Data Leak: Uncomfortable Truths

As long as information can be saved or copied, data will be leaked. Period.

This is increasingly a frequent reality, and one which will necessarily change the way information is governed and handled by businesses. This past weekend’s Panama Papers leak set a new precedent for the scale and global scope of data leaks, and the subsequent revelations are forcing both the general public and business world to face some uncomfortable truths.

The scope of the leak was the largest in history: 2.6 terabytes of data, over 11.5 million documents, 214,000 companies involved, and a timeline stretching all the way from the 1970s to 2016. The information shows a sprawling web of offshore corporations, the companies and individuals that use them, and the routing of billions of dollars around the globe. Regardless of your opinion of shell companies – they’re legal, and can be used for either naughty or nice – the Panama Papers will have an eventual impact on businesses.

So this isn’t a blog post about scandal, or wrongdoers, or even whether or not regulation should be changed. It’s about public expectations, and how those expectations might affect the ways businesses handle and document information. If you’re a large business with human customers, this affects you.

In short, the public expectation for information access and transparency has increased. It’s an inevitable byproduct of the digital era; in the last two decades or so, most individuals in the developed world have witnessed a radical explosion in the amount of information accessible to them in a matter of seconds. Instant inquiry is the new norm, so if someone has a question – any question – they can likely get some form of an answer pretty quickly. For better or worse, this means that there has been a broad cultural shift in expectations. Rather than information being perceived as a rarity, it is often perceived as a right. The public have come to gradually expect more transparency from organizations, leaders, governments, companies, and everyday people… even if the information they want is legally protected, not required to be disclosed, or even completely private.

The result for the enterprise is that customers generally now expect higher degrees of social responsibility and transparency than ever before. This doesn’t have to be a bad thing for business, necessarily. It’s actually an opportunity to improve data management practices, build defensibility, and even cultivate trust, – a key component of profitable, long-term customer relationships.

So what’s an organization to do? In the wake of a large data breach, many organizations would immediately try to galvanize their data security: attempting to prevent any undesired data loss. But this approach is flawed, and only represent a short passage of the full story.

Why? Data governance and security begins deep within the enterprise, and not just at the firewall. Most data leaks (albeit mainly the small ones) are largely unintentional. Employees need not be all treated as potential criminals; a true information governance and security effort must include ongoing employee training, proper access controls to content, compliance awareness, and opportunities for whistleblowers to report internally in the case that something truly illegal is going on. No reasonable person expects a company to volunteer confidential information such as trade secrets. However, what they may want to know is its justification: why it is classified as such. Building strong policies for content not only improves records management and legal defensibility, it provides reasoning for why specific categories of information are always treated a certain way.

As the information disclosed in the Panama Papers is just beginning to unfold, there are likely many more controversial revelations in the future. However, the initial flood of reporting makes several business pointers immediately clear:

• Due diligence is more important than ever in business. Know your business partners, know your customers. Relationships should be built on mutual trust and benefit, not just profit. Proper data management and record-keeping is critical on both sides of the relationship.
• Prepare for renewed interest in Foreign Corrupt Practices Act (FCPA) investigations. Although shell companies can be used legitimately, they can also be used to obscure the true origin of bribery. As FCPA investigations have steadily been increasing over the last couple of years, now is a better time than ever for multinational firms to examine their policies, practices, and training to help avoid illegal transfer of money.
• Trust has to be earned from customers for a long-term relationship. As any social media marketer can tell you, a glib remark can turn into a worldwide gaff overnight. But building trust involves more than just saying the right things; it means doing the right things as well. Data responsibility and open communication.
• Data lifecycle policies are more protective to organizations than ever. Consistent policy is better than perfect policy. And lifecycles aren’t just for “records” anymore: IoT content, wearables, and social media all complicate governance. All data within the organization should be subject to some sort of lifecycle management whether or not that data is earmarked for permanent retention or deletion after a week. The most important factors are (a) the reasoning behind the retention period, and (b) the ability to consistently execute it.

What’s overwhelmingly clear following the Panama Papers leak is that there are a lot of uncomfortable truths to face. Just because an action is legal doesn’t mean that it won’t face public criticism. Similarly, the line between personal privacy and business accountability is increasingly blurred, especially for high-ranking individuals. The time to think about business implications is now, and failure to do so may have lasting negative impacts in the indefinite future.

FRCP information governance Panama Papers security

Technology marketing strategist, obscure knowledge enthusiast, Duke fan, long-time dabbling musician. I have a background that is as diverse as my interests, including undergraduate focus on neuroscience and psychology, a master’s in management, plus a work/internship background in the biomedical research field and clinical trial software. Information governance matters to me because information matters to me. Knowledge that you can’t retrieve is knowledge that you don’t have. I like to focus on high-level trends and the steadily growing business value of unstructured content.