When dealing with a data breach, what key thing tends to get forgotten? In other words, what element or action is more critical than it may initially appear?
Often, the “key thing” that gets forgotten in a data breach is the individuals whose personal information has been compromised.
When a company discovers it has experienced a breach involving personal information — or more likely, learns of one of its vendors having experienced a breach — the company will be focused on legal liability, in particular from enforcement agencies. If the company is a processor of personal information for other companies, it will have additional concerns regarding contractual liability to its customers. Of course, the company should be concerned with enforcement actions and lawsuits, since these can significantly impact a company.
Companies should remember that real people are affected in a data breach, people whose lives could be upended, with their credit damaged and their identities at risk. Whether individual customers, employees, or the customers or employees of the company’s customers, they want — and deserve — to know what has happened, whether they’ve been harmed, and what the company is doing to remediate the damage.
Too often, companies fail to live up to their obligations to individuals, pre-breach, and then, post-breach, they fail to be timely and transparent to those affected. Lawmakers and enforcement agencies have taken notice. Arguably, by forgetting the individual, business finds itself facing increasing restrictions on its collection, use, and maintenance of personal information.
What were some learnings from managing privacy for DHS and how have those translated into private sector work?
Two aspects of my time at DHS have really helped me upon my return to the private sector. The first, unsurprisingly, is understanding better who the “customer” is. The primary customers of U.S. aerospace and defense technology companies are the defense, security, and intelligence agencies of the U.S. government. Having served at DHS and in the military, and having worked with other departments and agencies within the interagency, I understand the “customer” in a way that those without prior federal service might not.
The second aspect is in understanding who the key stakeholders are and then how to work with them. Handling privacy compliance within a global company isn’t too far off from working within a large agency, or the interagency. “What is the mission?” That question should always come first for all involved, but each stakeholder will have a different view of the mission.
An honest broker who understands all stakeholder points of view will be viewed as a trusted partner. Trusted partners are better able to support the mission, because they are brought into programs earlier and therefore can better provide privacy-compliant solutions that stakeholders will agree to and will implement.
What advice would you give peers in defense technology regarding special security considerations for a high-stakes client like the government?
Advice? I think I could learn just as much from my peers as they could from me.
A&D industry members support the very important national security missions of their customers. We must protect the information we hold — whether ours or our customers’ — not just from criminal hackers, but also from advanced persistent threats. Many of the tools the industry employs, often at the direction of their customers (screening of potential employees, network monitoring, and insider threat programs, for example), raise privacy issues and may not, on their face, be compliant with local country privacy laws.
I note that there are similarities between the A&D industry and the financial industry, when it comes to the need for special security considerations. Unfortunately, many non-U.S. jurisdictions’ laws do not recognize the need for additional security for the A&D industry, as they do for the financial industry, let alone mandating higher standards for A&D companies than for other commercial activities.
So what should a global A&D company do? A few things come to mind. First, understand local jurisdiction legal requirements, for both privacy and security. Second, work through the privacy issues on security measures. Privacy impact assessments are critical here. Third, know what the flows of data related to the security measures are.
With this information, the company can assess the risks for various approaches and determine whether they are within the company’s risk appetite. If necessary, engage local counsel that is aligned with the company’s risk posture to advise on compliance and risk mitigation strategies. It may be that the company takes additional privacy measures or reconfigures the IT infrastructure to better align with local privacy requirements, while still maintaining an adequate security posture.