The list of household names involved in significant data breaches is common knowledge: Target, Sony, JPMorgan Chase, Home Depot, Michaels, P.F. Chang’s, Anthem, U.S. Office of Personnel Management, and more. Along with the immediate financial impact, an organization’s brand reputation is at growing risk from the effects of cyberattacks, complex global value chains, aggressive marketing practices, and other evolving vulnerabilities.
According to Ponemon Institute, the costs of lost business resulting from a data breach have increased from a total average of US$1.33 million in 2014 to US$1.57 million in 2015. One grand challenge in the digital era is maximizing the potential of the copious data collected while effectively protecting it to preserve and strengthen the organization’s brand reputation.
Until recently, brand management resided squarely in the marketing realm. However, the era of data has given rise to an unprecedented link between IT and brand. Now, the CIO has an opportunity—if not the outright responsibility—to help drive a digitized business strategy that embraces responsible data stewardship to safeguard brand reputation.
As a tidal wave of automation overtakes data collection and usage, the “creep factor” is intensifying around everything we do being tracked. Last October, Chapman University published findings from its second annual survey of American fears. Respondents were asked about their fear level concerning 88 different factors, which ranged from crime and disasters to their personal futures. The survey found that 5 of the top 10 things people fear are related to misuse of their data: cyber-terrorism, corporate tracking of personal information, government tracking of personal information, identity theft, and credit card fraud.
That fear is deeply rooted in a lost sense of control over one’s own information. Brands that stoke this fear will face consequences. As both the literal and figurative head of information, the CIO can take concrete steps to improve data management while also championing a responsible, organization-wide approach to data stewardship. The following measures help protect your company and the brand behind it.
Get a Handle on Your Organization’s Current Data
Start by gathering a comprehensive inventory of what you have and where it comes from. Assess who has access to data and how it gets shared. Who owns or manages which data sets? Look into current archiving and destruction practices. Given the proliferation of shadow IT, it is critical to pull this information out of the business units, which often don’t give these considerations any thought.
Assess Enterprise Programs in the Works
Do Everything Possible to Protect the Data You Have
Organizations thought to have taken inadequate security measures become the target of lawsuits. For example, Anthem is facing multiple suits after revealing a massive breach in February 2015. New malware strains proliferate every minute, so even the best intrusion protection software cannot guarantee complete safety. Meanwhile, hacking and insider threats are increasing, and the Ponemon Institute study reports that 47 percent of breaches were caused by malicious or criminal attacks. By considering what you can do now to protect your data proactively, you will serve your brand well and help reduce your organization’s exposure during legal actions or the rare FTC investigation.
Employee negligence is another source of risk to data. People may carelessly handle physical documents, inadequately secure file cabinets, or fail to destroy artifacts that are no longer needed. They may leave unsecured computers accessible or make simple mistakes like losing a laptop. Building a culture of mindfulness about practices that may seem innocuous can go a long way toward keeping data secure.
Attend to Your Partners
You must also protect your data when it is controlled by others in your value chain. Admittedly, shadow IT makes that challenging. “Shadow IT investments often exceed 30 percent of total IT spend,” says Matt Cain, research vice president at Gartner. Moreover, Ponemon Institute reports that third-party involvement is a factor that increases the per-capita cost of a data breach for 36 percent of surveyed companies. This is where influence-building and collaboration with peer-level executives need to be applied.
The data owner typically has bottom-line responsibility (that is, the one who could be sued in a breach). So it behooves your organization to integrate strict data management terms into contracts with those who collect or process data on your behalf. Floating those terms before contract execution will quickly weed out those unwilling to play nice. IT must then engage in vendor reviews and audits. Your team will be the first ones to recognize and understand when data is not being managed correctly.
The Internet of Things is spurring exponential data growth, which exacerbates issues associated with securing data at the points of collection, transfer, and curation—as well as the implications for analytics that come from it. While contractual data protections should be obligatory with third parties, prudence dictates you avoid sharing with those who perpetrate the creep factor, especially when the data path can be traced back to your organization.
Carefully Consider What You Are Enabling Through Sophisticated Analytics
Big data enables truly unprecedented and often beneficial insights. But just because you can doesn’t always mean you should. Manipulation and deception in business and marketing practices are just plain unethical, and customers don’t like feeling duped. Consumers have real concerns about revealing too much of their identity and their location. In some cases, facial recognition or improper sharing of data could further discrimination or bias—as could anything having to do with highly sensitive health, medical, or financial information.
As a senior leader, you can help your organization maintain a group conscience and draw appropriate boundaries. Take a recent security and privacy conference, for example, where the CPO of a very large data processing firm shared an anecdote about the reach of advanced data analytics. Her company’s data analytics are so comprehensive, they can identify by name a large percentage of the U.S. male population who are likely to have a certain health condition that most would not want revealed. The CPO had to call foul and was able to stop the general availability of these lists for purchase. Sometimes, IT and data analysts need to think twice—if not three times.
Set the Organizational Tone
The CIO, as a respected senior-level authority who also understands the organization’s data gestalt, can be a leading advocate for a strong culture that respects security and privacy. Champion an empathetic organizational character, within IT and across the greater organization—one that internalizes and adopts customer-centric security and privacy practices. This can be reflected in the policies you adopt, the way customer data is collected and handled, and the attitude and values that are expressed and embodied from leadership through the ranks.
Training and frequent reminders are critical. Help your team remember that behind every purchase, tweet, post, click, and share is a human being, with all that entails. Anyone who has something or someone to protect can appreciate that.
Further, consider incenting or requiring those who work with others’ personally identifiable information—whether it belongs to customers, employees, partners, students, or anyone else—to get certifications. This can help people more deeply grasp the implications of what they’re working with.
Make Friends with the Legal and Compliance Departments
Considering the many laws and regulations that govern data handling and privacy, it’s imperative for IT to maintain a collaborative and engaged relationship with legal and compliance. The environment is changing all the time and can vary greatly by country and region.
If your organization does business in Europe, the new General Data Protection Regulation (ratification pending) is a game-changer. Also, late last year the European Union (EU) Court of Justice invalidated the U.S.-EU Safe Harbor Framework for data protection. The ramifications of that decision have yet to play out, with changing implications for cloud providers and data processors about the handling of EU citizens’ data.
Bottom line for brand reputation: What counts is customer perception and experience, not legalities. A thoughtful approach best serves and protects your business and your brand, particularly through changes in customer sentiment and the regulatory environment. Apply due diligence to what you collect, how you collect and use it, how long you keep what you collect, whom you share it with, and what they do with it.
CIOs: Empowering the Customer
There’s a great temptation to use data to push boundaries further than ever before. While technology is accelerating what’s possible, the desires of today’s consumer come back to fundamental and timeless human needs that will outlast every wave of technology: security, respect, dignity, control, and freedom. The brands consumers choose for a long-term relationship will be the ones that understand those human desires. When an organization empowers a customer to have choice and control in the data relationship, stronger loyalty and sound brand reputation will be the reward. In an era where digitization is business, now is the time for CIOs to lead.
1, 3, 5. Ponemon Institute. “2015 Cost of Data Breach Study: Global Analysis.” May 2015.
2. Chapman University. “Chapman University Survey of American Fears.” October 2015.
4. Gartner press release. “Gartner Says Every Employee Is a Digital Employee.” August 20, 2015.