
Page 1

The Dark Side of Big Data

CIO, StrataCare, A Xerox Company

Michael Josephs

Page 2

© 2014 StrataCare, A Xerox Company. All Rights Reserved.

Big Data

Maslow’s Hierarchy of Needs (circa 2014)

Page 3

Big Data

It’s a Gold Mine

Growth in Data Production

– 2.5 quintillion bytes estimated to be generated from sources such as online or mobile financial transactions, social media traffic, and GPS coordinates (1)

– 450 billion transactions per day on the internet (B2B and B2C) by 2020, as estimated by IDC

– 44-fold increase in overall data production in 2020 over 2009 predicted (2)

Replicated Costs & Risks: Many captured transactions are replicated 5 times (or more)

Employee BYOD: Cisco survey found 89% of companies already have employee BYOD for work.

(1) World Economic Forum, Big Data, Big Impact: New Possibilities for International Development
(2) CSC, Big Data Universe

What Can You Do With It?

$ Accelerate More Intelligent Decisions: Large data sets allow for more accurate instrumentation of processes for improved business results

$ Improve Services: Optimize distribution methods, better evaluate and allocate risk and detect fraud

$ Target Sales: More granularly segment customers and potential customers for more efficient business development

$ Create New Revenue Streams: Establish derived products and services

We Breathe Data

Page 4

Big Data

Big Data Has a Dark Side


Cost and Risk Continuum

Security

Regulatory Compliance

Liability

Litigation and Discovery

Infrastructure

Page 5

Big Data

Most Significant Risks and Costs Aren’t Always Clearly Visible

Emerging Statutory Compliance & Audits

Contractual Nuance and Stipulations

Existing Infrastructure and Security

eDiscovery Obligations

Evolving the Infrastructure & Security Approach

Establish Service Level Agreements

Refine Data Retention Policies/Procedures

Privacy by Design

Page 6

Big Data – Existing Infrastructure and Information Security

Data Segments Are Often Replicated Up To 5X

Diagram labels: Transactional DB, Mirror, EDW, Third Party Ecosystem, DR/BC

Replicated Costs ++

– Standard data topologies often include 5 or more replications of data that must be protected

– Technical and procedural approaches must be established and maintained for all of them

– Separate (yet equally stringent) technical and procedural approaches are often needed for the business ecosystem

Page 7

Big Data – Existing Infrastructure and Information Security

What is Going On

– Executives are becoming more risk averse than ever before

– At the same time, Big Data initiatives sometimes get a hall pass from complete business case rigor

– Evolving Standards

• Standards for what constitutes acceptable risk for sensitive data protection are changing rapidly

• As a result, owners of sensitive data are continually reexamining their data security standards and security programs

– Third party vendors and data custodians are under increasing pressure (and scrutiny) to reduce risk levels

– IT budgets are shifting emphasis from innovation to risk reduction

Where is it Going

– Experienced InfoSec staff are in great demand, making hiring and retention increasingly difficult

– More targeting of standard management frameworks (ISO 27001:2, etc.) for data hosting and the security programs aimed at its protection

– Data custodians retaining unlimited liability for data breach (no caps) and for ensuring subcontractors meet the same data security SLAs

– Increasing investment in data masking is becoming foundational to any data custodianship platform

The challenge is operating one comprehensive data security program while adhering to customers’ “a la carte” data security demands

Page 8

Big Data – Regulatory Compliance

What is Emerging

– Expanding Laws and Regulations: Expansion but without harmonization

• Government Frameworks (FTC; The White House)

• Complex international laws and regulations (EU, Canada, Australia, Asia, Latin America)

– State Data Security and Privacy/Data Breach Laws: 47 states have now adopted laws that in many respects are far more rigorous than HIPAA/HITECH

Responding

– Know which laws and regulations apply to your (and your customers’) business

– Maintain compliance, and documented third party verification, for legally required practice standards (HIPAA, PCI, GLB, etc.)

– Monitor emerging state data breach laws

• Notification to affected individuals

• Notice to state AGs (FL, MA, CA)

• Government consent decrees (FTC)

Organizational Design: Ensure executive compliance oversight has appropriate organizational stature and authority

Page 9

Big Data – Contractually Speaking

Trending…

– Hot Topic: Data security is one of (if not) the most hotly negotiated Terms and Conditions in data custodianship related contracts

– Expanding SLA Coverage: Customers are now demanding that contract SLAs cover:

• Any and all federal and state laws and industry standards will apply to SLAs (even those that don’t apply)

• Data custodian retains unlimited liability for data breach (no caps)

• Data custodian remains liable for ensuring subcontractors meet all customer data security SLAs

• Data custodian is responsible for breach notification

• Customers have audit rights

• Return/destruction of data (data ownership remains a gray area?)

Some Protective Steps

– Minimize the custom nature of provisions and align limitation of liability with insurance caps

– Fully understand the cost of augmenting existing, or implementing and maintaining new, security practices before contractual agreement (including the cost of ongoing audits)

– Use of standards is increasing, as customers tend to be more accepting of industry adopted management frameworks (ISO 27001:2, NIST, etc.), possibly reducing audit participation efforts

– Maintain compliance, and documented third party verification, for legally required practice standards (HIPAA, PCI, etc.)

– Blind Data/Feedback Licenses

– Separate the cost of breach (vendor) notification from actual notification (customer)

Page 10

Big Data – Contractually Speaking (Third Party Ecosystem)

Realities

– The Weak Link:

• Your data security program is as strong as your weakest subcontractor/provider

• Many niche service providers are not able to meet fundamental state of the practice information security standards

– Data Custodians Have Two Key Duties:

• Duty to Protect: Covers appropriate and reasonable measures to protect data against a breach

• Duty to Disclose: Notification of breaches to affected parties and regulators; material risks for public companies

Dealing

– Take a comprehensive, no-concession approach to vendor audits/assessments

– Consider sharing data only AFTER a vendor is fully compliant with security and practice requirements

– Make access to your clients dependent on keeping pace with the state of the practice

– Engage with 3rd party credentialing services such as 3PAS

Ensure your 3rd party service provider contracts are as comprehensive as the ones you establish with your clients

Page 11

Big Data – Data Retention

What is Going On Here

– Responding to Risk: Organizations are radically re-thinking their data retention policies (where they exist)

– Key Drivers (for revised data retention policies) include:

• Customer contract T’s & C’s

• Vendor record retention policies and procedures

• Litigation holds

• Laws (SEC, IRS, FTC, etc.)

• Industry standards

• 360 degree cost of retention

– Heterogeneity: Managing client-specific data retention plans can be highly costly to administer

Getting Out Ahead

– Establish a well vetted and documented data retention policy (a “default” scenario is rarely a good one)

– Standardize customer and 3rd party vendor contracts and maintain a centralized record for reference and compliance audits

– Implement secure data destruction mechanisms as part of the program

Data retention policies must balance the risks of having “it” with the rewards of leveraging “it”

Page 12

Big Data – eDiscovery

Growing Costs

– Possession: If you have “it” (whether or not you should have it), you may have to produce and preserve it

• Party Litigant (via eDiscovery Demand)

• Non-party witness

• Subject of government investigations

– No Place to Hide: Cost or burden of production rarely matters (no excuse), especially for party litigants

• Discovery/production-related costs can be massive

• Consider whether forensic experts will be required

• Sanctions/penalties for non-production/spoliation could be worse (i.e., contempt, monetary sanctions)

Some Steps to Take

– Deploy technology for supporting eDiscovery needs OR contract for these services

– Use data masking (data de-identification) along with an effective Data Retention program to reduce data scope for eDiscovery needs

– Ensure close interaction of legal, IT, accounting and other organizations for common understanding of record retention, destruction, and litigation hold policies and procedures

Continuously balance the benefit (actual or perceived) of retaining data against the costs and risks of protecting and managing it

Page 13

Big Data

90% of an Iceberg’s Danger is Below the Visible Surface

This guy would know

Edward J. Smith, Captain, RMS Titanic

Page 14

Big Data

90% of Big Data’s Danger is Below the Visible Surface

These folks would know

Page 15

Thank You

[email protected]