Managing the digital risk
15 May 2000
Despite the benefits of going high-tech, there are serious risks involved, especially when filing important documents. Richard Stevens reports on what firms have to look out for.
If you visit the headquarters of any large corporation, access will be restricted. Visit its corporate website and there will be barriers designed to prevent access to the parts of its computer networks that it would rather you did not reach. Look within the organisation and you will probably find commercially sensitive data, widely disseminated, just waiting to be misused.
Today, data is created, disseminated and stored electronically without thought as to the consequences of its creation or retention.
Look back at an old-fashioned organisation not heavily dependent on IT. Here you will find comprehensive filing systems which prevent the mingling of data of different types. You will also find a data destruction policy which specifies how long the paper files are to be retained. The policy will be flexible enough to enable some data types to be retained longer than others. Because documents could not be copied at the push of a button at a recipient's desk, fewer copies were made. The author of a document had a reasonable, but not perfect, idea as to how many copies of a document were likely to be made.
Look around that same office today, now heavily dependent on IT. There is much less filing. More paper is used than before, but it is thrown away at the end of the day, still replete with sensitive material. The systems are backed up, so the perceived need to keep paper copies is reduced.
How long are back-up discs retained? They may contain information that must be kept for a long period, such as accounting or taxation data. They will also contain much transitory information which used to be consigned to the dustbin of history. It is too difficult to strip that material out of the disc, and anyway the disc does not take up much space. But as many have found to their cost, such material can be very embarrassing when discovered in the course of legal proceedings.
Even searching for the material that may be responsive to a proper demand for information can place very serious burdens on an organisation.
The first task is probably to find the hardware and software of several years ago and to persuade it to work. Then you are faced with the serried ranks of discs that all look the same as each other. They contain mingled, unclassified data, invisible to the human eye. Add to this the probability that the data has been copied many times over and may have been slightly changed in the process. The traditional approach of identifying the usual suspects who might hold the responsive data may not work.
The very ability to copy data so quickly and cheaply, which has become the norm of commercial life, poses a serious threat to the property of an organisation.
Thieves can steal the secrets of an organisation and have them leave the building electronically well before they themselves leave. This is assuming that they need to be in the building in the first place. Usually they will leave a trail behind, but it may require considerable skill and knowledge to track down.
Equally, today's organisations can take some simple steps to protect themselves against such a state of affairs. These steps require a combination of procedural and electronic tools. Proper digital risk management should assist organisations in preventing the theft of intellectual assets, in retaining only what is essential, and in mitigating the considerable cost of searching for electronic data when compelled to do so.
Richard Stevens is a partner at PricewaterhouseCoopers.