ILINX DLP – Unintended Disclosure from Anywhere
If you are like most people, when you hear the words “data breach” you think of the prominent examples in the news involving millions of records compromised in a data intrusion. Those are typically the result of hacking, malware, or social engineering. Although serious, they have often exposed email addresses and passwords rather than directly usable sensitive data such as your full name and home address. Most of the Data Loss Prevention (DLP) tools you typically hear about focus on preventing these larger breaches.
However, did you know that “unintended disclosure” also accounts for a significant share of lost confidential or sensitive data (PII, PCI, PHI, etc.)? Unintended disclosure generally involves human error: data and document mishandling, accidental disclosure of information, basic theft, and similar causes.
Whatever the cause, the Ponemon Institute 2020 Cost of a Data Breach Report puts “the average total cost of a data breach” at USD 3.86 million. The costs to the individuals directly affected by identity theft and fraud run from hundreds to thousands of dollars per incident, with more than $1.9B in total losses reported in 2019 (Insurance Information Institute). The sectors most frequently involved in unintended disclosure incidents are government/public, education, financial services, health care, and non-profits. The ILINX Platform and DLP solution can help safeguard against the unintentional disclosure of “personally identifiable information” (PII) stored within enterprise content.
The US Department of Labor (DOL) defines PII as “Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.” The most commonly cited examples are full name, SSN, address, date of birth, credit card number, and driver’s license number. Data is also PII when it combines one of those values with indirect identifiers such as gender, race, ethnicity, and general geography. More broadly, the DOL treats as PII any unique identifying value, or combination of data points, that would allow someone to contact a specific individual physically or online. PCI and PHI refer to the analogous categories of payment card data and protected health information.
Preventing unintended disclosure was challenging even before COVID-19, when people primarily worked inside the company facility’s walls and controls. Even then, content was rarely shared outside the enterprise without a fair amount of policy, procedure, and thought. In today’s work-from-home environment, whether we like it or not, we are outside some of the office’s safeguards and inherently more at risk. Most of you are working, and reading this article, from somewhere in your home. It may be an office with a door, but at least some of the time it is just as likely a couch, a kitchen counter, or some other shared living space. Recent Stanford research shows that almost twice as many employees are currently working from home as at a workplace.
The problem of unintended disclosure gets even more complicated going forward into the inevitable “Work from Anywhere” (WFA) culture. In simple terms, WFA holds that it should not matter where employees work as long as they are productive, and that their well-being ultimately leads to greater profitability. The WFA movement was already brewing before 2020; the pandemic merely caused the pot to overflow. A 2020 Gartner survey of roughly 127 business leaders found that most plan to allow a hybrid workplace indefinitely: 82% plan to let employees work remotely at least some of the time, and 47% all of the time. COVID-19 is currently tying most of us to our homes, but that will change as restrictions loosen. For the foreseeable future, the WFA movement will continue to expand, allowing people to work full-time from just about anywhere. A café, park, gym, the hospital room or home of a sick family member, a friend’s house, a co-working suite, your child’s school or your own higher-education campus, an airplane, RV, vacation rental, hotel, a move to the country, or even a beach are now workspaces.
While working from home, we are probably still cautious about what data we email or share with others inside and outside our organization. But how much thought do you give to what is visible on your screen to the people around you, or to the people interacting with you remotely? Have you been in a web meeting and accidentally shared a screen or some content that you did not intend to share, or were not even aware was open? Who walks around while you work, and do you always lock your work device when you step away? We should not have to worry about extended family members, roommates, guests, or a child’s friend, but we still must cautiously reduce the opportunity. I love my family, but there is no reason for them to see your address, credit card number, or health information. Extend that to a WFA world outside the house and all bets are off: the person of concern could be anyone sitting near you, or simply walking by with a phone in hand taking a photo.
Like Luke Bryan, the country artist with the song “Most People Are Good,” I too believe in humanism and in seeing the best in people. However, for the same reason we lock our houses and cars, we still have a responsibility to be good stewards of other people’s sensitive data and to protect their livelihood from the few rotten eggs out there.
The ILINX Platform and DLP solution can help with this regardless of where your employees might be. It provides a breadth of functionality to identify and protect PII, PCI, PHI, or similar data within enterprise content, and to keep protecting it while the content is viewed. It can redact sensitive data automatically, or it can provide a user-assisted, guided review and redaction experience. Content moves through an intelligent workflow that can include multiple review and approval steps. Redactions can be applied as secure overlays or, where the underlying data must never be recoverable, permanently “burnt in” to the content. Defined redactions are displayed, and the data beneath them protected, by default whenever the content is viewed. For overlay redactions, users can apply additional permissions that restrict or allow specific user roles to see the underlying data; a burnt-in redaction, by contrast, cannot be lifted for anyone, so the choice between the two is a policy decision about who, if anyone, still needs the original.
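To make the identify-then-redact step above concrete, the following is an added example written for this page, not ILINX code. It models a minimal detector for three of the PII types listed earlier (SSN, payment card number, date of birth), validates each regex hit to cut false positives (a Luhn check for card numbers, Social Security Administration issuance rules for SSNs), and then shows the difference between a burnt-in redaction, which destroys the original characters, and an overlay redaction, which keeps the original and reveals it only to roles a policy allows. The sample document, the role policy, and the pattern table are constructed assumptions; real content would also need name and address detection, which pattern matching alone cannot do.

```python
"""PII detection and redaction demo (added example; not ILINX's implementation).

Assumptions: content is plain text; an "overlay" redaction is modelled as a
span plus a reveal policy, a "burnt-in" redaction rewrites the text itself.
"""
import re


def _luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _ssn_ok(ssn):
    """Reject SSNs the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    area, group, serial = ssn.split("-")
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


# kind -> (broad regex, validator applied to the matched text)
PATTERNS = {
    "SSN": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), _ssn_ok),
    "CARD": (re.compile(r"\b(?:\d[ -]?){13,18}\d\b"),
             lambda m: _luhn_ok(re.sub(r"[ -]", "", m))),
    "DOB": (re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
            lambda m: True),
}

# Constructed sample document: the card number is a well-known test number,
# the "order ref" fails Luhn, and 000-12-3456 is not an issuable SSN.
SAMPLE = (
    "Applicant: Jane Doe, DOB 03/14/1985, SSN 123-45-6789.\n"
    "Card on file 4111 1111 1111 1111; order ref 1234 5678 9012 3456.\n"
    "Placeholder SSN 000-12-3456 should not be flagged.\n"
)

# Hypothetical reveal policy: which roles may see through an overlay of each kind.
POLICY = {"SSN": {"hr"}, "DOB": {"hr"}, "CARD": {"finance"}}


def find_pii(text):
    """Return (kind, start, end, value) for every validated hit, in document order."""
    hits = []
    for kind, (rx, ok) in PATTERNS.items():
        for m in rx.finditer(text):
            if ok(m.group(0)):
                hits.append((kind, m.start(), m.end(), m.group(0)))
    return sorted(hits, key=lambda h: h[1])


def _render(text, hits, show):
    """Rebuild the text, replacing each hit unless show(kind) says to keep it."""
    out, pos = [], 0
    for kind, start, end, value in hits:
        out.append(text[pos:start])
        out.append(value if show(kind) else "[%s REDACTED]" % kind)
        pos = end
    out.append(text[pos:])
    return "".join(out)


def burn_in(text, hits):
    """Permanent redaction: the original characters are gone for every viewer."""
    return _render(text, hits, lambda kind: False)


def render_for_role(text, hits, policy, role):
    """Overlay redaction: the stored text is untouched; the viewer's role decides
    which overlays are lifted at display time."""
    return _render(text, hits, lambda kind: role in policy.get(kind, set()))


if __name__ == "__main__":
    found = find_pii(SAMPLE)
    print("detected:", [(k, v) for k, _, _, v in found])
    print("--- burnt in ---\n" + burn_in(SAMPLE, found))
    print("--- viewed as finance ---\n" + render_for_role(SAMPLE, found, POLICY, "finance"))
```

Note that the overlay variant only protects the data as long as the viewer goes through `render_for_role`; anyone who can read the stored text directly sees everything, which is why the permission model around overlays matters and why burn-in is the safer choice when content leaves the controlled viewer.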
In this episode of the ILINX Platform and DLP series, we covered the importance of protecting the content your employees are viewing. Stay tuned for the next episode, which will discuss handling requests for data to be sent outside your organization: content requests for eDiscovery and litigation, public records, audits, customer or vendor requests, and the like.