This week, HSBC Holdings PLC reported that a former employee stole data on about 24,000 accounts in its Swiss private bank that wound up in the hands of French authorities. This is the latest case to highlight the complications that arise when stolen bank information ends up in the custody of governments eager to chase tax cheats. The HSBC situation involves a former IT employee who is alleged to have stolen the data in 2006 and 2007 and then attempted to sell it to several governments.
While most of the recent cases we hear about involve banks or financial services, this can occur in any industry. For example, the BBC just reported that the medical records of 2,000 patients were lost at Haywood Hospital. The records belong to 2,000 patients who had physiotherapy at Haywood Hospital in 2006 and have since been discharged; the hospital says the records may have been destroyed in error, under what it calls "confidential conditions".
This is just one of the reasons why information governance is a top priority at most organizations worldwide. An information governance program allows companies to implement the correct security controls, data privacy rules, proper encryption methodologies and audit facilities.
Security controls – Who needs access to what? What should the user be allowed to do once they have access to the information (e.g. download or print)? How is the security being enforced across all the information silos?
Data privacy rules – The legal protection of the right to privacy in general, and of data privacy in particular, varies greatly around the world. Who in your organization is monitoring these laws? How are these laws being implemented and enforced in your records management and electronic content management systems? Does any information in the document (such as a social security number) need to be redacted?
Encryption methodologies – There are dozens of different encryption methods and programs available. I am not an expert on encryption, but I do know that some are good and some are not. What’s important is that when information gets archived, your organization uses the proper encryption tool, so that if the data does leak out, it is unreadable without the keys. We all remember the Bank of America incident a few years back.
Audit facilities – Most applications create an audit trail. Often, these audit trails do not get analyzed or shared with the compliance team or auditors. Companies must keep track of who, what, when, where, and how. Who accessed what? When did they access it? Where did they access it from? How did they access it (internal application versus CRM system)?
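The audit questions above only help if someone actually reads the trail. As an added example (not from the post), the script below parses constructed audit lines carrying the who/what/when/where/how fields and flags the pattern an insider bulk extraction leaves behind: one account touching many distinct records in a short window, and exports happening outside business hours. The log format, user names, thresholds and hours are assumptions.

```python
"""Review an application audit trail for bulk record access and off-hours exports."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: when|who|what|record_id|where(source IP)|how(channel)
SAMPLE_AUDIT = """\
2006-11-03T09:02:11|jsmith|VIEW|acct-1001|10.1.4.22|internal_app
2006-11-03T09:05:40|jsmith|VIEW|acct-1002|10.1.4.22|internal_app
2006-11-03T22:10:05|itadmin|EXPORT|acct-2001|10.9.0.7|db_console
2006-11-03T22:10:06|itadmin|EXPORT|acct-2002|10.9.0.7|db_console
2006-11-03T22:10:07|itadmin|EXPORT|acct-2003|10.9.0.7|db_console
2006-11-03T22:10:08|itadmin|EXPORT|acct-2004|10.9.0.7|db_console
2006-11-03T22:10:09|itadmin|EXPORT|acct-2005|10.9.0.7|db_console
2006-11-04T08:30:00|jsmith|PRINT|acct-1003|10.1.4.22|internal_app
"""

def parse_audit_line(line):
    """Split one pipe-delimited audit line into the who/what/when/where/how fields."""
    when, who, what, record, where, how = line.strip().split("|")
    return {"when": datetime.fromisoformat(when), "who": who, "what": what,
            "record": record, "where": where, "how": how}

def find_bulk_access(lines, window=timedelta(minutes=10), threshold=5):
    """Return {user: max distinct records} for users touching at least `threshold`
    distinct records inside any sliding time window of length `window`."""
    by_user = defaultdict(list)
    for entry in (parse_audit_line(l) for l in lines if l.strip()):
        by_user[entry["who"]].append(entry)
    flagged = {}
    for user, entries in by_user.items():
        entries.sort(key=lambda e: e["when"])
        start = 0
        for end in range(len(entries)):
            while entries[end]["when"] - entries[start]["when"] > window:
                start += 1  # slide the window forward until it spans <= `window`
            distinct = {e["record"] for e in entries[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged

def find_offhours_exports(lines, start_hour=8, end_hour=18):
    """Return the set of users who ran an EXPORT outside [start_hour, end_hour)."""
    hits = set()
    for entry in (parse_audit_line(l) for l in lines if l.strip()):
        if entry["what"] == "EXPORT" and not start_hour <= entry["when"].hour < end_hour:
            hits.add(entry["who"])
    return hits

if __name__ == "__main__":
    lines = SAMPLE_AUDIT.splitlines()
    print(find_bulk_access(lines))       # {'itadmin': 5}
    print(find_offhours_exports(lines))  # {'itadmin'}
```

The `where` and `how` fields are parsed but not used in the two checks; in practice they feed the same review (an export from a database console rather than the business application is its own signal).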
Bottom line: information within the organization must be treated as an asset, but also as a liability. So the next time you open a bank account and provide a significant amount of personal data to a total stranger, just hope they have a well-defined information governance program in place.