Data Categorizations: A Back to School Basic

Data categorizations should be on every company’s back-to-school supply list. A few years ago, we published a blog post about how the kids going back to school is a good time to take stock of your business’s cyber-readiness. After going through the harrowing task of back-to-school shopping and locating the very specific items that my children needed for each of their teachers, I always pause to remind myself that there should be (at the very least) a yearly evaluation of the cyber “supplies” an organization needs to be ready for a cyber attack.

Now, if I hear one more person say “it is a matter of when, not if” a company or organization will face a cyber attack, I will scream. As accurate as that statement is, organizations are still not taking cyber threats as seriously as they should. But instead of chastising, I think it is a better approach to go through the basic cyber supplies that organizations of every size should have on hand to enhance their readiness.

Every department within an organization needs to go through a data categorization or data mapping exercise. I call it an “exercise” because it can be difficult and time consuming, but it is well worth the effort. In fact, whenever we do a data categorization for a company, the employees go through the stages of workplace grief. First, denial: “I can’t believe we have to do this.” This stage is followed by the promise we make: “We will help you, it will be fine.” That quickly moves to anger: “I have too much work to do!” And finally acceptance: “Fine, I will do it.” However, we have yet to complete a data categorization that did not end in a “Wow, this was really helpful and informative.”

Doing a data categorization serves multiple purposes. For a start, it gets every member of your organization and team to consider the type of data they collect and why they are collecting it. It is imperative that we start to change the way we think about and approach data. Domestically, we love data. In fact, we generate over 2.5 quintillion bytes of data each day, and that figure only grows as the internet of things (IoT) industry grows.

The second purpose is to drive home that data and cybersecurity are NOT just an IT concern. Yes, an IT department does have more visibility than most departments into the data collection and processing practices. However, having only IT participate is not the best or most effective approach. If the data categorization is not performed by each department separately, the company may miss out on some significant benefits: the aforementioned appreciation for the type of data being collected, and the discovery of shadow IT.

What is shadow IT? It is the systems that are used in an organization without the knowledge of the IT department (yes, you should *shudder* at that thought). Shadow IT is a big problem in organizations because IT cannot protect and control what it does not know exists. In addition, if those systems are being used to store sensitive data (including a company’s intellectual property), they create an unprotected liability just sitting out there for any hacker to easily grab. Doing a data categorization at the department level will help to discover these applications or systems that are not supported by IT.

Another benefit of a data categorization is the knowledge it gives the company to make informed decisions about its information governance. The approach to data collection, retention, processing and storage is different for each organization. The constant in all of those activities is that data is a potential liability sitting in a system or application. If an organization is breached, each piece of data is another potential lawsuit or regulatory fine. So it behooves organizations to start to consider and implement the principle of data minimization, something already required if your organization needs to be GDPR compliant. The only way to know what data to keep versus what data should be destroyed is to go through and categorize that data. Understanding where you got it from, how you are storing it, who you are sharing it with, and why you need it: these are the first steps to true cyber-readiness.

A data categorization will also tell you where the proverbial bodies are buried. Data categorizations provide a roadmap of where you store all data, and particularly the sensitive data that could trigger a breach reporting obligation. Remember, under most domestic state laws an organization is only “breached” if personally identifiable information (PII) is taken or compromised. Knowing which systems, files, and databases hold PII can mean the difference between a blanket notification of all customers, a targeted notification, or (dare I say it) no notification at all. If a company can say that only one set of files was compromised, and it knows from its data categorization that those files do not contain PII, it has a good faith basis not to notify. It just makes sense.

Data categorizations should be updated at least once a year, if not more often. A good data categorization will form the backbone of the company’s breach response plan, cybersecurity policies and procedures. It will make an organization more cyber-aware and better situated to face any threat. And while data is being heralded as the “new oil,” that “oil” carries risks and liabilities that should be addressed throughout the data lifecycle. Because remember, in the world of cybersecurity, luck favors the prepared.

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.