Home : Strategy : News

Watch out for dangerous data

Unless businesses know where their data is, they are at risk

By Stephen Pritchard, 21 May 2010 at 10:54

This week, reports emerged that Google is being investigated in the US and Germany for its data collection policies.

Google is certainly not the only large business to find its data privacy arrangements under scrutiny. Facebook, for example, has come in for repeated criticism over its security and privacy settings, and the amount of information it collects on users.

But data privacy is just one, albeit very visible, challenge facing businesses that need to store information electronically (that will be most of them, then). Electronic data is a valuable asset, but also one that poses dangers.

This week, an industry group was launched to highlight another area where businesses need to tread warily: e-disclosure.

According to the group, businesses need to do more than simply ensure private data remains private. They also need to keep that data in a way that allows them to find information, if a court or regulator requires it.

E-disclosure is potentially a massive problem for businesses involved in legal probes, as a court – or the other side’s lawyers – can ask for any information that is held in electronic form. Court, and regulators such as the Financial Services Authority, take a dim view on companies that cannot produce their files in a timely manner.

The problem, according to Simon Price, European director of enterprise search company Recommind and one of the people steering the project, is that too many businesses lack an overall approach to information risk.

As well as e-disclosure, the group is looking at compliance, cloud computing, insider fraud, information barriers and confidentiality management, although the focus is less on conventional, perimeter security and more focused on how businesses organise their information internally, and whether that information is a potential risk to the organisation.

The real issue, Price says, is that businesses look at storing, classifying and retrieving data from a purely technical standpoint. If IT makes decisions on which information to store, or even how it is stored, without reference to the legal department, finance or compliance, a company can be storing up trouble for the future. Ideally, a business should have a company-wide policy on information management, especially for commercially or legally sensitive data, or for anything that affects customers’ privacy.

To support this, the group has brought together IT, compliance and legal experts, and has launched a website – Info Risk Awareness - to highlight some of the issues businesses face, and to provide advice. The plan is to run annual information risk awareness weeks, Price says, to keep the issue on the agenda.

As Recommind’s Price points out, organisations are gathering more and more information every year.

Putting in place policies to govern that data is always going to cost less than paying the lawyers to sort it out later.