Chief Compliance Officers (CCOs) are the risk and compliance gatekeepers at their companies. They are responsible for ensuring the appropriate policies, procedures and practices are in place, up to date and being followed to keep the company in good standing.
Organizations with a fairly mature compliance program likely have a whistleblower hotline up and running, documented policies and procedures in place and a way to accurately track attestations. You may even have a robust way to document and approve potential conflicts of interest. While these are all extremely important components of a compliance program, how confident do you feel that mistakes aren’t being made, that 100% of employees are following the policies and procedures they attested to and that sensitive customer and corporate data is safe?
We’ve all signed terms and conditions contracts without reading the fine print, and it’s fair to at least wonder if employees are doing the same with little regard to what your compliance policies actually say. Even when they do know the policy, it’s easy to find excuses to justify prohibited acts:
There are a million ways employees can knowingly or unknowingly violate company compliance policies, putting the company at risk of a compliance misstep or, worse, a data breach.
Compliance officers that are truly interested in meeting compliance standards need to move away from philosophical-only approaches to data protection and work with other organization departments to focus on more tangible security and compliance measures.
Here are some key questions CCOs should be asking to fully understand the company’s risk profile and in-place precautions. Many of these questions require CCOs to get buy-in from IT, operations and the board of directors. But taking a comprehensive, multi-departmental approach to compliance can help organizations move beyond policies and into real-world data protections.
Encrypting data is one of the most straightforward ways organizations can protect against data leaks. But even this practice isn’t as prevalent as it could be. A 2015 study by Sophos found that less than 50% of surveyed organizations encrypt sensitive data. Leaving data unencrypted is an easy way for it to be exposed to unauthorized parties through both hacking and accidental exposure.
One of the top causes of data breaches is lost and stolen devices – particularly as employees increasingly access work information from a range of devices and outside the office. If data is encrypted, it is less likely to lead to a breach, but ensuring data isn’t stored on the endpoint at all negates the worry altogether (as long as it’s stored in a secured datacenter instead).
While encryption can help, locking down high-risk end user functions can prevent unauthorized data transfers altogether. This is a larger conversation that needs to include IT and individual department heads to determine which functions specific employees need access to and which should be locked down. Key high-risk functions to discuss, particularly for employees handling sensitive customer or internal information, include:
Disabling unnecessary functions can prevent employees from maliciously stealing information and unwittingly exposing sensitive data. A great example of the latter is the Boeing employee who recently caused a data breach by emailing a spreadsheet containing protected information to his wife for formatting help. The employee didn’t mean any harm, but still caused a data leak that affected 36,000 records.
You likely already have an attestation policy for contractors and remote employees, but how are they being monitored to ensure the policy is being adhered to? What type of security measures does the IT team put in place for off-site workers and do those measures cover required compliance controls?
CCOs need to work extra closely with IT and operations to make sure data is protected when the company embraces contractors, work-at-home programs and a BYOD model.
It’s important to understand the compliance measures in place at any vendor or outsourcer that may have access to your company’s private data. When your data is involved, a breach at a vendor isn’t much different than a breach internally – your information is still out there.
When adhering to PCI compliance specifically, it’s important that any vendor or outsourcer that handles, transmits or stores payment card data – as well as any outsourcers they work with related to that data – signs a Business Associate Agreement (BAA).
Put business practices in place to ensure someone from the compliance team reviews or is involved in any new business partnerships to ensure compliance and data protection is appropriately addressed.
Some outsourcers and solution providers have compliance-focused services available or baked into their solutions. These can help you more easily address compliance by taking some of the heavy lifting off your shoulders. Ask department heads to keep compliance in mind when researching and vetting outsourcers and vendors, particularly when looking to solve for IT, data management or workforce management. Working with an organization that places heavy emphasis on data security and compliance makes your job easier and limits additional risk.
Fundamentally, the spirit behind compliance regulations is not to simply have requirements in place for requirements’ sake. It’s to protect data, consumers, companies and employees. It’s to make sure no one engages in unfair business practices or suffers a data breach that puts sensitive company or consumer information at risk. In this light, relying on policies and attestations isn’t enough. It’s a good start, but it doesn’t do much to protect data in the real world – this is clear from organizations that have suffered breaches after being deemed “compliant.” To truly protect data, CCOs need to move beyond their realm of checkboxes and put real measures in place to not only govern how data is handled, but actually control actions and approaches.
At the end of the day, you’re the compliance expert. IT, operations and other department heads aren’t as well versed in the requirements of compliance or even, in most cases, the devastating effects of a data breach. Compliance teams need to work closely with the rest of the organization to not only ensure policies and procedures are being followed, but to also make sure the company is engaging in proactive efforts to protect data.