
Can Internal Audit and Compliance Ever Tame Data Technology

Jose Tabuena | October 15, 2014

An understood maxim is that the regulatory environment nearly always lags the lightning-fast adoption of new technologies. The corollary of this maxim is that unintended consequences follow rapid adoption.

As a result of these two truisms, there is often scant guidance on how an organization should address novel compliance issues that arise. Just recently, for example, the U.S. Food and Drug Administration unveiled long-awaited guidelines for network security of medical devices, recommending that manufacturers consider cyber-security risks as they develop their products.

The paradox of emerging data technologies is that they give you control and have the potential to create chaos at the same time. There is so much more readily available company (and personal) data that can be used ethically, used unethically, bought, sold, stolen, lost, and leaked. In certain fields, like healthcare, there is the impetus toward the interoperability and sharing of electronic information with the commensurate concern with ensuring data security when doing so. Audit and compliance professionals need to stay abreast of new technology developments and understand the implications of all interactions with company data on regulatory compliance, reporting, investigations, and other areas.

Data, Data Everywhere

For an audit or investigation, various types of sensitive company data must be identified. And the problem of data overload is only being compounded by a development known as the “Internet of Things.” The term refers to a complex world of intelligent, interconnected devices used by businesses to communicate, track, and share information. These connected devices can speed a guest reservation at a hotel, link a hospital heart monitor to a patient’s history, and find products in a warehouse or even automatically repurchase them if they have been shipped. But these systems are also intrusion points for cyber-attacks.

The Internet of Things refers to an infrastructure in which billions of sensors embedded in common, everyday devices are designed to record, process, store, and transfer data. Examples of advances raising privacy issues related to the Internet of Things include:

  • Wearable computers (such as watches and glasses);
  • Quantified-self devices which record information about the individual’s own habits and lifestyles (such as sleep trackers); and
  • Home automation such as connected smoke alarms, thermostats, alarms, or washing machines.

The consequential data protection challenges involve the lack of control over the dissemination and flow of the data, and low quality or invalid consents from users of the devices. Similar to challenges presented by Big Data, there is the potential to infer other information with a different meaning from the data itself, and then use that data for secondary purposes. This can result in the detection of behavior patterns and profiling through intrusive surveillance. The resulting data collection and processing is an area ripe for privacy impact assessments and audit of data security safeguards.

Sweeping Those Cookie Crumbs

Especially for global organizations doing business in the European Union there is the challenge of reconciling markedly different approaches to privacy compliance. One area seeing increased enforcement is compliance with the EU cookie directive, which requires companies to provide clear and comprehensive information to users about the use of cookies. Tracking cookies, placed on a user’s computer or device, are used to compile long-term records of individuals’ browsing histories—a privacy concern that has prompted regulators to take action.

The French data protection authority has embarked on EU-wide “Cookie Sweeps,” which are essentially audits to determine compliance with cookie laws across the European Union. With renewed concerns about online surveillance in a post-Snowden environment, new cookie requirements and more enforcement is likely. Organizations should consider conducting an audit of all the cookie and similar tracking technologies deployed across online properties.
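One way to start the cookie audit recommended above is to inventory every Set-Cookie header your crawler collects and flag the persistent and third-party ones for the consent review. The script below is an added example, not the article's or any vendor's code; the response headers, the first-party domain example-corp.com and the 30-day threshold are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample: crawled URLs and the Set-Cookie headers each returned.
SAMPLE_RESPONSES = [
    ("https://www.example-corp.com/",
     ["session=abc123; Path=/; Secure; HttpOnly",
      "uid=9f2c; Domain=.example-corp.com; Max-Age=63072000; Path=/"]),
    ("https://shop.example-corp.com/cart",
     ["_trk=44d1; Domain=.ads-tracker.example; Max-Age=31536000; Path=/",
      "lang=en; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/"]),
]

def _lifetime_days(attrs, now):
    """Persistent lifetime in days from Max-Age (takes precedence) or Expires;
    None means a session cookie that ends with the browser session."""
    if attrs.get("max-age", "").lstrip("-").isdigit():
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
            exp = exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)
            return (exp - now).total_seconds() / 86400
        except (TypeError, ValueError):
            return None
    return None

def audit_cookies(responses, first_party, max_days=30, now=None):
    """Inventory every cookie and flag those that persist longer than max_days
    or are scoped to a domain outside the organisation's own first_party domain.
    Returns one dict per cookie so the list can be exported to an audit workpaper."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for url, headers in responses:
        host = urlparse(url).hostname or ""
        for header in headers:
            parts = [p.strip() for p in header.split(";")]
            name = parts[0].split("=", 1)[0]
            attrs = {k.strip().lower(): v.strip()
                     for k, _, v in (p.partition("=") for p in parts[1:])}
            domain = attrs.get("domain", host).lstrip(".")
            third = domain != first_party and not domain.endswith("." + first_party)
            days = _lifetime_days(attrs, now)
            findings.append({"url": url, "name": name, "domain": domain,
                             "lifetime_days": days, "third_party": third,
                             "flagged": third or (days is not None and days > max_days)})
    return findings
```

Flagged entries are the candidates that need a disclosed purpose and a valid consent mechanism; an already-expired Expires value yields a negative lifetime and is not treated as persistent.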

From BYOD to BYOA and BYOC

The concept of Bring Your Own Device (BYOD) now seems so passé with most commentators pointing to its inevitable expansion as a cost savings model. BYOD is essentially the use of personal mobile devices, such as smartphones or tablets, for work-related purposes. As the use of such devices increases, so too does the number of individual perimeters and potential attack vectors that need protection.

Organizations have been learning how to manage devices that they cannot directly control. If you think managing BYOD is complicated now, wait until employees start wearing computerized devices. There is no one-size-fits-all solution for BYOD, so privacy specialists and IT auditors should be involved in determining what position the organization should take on acceptable use and on implementing a mobile device management approach, including sound and clear statements of policy, that is appropriate for the organization.

A significant difficulty is asserting and managing control over multiple operating systems, varying levels of configuration, device security, and ultimately control over transmissions outside the firewall. Unfortunately, employees are known to operate under a “Shadow IT” out of a desire to modernize when IT departments do not move quickly enough to meet their needs. Employees feel they need to work around a security measure or protocol to be able to do their work efficiently. But while Shadow IT can lead to innovation, it has a dark side: the threat of non-compliance with regulations and a loss of data security.

The control challenge is exacerbated because individuals are accustomed to installing whichever apps they wish and using the cloud backup service they prefer. These activities have evolved into BYOA (Bring Your Own Apps) and BYOC (Bring Your Own Cloud). While IT teams can lock down company-issued devices with administrative privileges, these other environments are relatively open, with new, unknown, and hence untrusted apps being installed. BYOA and BYOC further expand the potential that company data can end up being stored outside the organization’s firewall.

As a result, an organization's data management practices may no longer be in full compliance with applicable regulations, especially for health providers and financial service firms who must comply with security and privacy regimes designed to protect sensitive data. Moreover, there is the human resource challenge of the presumption of ownership of an employee device, which can lead to conflicts when files must be pulled from the device in the litigation discovery context or when the device has been lost and company policy requires a remote wiping of all data.

Internal auditors and privacy specialists should explore developing or utilizing app monitoring applications. There are also technologies to consider that automatically remove sensitive information, such as credit card and social security numbers, from e-mails and attachments before they are downloaded to a device.

Disappearing Digital Ink

Mark Cuban, the highly visible owner of the National Basketball Association’s Dallas Mavericks, made a splash recently with Cyber Dust, an app that allows users to send text messages that “self-destruct” within 30 seconds, akin to Snapchat photos. As Cuban notes, e-mails and texts create a digital record that can be stored in multiple places and is virtually impossible to eradicate. In a Forbes article, he explained that the idea for Cyber Dust came from his experience with the Securities and Exchange Commission using his text messages during its insider-trading action against him.

Of note is the U.S. Supreme Court’s observation that remote wiping is not an effective way to protect data on phones. Justice John Roberts (not known for his IT acumen) explained in the case ruling against unwarranted searches of mobile devices that someone can easily prevent a remote wipe just by turning a device off or putting it in a Faraday bag, which prevents the device from receiving radio signals, thus leaving the data vulnerable. There are products like ZixOne, where a user’s e-mail is never downloaded onto a mobile device but rather viewed for a short period through a special window. After the allotted time, the data cannot be retrieved until the user logs back in; thus there is no need to wipe, as the data is never on the device.

Similar technology has been developed that allows the sender of an e-mail to set it to expire after a certain amount of time. A new product, Yalgaar, provides a real-time messaging framework for both texts and e-mails which can be hosted on any cloud infrastructure. Yalgaar technology similarly allows users to send e-mails or texts that expire (burn after reading), including from servers. Messages can even be prevented from being printed and forwarded.

An application with such features offers the potential to avoid unwanted disclosure and minimize the danger of a lurking smoking gun. Privacy and IT experts would be needed to help determine if and when it is appropriate to schedule expiration dates and retention schedules for communications containing sensitive information. The habitual sending of automatically deleted messages may be unwarranted if it disrupts the flow of business and limits the shared knowledge that derives from the documentation of transactions and business processes.

With the proliferation of data that is difficult to completely erase, it should not be surprising that individuals are concerned with protecting their privacy. Technology enhances the inherent tension between two distinct social values—privacy and free speech. The situations are quite different in the United States and Europe. This year, Spain’s data protection authority raised a case in the European Court of Justice that established a digital “right to be forgotten” and forced tech behemoth Google to tackle one of the thorniest problems of the Internet age: setting the boundary between privacy and freedom of speech. The consequences of the court’s decision are just beginning to be understood.

In a similar vein, Apple is taking what may appear as an important step in privacy protections (good timing given recent negative PR from the iCloud hack of celebrity photos). Apple says its new encryption no longer allows it to bypass a customer's passcode to access data that includes text messages, e-mails, and photographs. However, just as the celebrity photo hacker gained entry to sensitive photos through iCloud, government officials and others are likely able to emulate such access. All mobile (and now wearable) device users should check to see if their devices are automatically backing up information to a cloud-based server.

New data technologies hold the promise to achieve major improvements in many aspects of business, yet they also present many risks to the security and confidentiality of critical data. Audit and compliance professionals need to stay on top of these developments to continually attain an understanding of the current data security risks that are becoming more difficult to anticipate.