mitigating Privacy Risks, Reducing Costs And Meeting Obligations

2 Speakers Heather Buchta Quarles & Brady Partner Rebecca Perry Jordan Lawrence CIPP/US/G Director of Professional Services

3 Over Retention Is Costly and Dangerous 3

4 Defensible Deletion Solves the Problems 4

5 What is Information Governance? 5

6 Gartner s Definition: The specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals. 6

7 Multi-Faceted Information security Data science Electronic discovery Business management Compliance Business intelligence Analytics Records management Finance Audit Privacy Risk Management IT and Infrastructure Management - Information Governance Initiative 7

8

9 ABC Company s Retention Schedule DOOM 9

10 Start With a Solid Foundation MEDIA DATA SUBJECTS SENSITIVITY PRIVACY RECORD TYPE DNA STORAGE REGULATORY USAGE & RETENTION 10

11 What Do You Have? Accident/Incident Records Advertising Records Benefit Records Budget Records Contracts & Agreements Coupon Records Credit Approvals Customer Information Customer Orders Employee Medical Files Gift Card Functions Payment Records Sales Receipts 11

12 Where Is It?

13 What Are the Requirements? BUSINESS NEEDS SENSITIVITY REQUIREMENTS Cardholder Data Corporate Sensitive Government IDs Intellectual Property PII Bio Metric Patient Health Info. DOL FSMA GLB HIPAA OSHA SEC State Privacy Laws 13

14 14

15 15

16 16

17 17

18 Actionable Retention Schedule 18

19 Retention For All Information Valid Business Records LEGITIMATE RETENTION REQUIREMENTS Litigation Holds Reference Value RETENTION VARIES Most Information HAS LITTLE RETENTION VALUE 19

20 Deletion Strategy for INBOX = 180 DAYS NON-ESSENTIAL COMMUNICATION SENT ITEMS = 180 DAYS DELETED ITEMS = 2 DAYS BUSINESS NEED COMMUNICATIONS 18 MONTH RETENTION (ALL DEPARTMENTS) DEPARTMENTAL EXCEPTIONS 6 YEAR RETENTION HR 7 YEAR RETENTION LEGAL 7 YEAR RETENTION TAX 20 DISABILITY RECORDS 6 YEARS

21 Leverage Technology RECORDS NON-RECORDS 6 Years 3 Years 18 Months

22 Eliminate Obsolete Paper Records 44% Of Boxes Eligible for Immediate Destruction Remaining Boxes 56% Destroyed Boxes 44% 22

23 Training ABC Company s Records Management Training 23

24 Build Your Audit Trail Require Regular Policy Attestation Records Retention Policy 24

25 Mitigating Privacy Risks Assessing Privacy Risks and Steps to Risk Reduction 25

26 Privacy Assessment Privacy Audit Due Diligence INTERVIEWS INVESTIGATION Identify Who? What? When? Where? Why? DATA CONSUMER OR BUSINESS? SOURCE ONLINE OR OFFLINE? GEOGRAPHY US OR FOREIGN? CONTEXT PURCHASES OR SWEEPSTAKES? STORAGE ONSITE OR OFFSITE? USAGE SHARED OR USED INTERNALLY? 26

27 Categorize your Data Create a data map Is your data sensitive? PERSONALLY IDENTIFIABLE? FINANCIAL? HEALTH RELATED? EMPLOYEE RELATED? Resulting risk profile and potential exposure 27

28 Regulatory Review UNITED STATES PERSONAL INFORMATION HEALTH INFORMATION FINANCIAL INFORMATION EMPLOYEE INFORMATION FEDERAL FTC Act COPPA CAN-SPAM TCPA FERPA STATE Breach Notification Point of Sale Collection State Consumer Protection Security Obligations FEDERAL HIPAA HITECH Health Breach Notification Rule GINA STATE HIPAA-like FEDERAL GLB FCRA FACTA STATE GLB-like FEDERAL ERISA FMLA Whistleblower Protection Act STATE Contract law 28

29 Industry Review CREDIT CARD DATA PCI DSS V.3 NEVADA 603A.215 MINNESOTA 325E.64 ONLINE TRACKING DIGITAL ADVERTISING ALLIANCE OBA AND RETARGETING NATIONAL INSTITUTE OF STANDARDS & TECHNOLOGY (NIST) MEDIA SANITATION CYBERSECURITY FRAMEWORK NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION (NERC) 29

30 Self-Imposed Obligations Contractual VENDORS CUSTOMERS Privacy Policies and Privacy Notices 30

31 Security Appropriate and Reasonable Security audit SYSTEMATIC, MEASURABLE TECHNICAL ASSESSMENT OF HOW THE ORGANIZATION'S SECURITY POLICY IS EMPLOYED AT A SPECIFIC SITE (SYMANTEC 2003) What is involved? PERSONAL INTERVIEWS VULNERABILITY SCANS (PEN-TESTING) EXAMINATIONS OF OPERATING SYSTEM SETTINGS ANALYSES OF NETWORK SHARES AND OTHER DATA 31

32 When, Not If WISP Consider Insurance Options Identify Key Team Members KEY EXECUTIVES COMPLIANCE CISO? LEGAL MARKETING/HR PR IT/FORENSICS INCIDENT RESPONSE VENDOR? Incident Response Plan Tabletop Exercises 32

33 Next Steps.. 1. Internal Privacy Program 2. Data Retention Schedule 3. Regularly Review 4. Continuing process. 33

34

35 Heather Buchta Partner Quarles & Brady Rebecca Perry CIPP/US Director of Professional Services Jordan Lawrence 35