Locking the Chain of Custody

The key to information security and privacy compliance.

By Joseph DeSalvo

For U.S. companies, information privacy compliance is fast becoming a significant business priority, and not just because data is more decentralized, distributed and mobile than ever before. The meteoric rise of identity theft, coupled with highly publicized security breach incidents, has spawned public outrage and customer demand for swift and corrective actions. Lawmakers at both the state and federal levels are responding with a growing number of laws that govern the collection, use and disposal of confidential records. As a result, companies find themselves trying to reassure legislators and customers alike that this information, whether in paper or electronic record form, is protected for safety—and destroyed, if necessary, before it can be compromised.

As Chief Security Officer of Iron Mountain, a provider of information protection and storage services, I've fielded many questions about privacy and security threats, including the following.

Why should CIOs place information security and privacy compliance high on their list of priorities?
Maintaining information privacy compliance has emerged as a principal boardroom issue. Compromised data can damage your brand, dilute your stock price, infuriate your customers and place you on the wrong side of regulations governing the protection of sensitive information. CIOs cannot be reactive to security and privacy needs. In a world of mobile employees, distributed data and “anywhere access,” there are greater opportunities for information to slip out of your control. Companies now find themselves navigating complex and unforgiving terrain in the pursuit of rapid compliance.

How do companies begin to address this risk?
You can’t predict all possible breaches, but you can begin with an honest assessment of your current privacy practices, especially as they relate to your specific business or industry. Once you spot the gaps in your privacy practices, you can create an action plan to fix them. Your privacy protection program must be legally credible. In the event of a privacy lawsuit, the court will ask you to provide written proof of your policies, practices, procedures and controls. So after you identify information by type and use, you must set and document your policies, train your employees in those policies, and finally, enforce compliance.
The end goal is to have precise control over the chain of custody at all times. By chain of custody, I mean “who is allowed to access the data, who has actually accessed it, and when.” You can begin by examining the data life cycle to spot the points at which information is potentially compromised. Once you know where your chain of custody is weak, you can develop policies to strengthen it. The key is to apply those policies consistently to all users, under all circumstances.

Where is the chain of custody most often broken?
With a mobile workforce that’s as likely to be working in a coffee shop as a remote office, the greatest risk lies in inadequate access control. You absolutely must be sure the data on mobile devices is out of reach of unauthorized users. It’s critical to encrypt and password-protect the data on these devices, or at least the critical files they contain. The best security solution for mobile devices adds yet another layer of protection. This type of solution monitors suspicious activities, such as repeated incorrect passwords or a failure to contact the corporate network in a specified timeframe. Once these activities are detected, the solution then disables the device and erases its hard drive.
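
The monitoring policy described above (repeated incorrect passwords, or no contact with the corporate network within a set window, leading to disable and erase), sketched as an added example that is not from the article or from any Iron Mountain product. The thresholds, event names and the `evaluate` function are assumptions made for illustration, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values; the article gives no numbers.
MAX_FAILED_UNLOCKS = 5
MAX_OFFLINE = timedelta(hours=72)
WIPE = "disable_and_wipe"

@dataclass
class Event:
    when: datetime
    kind: str  # "unlock_failed", "unlock_ok" or "checkin" (hypothetical names)

def evaluate(events, enrolled_at, now):
    """Return (action, reason, trigger_time) for one device's event history."""
    failures = 0
    last_checkin = enrolled_at
    for ev in sorted(events, key=lambda e: e.when):
        # The offline deadline can expire between two events, so test it first.
        if ev.when - last_checkin > MAX_OFFLINE:
            return (WIPE, "missed_checkin", last_checkin + MAX_OFFLINE)
        if ev.kind == "checkin":
            last_checkin = ev.when
        elif ev.kind == "unlock_ok":
            failures = 0  # a legitimate user who mistyped is not penalised
        elif ev.kind == "unlock_failed":
            failures += 1
            if failures >= MAX_FAILED_UNLOCKS:
                return (WIPE, "repeated_bad_passwords", ev.when)
    # No further events: the device may simply have gone silent.
    if now - last_checkin > MAX_OFFLINE:
        return (WIPE, "missed_checkin", last_checkin + MAX_OFFLINE)
    return ("ok", None, None)

# Constructed sample histories, in hours after enrollment.
T0 = datetime(2024, 1, 1, 9, 0)
def at(hours):
    return T0 + timedelta(hours=hours)

GUESSING = [Event(at(1), "checkin")] + [Event(at(2 + i / 60), "unlock_failed") for i in range(5)]
MISTYPED = ([Event(at(1 + i / 60), "unlock_failed") for i in range(4)]
            + [Event(at(1.5), "unlock_ok")]
            + [Event(at(3 + i / 60), "unlock_failed") for i in range(4)]
            + [Event(at(5), "checkin")])
SILENT = [Event(at(1), "checkin"), Event(at(100), "unlock_ok")]

if __name__ == "__main__":
    for name, history in [("guessing", GUESSING), ("mistyped", MISTYPED), ("silent", SILENT)]:
        print(name, evaluate(history, T0, at(101)))
```

The trigger time returned with each decision is the kind of record the chain-of-custody documentation discussed earlier would need to retain.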

How can legislators and customers be reassured about information privacy compliance?
Establish diligence by documenting the critical steps you have pursued to protect and secure confidential information. Then, strengthen privacy compliance throughout the organization and address key vulnerabilities and threats. Ultimately, institutionalize a conscious approach to managing information privacy across the enterprise to mitigate the risk of inadvertent disclosure, litigation and public attack.

Joseph DeSalvo is Chief Security Officer of Iron Mountain. He can be reached at Joseph.DeSalvo@ironmountain.com.