The Dark Side of Big Data
Michael Josephs
CIO, StrataCare, A Xerox Company
© 2014 StrataCare, A Xerox Company
All Rights Reserved.
Big Data: Maslow's Hierarchy of Needs, circa 2014
Big Data: It's a Gold Mine

Growth in Data Production
– 2.5 quintillion bytes estimated to be generated from sources such as online or mobile financial transactions, social media traffic, and GPS coordinates (1)
– 450 billion transactions per day on the internet (B2B and B2C) by 2020, as estimated by IDC
– 44-fold increase in overall data production predicted for 2020 over 2009 (2)
– Replicated Costs & Risks: Many captured transactions are replicated 5 times (or more)
– Employee BYOD: A Cisco survey found 89% of companies already have employee BYOD for work

(1) World Economic Forum, Big Data, Big Impact: New Possibilities for International Development
(2) CSC, Big Data Universe

What Can You Do With It?
– Accelerate more intelligent decisions: Large data sets allow for more accurate instrumentation of processes for improved business results
– Improve services: Optimize distribution methods, better evaluate and allocate risk, and detect fraud
– Target sales: Segment customers and potential customers more granularly for more efficient business development
– Create new revenue streams: Establish derived products and services

We Breathe Data
Big Data Has a Dark Side

It's a Gold Mine: What Can You Do With It? (the four opportunities listed on the previous slide: more intelligent decisions, improved services, targeted sales, new revenue streams)

Cost and Risk Continuum
– Security
– Regulatory Compliance
– Liability
– Litigation and Discovery
– Infrastructure
Big Data: Most Significant Risks and Costs Aren't Always Clearly Visible
– Emerging Statutory Compliance & Audits
– Contractual Nuance and Stipulations
– Existing Infrastructure and Security
– eDiscovery Obligations
– Evolving the Infrastructure & Security Approach
– Establish Service Level Agreements
– Refine Data Retention Policies/Procedures
– Privacy by Design
Big Data – Existing Infrastructure and Information Security

Data Segments Are Often Replicated Up To 5X (diagram: Transactional DB, Mirror, EDW, DR/BC, Third Party Ecosystem)

Replicated Costs ++
– Standard data topologies often include 5 or more replications of data that must be protected
– Technical and procedural approaches must be established and maintained for all of them
– Separate (yet equally stringent) technical and procedural approaches are often needed for the business ecosystem (third party ecosystem)
Big Data – Existing Infrastructure and Information Security

What is Going On
– Executives are becoming more risk averse than ever before
– At the same time, Big Data initiatives sometimes get a hall pass from complete business case rigor
– Evolving Standards
  • Standards for what constitutes acceptable risk for sensitive data protection are changing rapidly
  • As a result, owners of sensitive data are continually reexamining their data security standards and security programs
– Third party vendors and data custodians are under increasing pressure (and scrutiny) to reduce risk levels
– IT budgets are shifting emphasis from innovation to risk reduction

Where is it Going
– Experienced InfoSec staff are in great demand, making hiring and retention increasingly difficult
– More targeting of standard management frameworks (ISO 27001:2, etc.) for data hosting and the security programs aimed at its protection
– Data custodians retaining unlimited liability for data breach (no caps) and for ensuring subcontractors meet the same data security SLAs
– Increasing investment in data masking, which is becoming foundational to any data custodianship platform

The challenge is operating one comprehensive data security program while adhering to customers' "a la carte" data security demands
Big Data – Regulatory Compliance

What is Emerging
– Expanding Laws and Regulations: Expansion, but without harmonization
  • Government frameworks (FTC; The White House)
  • Complex international laws and regulations (EU, Canada, Australia, Asia, Latin America)
– State Data Security and Privacy/Data Breach Laws: 47 states have now adopted laws that in many respects are far more rigorous than HIPAA/HITECH

Responding
– Know which laws and regulations apply to your (and your customers') business
– Maintain compliance, and documented third party verification, for legally required practice standards (HIPAA, PCI, GLB, etc.)
– Monitor emerging state data breach laws
  • Notification to affected individuals
  • Notice to state AGs (FL, MA, CA)
  • Government consent decrees (FTC)

Organizational Design: Ensure executive compliance oversight has appropriate organizational stature and authority
Big Data – Contractually Speaking

Trending…
– Hot Topic: Data security is one of (if not) the most hotly negotiated terms and conditions in data custodianship related contracts
– Expanding SLA Coverage: Customers are now demanding that contract SLAs cover:
  • Any and all federal and state laws and industry standards will apply to SLAs (even those that don't apply)
  • Data custodian retains unlimited liability for data breach (no caps)
  • Data custodian remains liable for ensuring subcontractors meet all customer data security SLAs
  • Data custodian is responsible for breach notification
  • Customers have audit rights
  • Return/destruction of data (data ownership remains a gray area?)

Some Protective Steps
– Minimize the custom nature of provisions and align limitation of liability with insurance caps
– Fully understand the cost of augmenting existing, or implementing and maintaining new, security practices before contractual agreement (including the cost of ongoing audits)
– Use of standards is increasing, as customers tend to be more accepting of industry adopted management frameworks (ISO 27001:2, NIST, etc.), possibly reducing audit participation efforts
– Maintain compliance, and documented third party verification, for legally required practice standards (HIPAA, PCI, etc.)
– Blind data/feedback licenses
– Separate the cost of breach notification (vendor) from actual notification (customer)
Big Data – Contractually Speaking (Third Party Ecosystem)

Realities
– The Weak Link:
  • Your data security program is only as strong as your weakest subcontractor/provider
  • Many niche service providers are not able to meet fundamental state-of-the-practice information security standards
– Data Custodians Have Two Key Duties:
  • Duty to Protect: Covers appropriate and reasonable measures to protect data against a breach
  • Duty to Disclose: Notification of breaches to affected parties and regulators; material risks for public companies

Dealing
– Take a comprehensive, no-concession approach to vendor audits/assessments
– Consider sharing data only AFTER a vendor is fully compliant with security and practice requirements
– Make access to your clients dependent on keeping pace with the state of the practice
– Engage with 3rd party credentialing services such as 3PAS

Ensure your 3rd party service provider contracts are as comprehensive as the ones you establish with your clients
Big Data – Data Retention

What is Going On Here
– Responding to Risk: Organizations are radically re-thinking their data retention policies (where they exist)
– Key Drivers (for revised data retention policies) include:
  • Customer contract T's & C's
  • Vendor record retention policies and procedures
  • Litigation holds
  • Laws (SEC, IRS, FTC, etc.)
  • Industry standards
  • 360 degree cost of retention
– Heterogeneity: Managing client-specific data retention plans can be highly costly to administer

Getting Out Ahead
– Establish a well vetted and documented data retention policy (a "default" scenario is rarely a good one)
– Standardize customer and 3rd party vendor contracts and maintain a centralized record for reference and compliance audits
– Implement secure data destruction mechanisms as part of the program

Data retention policies must balance the risks of having "it" with the rewards of leveraging "it"
Big Data – eDiscovery

Growing Costs
– Possession: If you have "it" (whether or not you should have it), you may have to produce and preserve it
  • Party litigant (via eDiscovery demand)
  • Non-party witness
  • Subject of government investigations
– No Place to Hide: Cost or burden of production rarely matters (no excuse), especially for party litigants
  • Discovery/production-related costs can be massive
  • Consider whether forensic experts will be required
  • Sanctions/penalties for non-production/spoliation could be worse (e.g., contempt, monetary sanctions)

Some Steps to Take
– Deploy technology for supporting eDiscovery needs OR contract for these services
– Use data masking (data de-identification) along with an effective data retention program to reduce data scope for eDiscovery needs
– Ensure close interaction of legal, IT, accounting and other organizations for common understanding of record retention, destruction, and litigation hold policies and procedures

Continuously balance the benefit (actual or perceived) of retaining data against the costs and risks of protecting and managing it
Big Data: 90% of an Iceberg's Danger is Below the Visible Surface

This guy would know: Edward J. Smith, Captain, RMS Titanic
Big Data: 90% of Big Data's Danger is Below the Visible Surface

These folks would know
Thank You 
mjosephs@stratacare.com