During a long and diverse career in the data industry, I've seen the unpleasant after-effects on people and organizations when things go badly wrong with data. It is a horrible experience to be responsible for losing data, but even worse to be responsible for a data breach. The repercussions linger for years within the organization, and the people whose data is breached can suffer greatly too. Litigation is likely to drag on and on, even for those who have since left the organization, or the industry. Even when you are entirely innocent, there is nothing in IT so wearying and demoralizing as having to deal with this.
If you are in the data industry, you are at increasing risk of prosecution. Is this far-fetched? Not at all. If you are skeptical, just see how many healthcare organizations in the US have had to report data breaches in the past two years that have affected 500 or more people (it is 690). All these organizations are under investigation by the Office for Civil Rights. In the UK, in the past two years, 59 organizations have been fined, or suffered enforcement action, for the misuse of data.
Let's assume that you and your organization have put in place every conceivable device, procedure, and system to prevent data breaches, and you maintain it conscientiously. You've reduced the risk considerably, but it is still there. How can you minimize the possibility of prosecution if a breach happens? Basically, you must prove that you practiced good data governance at the time of the breach.
When you're faced by an investigation team, it is no use putting on your 'Mr. Sincerity' face and making vague statements whilst waving your hands. These people are hard-boiled souls and can't be hypnotized. They want documented facts. 'What facts?', I hear you ask. Take a look at the guidance issued by the US Department of Justice Criminal Division for federal prosecutors, which sets out how they decide whether a company that has failed to keep data secure should be prosecuted. Naturally, they look at three things: the quality of the design of the compliance program, how well it is being applied, resourced, and supported by the organization, and how well it works in practice.
These three checks are carried out by people who will want proof that all of this was in place at the time of the breach. They are looking for documented policies and procedures, for consultation processes, and for evidence that the organization identified and monitored areas of risk and implemented security measures. Were these generally understood, and were members of the organization given training?
This sensible document should concentrate the minds of even the most care-free data managers. In fact, it might provide them with twenty pages of terror. In an editorial, I can't spell out in detail how this translates into good advice for all of us with responsibility for data, but I heartily recommend it to every data professional, and particularly to anyone with responsibility for data governance.