What Is A Data Map?

Inaugural webcast of Tomorrow’s Jobs Today: Wisdom and Career Advice From Thought Leaders in AI, Big Data, the Internet of Things, Privacy, and more.

Host Rafael Moscatel picks the brains of business leaders throughout the world who are pioneering emerging technologies and leadership concepts across a variety of industries in both the public and private sectors to better understand the future of work and the incredible tools being developed to perform that work. In today’s episode Priya Keshav of Meru Data discusses the question, “What Is A Data Map?”

Full transcript below:

Rafael Moscatel:

Priya, we’re going to talk a lot about data maps today, and you have a lot to show us there. But before you treat us to kind of the bells and whistles on your product, I do want to talk briefly about why you decided to start this business. You had an excellent position for one of the big four accounting firms, and you were doing some amazing work over there for them. So tell me: Why did you take this leap?

Priya Keshav:

Data is going to be one of the biggest risks for every enterprise in the next decade or so, and that’s broader than just cybersecurity risk. And most general counsels acknowledge this and are looking to build programs in-house to manage this proactively. I felt that most of the programs so far are consultant-driven, and there was a lack of products that supported these programs in a holistic manner. And I felt that there was a gap that perhaps we could address, so we founded Meru, and it’s been an excellent journey so far.

Rafael Moscatel:

So Priya, for some of our viewers that are very new to IT infrastructure and data maps, can you give us a basic definition of what a data map is?

Priya Keshav:

Yeah, it is a bird’s-eye view of all the data within the organization. For somebody who is trying to manage the risk around the data at a very high level, it provides all the details, in terms of the number of systems, where the data originated, how it flows. And you’re able to look at which systems are riskier, versus not. You’re able to understand the security controls that you have in place. So you can bring all of the information into one single place and take a look at it for various decision-making purposes, and that’s what the data map gives you.

Rafael Moscatel:

Now that you’ve told us exactly what a data map is, can you tell us a little bit more about why it’s important in today’s climate, with all of the privacy compliance exercises that companies need to undertake?

Priya Keshav:

The best way to explain this is with an elephant story that actually one of my mentors first told me. A bunch of blind men, who had never seen an elephant before, encountered an elephant. And they were experiencing this elephant in various ways, right? So somebody touched … One person touched the trunk. Somebody else was looking at the tail and obviously had a completely different description of what the elephant was. And somebody else was touching the body and had a very different description of the elephant. That’s true in most organizations. We are siloed.

We have a very good understanding of what we are doing with the data that we see and how we are using the data that we have, but it lacks perspective, and that’s what happens in most organizations. So you have perspectives. None of them are wrong, but the perspectives are limited, from a certain viewpoint. And that is where a data map helps: it is cross-functional. So it brings collaboration. It helps in establishing true trust in data because now you have a true understanding of what is going on with your data. And it’s not just for compliance, though obviously, it gives you better control over compliance efforts. But it gives you, also, better visibility into your data.

So you can’t secure what you don’t know. If your perspective is that the elephant is just the trunk, then you’re going to secure it based on that perspective. But if you understand that it’s a whole elephant, you have a completely different vision of how your security program would be. A data map, once it’s done right and is being used and adopted by an organization, can serve in so many ways that it can open up a lot of opportunities for your data within the organization.

Rafael Moscatel:

Priya, can you tell me a little bit more about how tools like yours classify sensitive data within the data map?

Priya Keshav:

Yes, of course. So this is our classification wheel, and as you know, the CCPA expects you to understand the various types of information that you store in various systems, like biometric data, profile information, or credit card information, or educational information. So from the data map, you’re able to classify them into various categories, and with a click of a button, you can get to the systems that are likely to have the particular data type that you’re looking at. So for example, I clicked on the IP address and it gave me the two systems where we store IP addresses. So it’s very functional, meeting the regulatory requirements.

Rafael Moscatel:

What about data flows? How do applications like that make sense of those? Because they can be so complicated and so involved.

Priya Keshav:

Yes, so it’s very important to understand how your data is flowing. So you have to understand the place of origin and all the places that it goes to be able to truly … Both from a data governance standpoint, as well as a privacy regulation standpoint. Because if you are looking at a request where you need to delete the data, you have to understand that. For example, we’re looking at an HR process right now. So let’s say somebody got a resume from LinkedIn and sent it to Greenhouse and used Greenhouse for recruiting and then eventually, that person was hired. And obviously, their data was moved into Workday. Maybe they send some expense reports in and Concur was used as an expense reporting system.

So in this case, what happens is that if that person comes back and says, “Please delete my data,” you have to be able to understand that that person was an employee. And the fact that you probably had information about the interviews. If it is not yet past that retention period, there was probably information about their resume and the various background checks that happened, as well as their employee information in Workday and every other benefit-type system or analytics system that it was passed on to from Workday. And the expense reporting system.

So the data flows help you understand all the systems that are impacted, as well as exactly what type of information is flowing. So for example, Workday, in this case, is sending, as you can see, a bunch of information on a daily basis, via API, to Concur. So being able to map this is a fundamental step to being able to meet the privacy regulations.

Rafael Moscatel:

In this new environment, so many companies are being forced to do so much more with less. And I’m wondering: How do platforms like this, the Meru platform, enable those organizations to do that?

Priya Keshav:

So yes, we’re trying to … Everybody’s shifted to a work-from-home environment, and obviously, that increases security risk. And there is also a need to accelerate some of the programs towards digital programs, because there’s a need for more technology and for more and more technologies to be online, as opposed to on-prem, because of the changes that we’re just going through.

But we’re also facing budget cuts and the need to do more with less, and one of the best ways to use a data map is to understand and prioritize. Because you understand where your data is, how it’s being used, and what’s the most important as well as the biggest risks that your organization is likely to face, using the data map enables you to make informed decisions, as opposed to making decisions based on intuition. So I think there are so many different ways in which we build … And that’s what differentiates us because we don’t look at this as a privacy tool that just solely does privacy-related work, which is important.

But most organizations, with limited budgets, are trying to comply with the privacy program. But they’re also trying to leverage what they have to reduce their overall risk with data, to improve their security program, as well as trying to look at how effective their analytics programs are. So there are so many use cases, and truly, that’s one of the things that I think we look at as fundamental to how a data map should work and how it should be a single tool that sort of brings everybody’s objectives together and helps them collaborate through the tool.
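The two questions the interview puts to a data map, “which systems hold this data category?” and “which systems does a deletion request have to reach?”, come down to an inventory of systems plus a directed graph of flows between them. The following Python is an added illustration written for this page; it is not Meru Data’s product or code, and the system names, categories and flows (LinkedIn, Greenhouse, Workday, Concur, a benefits vendor, a web portal and an analytics store) are a constructed inventory that follows the HR scenario above, not a real one. It also adds the consistency check a practitioner would want: a flow that claims to send a category the receiving system is not inventoried as storing is a sign that either the inventory or the flow diagram is wrong.

```python
"""Minimal data map: systems, the personal-data categories each holds, and the
flows between them. Constructed example for this page, not vendor code."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    source: str
    target: str
    categories: frozenset  # data categories carried by this transfer
    mechanism: str         # how the transfer happens, e.g. "API, daily"


class DataMap:
    def __init__(self):
        self.systems = {}   # system name -> set of categories it stores
        self.flows = []     # list of Flow

    def add_system(self, name, categories):
        self.systems[name] = set(categories)

    def add_flow(self, source, target, categories, mechanism):
        for name in (source, target):
            if name not in self.systems:
                raise KeyError(f"unknown system in flow: {name}")
        self.flows.append(Flow(source, target, frozenset(categories), mechanism))

    def systems_with(self, category):
        """Classification lookup: every system recorded as storing `category`."""
        return sorted(n for n, cats in self.systems.items() if category in cats)

    def inconsistencies(self):
        """Flows whose categories are not inventoried at the source or the target.
        Either the inventory is incomplete or the flow is mis-described."""
        problems = []
        for f in self.flows:
            missing_at_source = f.categories - self.systems[f.source]
            missing_at_target = f.categories - self.systems[f.target]
            if missing_at_source:
                problems.append((f.source, f.target, "source lacks", sorted(missing_at_source)))
            if missing_at_target:
                problems.append((f.source, f.target, "target not inventoried for", sorted(missing_at_target)))
        return problems

    def deletion_scope(self, origin):
        """Breadth-first walk along flows from the system where a person's data
        entered. Returns {system: categories that flowed into it}; the origin is
        listed with everything it stores. Cycles are safe: a system is queued once."""
        reached = {origin: set(self.systems[origin])}
        queue = deque([origin])
        while queue:
            current = queue.popleft()
            for f in self.flows:
                if f.source != current:
                    continue
                if f.target not in reached:
                    reached[f.target] = set()
                    queue.append(f.target)
                reached[f.target] |= f.categories
        return reached


def build_sample_map():
    """Constructed inventory following the HR scenario in the interview.
    Names and categories are illustrative assumptions, not a real inventory."""
    dm = DataMap()
    dm.add_system("LinkedIn", {"name", "email", "resume"})
    dm.add_system("Greenhouse", {"name", "email", "resume", "interview_notes", "background_check"})
    dm.add_system("Workday", {"name", "email", "resume", "ssn", "bank_account", "employee_id"})
    dm.add_system("Concur", {"name", "email", "employee_id", "bank_account", "expense_reports"})
    dm.add_system("BenefitsVendor", {"name", "ssn", "employee_id"})
    dm.add_system("WebPortal", {"ip_address", "email"})
    dm.add_system("Analytics", {"ip_address"})
    dm.add_flow("LinkedIn", "Greenhouse", {"name", "email", "resume"}, "manual upload")
    dm.add_flow("Greenhouse", "Workday", {"name", "email", "resume"}, "hire export")
    dm.add_flow("Workday", "Concur", {"name", "email", "employee_id", "bank_account"}, "API, daily")
    dm.add_flow("Workday", "BenefitsVendor", {"name", "ssn", "employee_id"}, "SFTP, weekly")
    dm.add_flow("WebPortal", "Analytics", {"ip_address"}, "event stream")
    # Deliberately inconsistent: Analytics is not inventoried as storing email.
    dm.add_flow("WebPortal", "Analytics", {"email"}, "event stream")
    return dm


if __name__ == "__main__":
    dm = build_sample_map()
    print("systems holding ip_address:", dm.systems_with("ip_address"))
    for system, cats in dm.deletion_scope("LinkedIn").items():
        print(f"deletion request for a LinkedIn applicant reaches {system}: {sorted(cats)}")
    for problem in dm.inconsistencies():
        print("inconsistency:", problem)
```

The deletion walk deliberately carries every category a downstream system sends, not only those that arrived from upstream: once a hire exists in Workday, Workday sends its own fields (employee ID, bank account) onward, and those are part of the same person’s deletion scope even though they never passed through the recruiting system.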

Simplify For Success

There is tremendous value to simplification. To quote Steve Jobs, “Simple can be harder than complex: You have to work hard to get your thinking clean to make it simple. But it is worth it in the end because once you get there, you can move mountains.” We wanted to explore how people and companies achieve simplification in this series of posts.

Data is complex, but our solutions for managing data need not be. Can simplifying what we are doing help us to do more with less?

Simplification is a key focus for many companies and everyone understands how eliminating unnecessary complexity can lead to more successful outcomes. But achieving simplicity is hard. So why is simple not easy and obvious?

First, lack of time to simplify. Your processes or products can get more complex over time as new aspects are introduced. Or your first iteration to achieve your objectives might not be the simplest version, but you are in a time crunch to get that first product or prototype out of the door. In either case, you realize there might be simpler ways to achieve what you are doing, but you just do not have the time to step back and possibly disrupt your current state while redesigning and rebuilding a simpler and more straightforward version. Again to quote Steve Jobs, “When you first start off trying to solve a problem, the first solutions you come up with are very complex, and most people stop there. But if you keep going, and live with the problem and peel more layers of the onion off, you can often times arrive at some very elegant and simple solutions.”

Second, a perception that simple might be inferior. Often detailed and sophisticated problems require complex solutions. A solution might feel basic or inadequate or not good enough. The thinking can be when the problem we are solving is obviously complex, shouldn’t the solution also be complex?

Finally, simplification efforts get held back by lack of clarity: clarity around exactly what needs to be done and clarity around what exactly is being done in each step of the process. Once that clarity is available, it is easier to eliminate processes or steps that are not adding value and to focus only on those that are doing what needs to be done. But this is easier said than done.

So what do you think is the best way to simplify? How does your company view simplification? Is the right approach to reconfigure processes, streamlining them and eliminating unnecessary or repeated parts? Or do you see better results when you start from an innovation-focused approach to simplification? Are new advances in technology or radical redesign the only way you can simplify?

If you would like to share your thoughts please let us know.

via Simplify For Success

FTC Slaps InfoTrax and its CEO with Severe Cybersecurity Order

Utah Company Settles FTC Allegations it Failed to Safeguard Consumer Data

As a result, a hacker gained access to personal information of a million consumers, agency says

via FTC Press Release

A Utah-based technology company has agreed to implement a comprehensive data security program to settle Federal Trade Commission allegations that the company failed to put in place reasonable security safeguards, which allowed a hacker to access the personal information of a million consumers.

InfoTrax Systems, L.C., provides back-end operation services to multi-level marketers. This includes such services as compensation, inventory, orders, accounting, training, and data security, as well as operating its clients’ website portals.

In its complaint, the FTC alleges that InfoTrax and its former CEO Mark Rawlins failed to use reasonable, low-cost, and readily available security protections to safeguard the personal information it maintained on behalf of its clients. This includes failing to:

  • inventory and delete personal information it no longer needed;
  • conduct code review of its software and testing of its network;
  • detect malicious file uploads;
  • adequately segment its network; and
  • implement cybersecurity safeguards to detect unusual activity on its network.

In addition, the FTC alleged that InfoTrax stored consumers’ personal information—such as Social Security numbers, payment card information, bank account information, and user names and passwords—in clear, readable text on its network.

“Service providers like InfoTrax don’t get a pass on protecting sensitive data they handle just because their clients are other businesses rather than individual consumers,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “As this case shows, it’s every company’s responsibility to protect customers’ personal information, especially sensitive data like Social Security numbers.”

As a result of the company’s security failures, a hacker infiltrated InfoTrax’s server, along with websites maintained by the company on behalf of clients, more than 20 times from May 2014 until March 2016. In March 2016, the intruder accessed about one million consumers’ sensitive personal information, according to the complaint.

InfoTrax did not detect these intrusions until March 2016, when it was alerted that its servers had reached maximum capacity. This alert was due to a data archive file created by the hacker who had infiltrated its network. InfoTrax’s security failures not only affected its network but also the websites of its clients, the FTC alleges.

The personal information that the intruder obtained can be used to commit identity theft and fraud. The FTC alleges that InfoTrax’s failure to provide reasonable security for personal data in its care violated the FTC’s prohibition against unfair practices.

As part of the proposed settlement with the FTC, InfoTrax and Rawlins are prohibited from collecting, selling, sharing, or storing personal information unless they implement an information security program that would address the security failures identified in the complaint. This includes assessing and documenting internal and external security risks; implementing safeguards to protect personal information from cybersecurity risks; and testing and monitoring the effectiveness of those safeguards.

In addition, the proposed settlement requires the company to obtain third-party assessments of its information security program every two years. Under the order, the assessor must specify the evidence that supports its conclusions and conduct independent sampling, employee interviews, and document review. Finally, the order grants the Commission the authority to approve the assessor for each two-year assessment period.

The Commission vote to issue the administrative complaint and to accept the proposed consent agreement with InfoTrax and Rawlins was 5-0. Commissioner Christine S. Wilson released a concurring statement.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $42,530.

Compliance & Privacy Partners provides smart and affordable privacy compliance, data governance and risk-management solutions designed to help organizations build privacy programs, assess, manage and remediate risks and demonstrate defensible compliance. We offer and support a variety of data privacy management platforms which include data subject fulfillment workflows, records and PI inventory management, vendor assessment and policy adherence tools, privacy impact assessments, file analysis projects and records retention enforcement.

Call us today at 323-413-7432, schedule a free consultation or visit us at www.capp-llc.com to learn more about our tailored privacy compliance solutions.

So, how much is this damn CCPA thing gonna #$@&%* cost me?!

The short answer? A lot, but not as much as you might have been told…

As I’ve traveled around California doing my “Blessings of the CCPA” presentation, I’ve been asked repeatedly about the “average” cost of a CCPA solution by CFOs, GCs and IT folks alike. It’s a loaded question, as there are many requirements in the law, from policy and website disclosures to consumer data request obligations. One size does not fit all, and your organization needs to spend time methodically planning its approach before setting aside budget and other resources.

While some unprepared organizations may need to beef up spending in the near-term, others may end up refining their programs over the coming years as they realize their initial investment wasn’t as strategic as it probably needs to be.

ILTA Blackberry and CAPP Presentation
At the San Diego ILTA Presentation of “Preparing for the California Consumer Privacy Act”

Decision makers, consider the following:

  • What’s our true risk exposure based on the personal data we already collect, sell, barter, manage, etc. on behalf of our business partners?
  • Can we do this all in-house or should we outsource some of it?
  • Do we have any existing talent and software that might help streamline some of the CCPA’s major workstreams like data mapping?
  • What kind of fundamental changes are we willing to make to our IT infrastructure?
  • Do we fully automate self-service requests through APIs, and is that even the right idea, long-term, given our risk, the evolving nature of IT and emerging legislation?
  • How can taking a principle-based approach to privacy, using concepts like data minimization, insulate us going forward?

Click here for a free CCPA Roadmap from Compliance and Privacy Partners.

Clearly, all of us subject to the law need to protect our business and expect some activity, whether it be through consumer requests or even the limited right of private action afforded by the CCPA. That doesn’t mean you turn your entire organization upside down and fork over hundreds of thousands of dollars in licensing ransom! Change management on this scale first requires proper risk analysis, roadmapping and getting stakeholders to buy-in and be accountable.

Then what’s my next step?

Before you embark on this journey to become a privacy-centric company, the real question you should be asking yourself is…

Are there consultants and affordable software solutions out there that will leverage our resources and best minds to help us implement a proportional strategy that protects us?

The answer to that last question is YES!

CAPP’s California Consumer Privacy Act Roadmap

Long-term solutions need to be fact-based and reasonable, recognizing the unique facets of your culture and business model. Big, complex and expensive isn’t always better.

It’s true there are some amazingly fancy privacy software products out there. But do you really want to spend a quarter to half-a-million dollars a year to fend off what might ultimately be a handful of consumer requests and opt-outs, when you can do the exact same thing with a far less expensive and better tool?

The bottom line…

There are so many vendors playing in the privacy space today and way too many folks are impulsively investing either too heavily or disproportionately in them just to “check the box.” Yes, of course you need to “check the box,” but running headfirst into this regulatory challenge could leave you with a budget nightmare and organizational headache you’ll soon regret.

The bottom line is your investment needs to be proportional to your risk profile and the complexity of your infrastructure and organization. Even then, you may not need a solution that costs you hundreds of thousands of dollars when you could be compliant and sleep comfortably for under $50,000 a year.


New Podcast: #GRC and Me – The Blessing of #CCPA

EPISODE SUMMARY:

Rafael Moscatel, managing director at CAPP, joins GRC & Me to discuss how his background in law and consulting ultimately led him to the world of GRC. He shares how one tweet led to a watershed moment in compliance and privacy, and tells his deeply personal connection to California adoption records. Rafael also explains how CCPA should be viewed as a blessing that helps better understand what’s “under the hood” of your company.

EPISODE NOTES:

Top 3 Quotes

  • “The more that you can show your customers that you’re being a good steward with their data, the more they’re likely to trust you. And from a reputational standpoint and a branding standpoint, that’s always one of the best benefits and one of the reasons that consumers will choose one product or service over the other.”
  • “And I think if you look carefully, the CCPA is quite a blessing. It helps reduce expenses and monetize the information life cycle because you have a better understanding of what’s under the hood in your company.”
  • “…you know there’s not one silver bullet when it comes to preparing data for an information governance strategy, IG is essentially a multidisciplinary type of approach.”

Show Highlights

[01:28] Rafael’s background in law and consulting
[02:35] Discussing Rafael’s company and beginnings
[04:36] The “Olympics of Privacy”
[05:59] A watershed moment in Compliance and Privacy
[08:05] Rafael’s personal connection to records in California
[09:05] The incredible moment Rafael received his birth records
[12:00] The “blessing” of CCPA
[14:11] Rafael’s personal opinion of CCPA
[16:19] Best practices for privacy and policy management
[19:30] Policy management systems
[21:04] How to read more about Rafael’s thoughts on these issues
[22:58] The Little Girl With The Big Voice
[24:03] Vendor Risk Management
[25:00] Being mindful of what’s outside your company walls as well as what’s within them

Resources: