Challenges of Data Permissiveness in the Enterprise

Data, it’s everywhere!

Something around you collects data from the time when you wake up until you fall asleep. Every device seems to connect to the Internet, some with a warning about data collection practices. People gravitate past the warnings and notifications because they are often complex to understand and too long to read. In this article, I plan to address the complexities of data permissiveness and how the U.S Federal Government is taking steps to tackle these very challenges.

Are You Being Spied On?

Folks like you and me succumb to data tracking because it’s now become second nature to assume that companies and government regularly monitor online and offline activities.  There is a perception that to keep with modern life norms; you need to give up a piece of your privacy in exchange for convenience and a reasonable, not exceptional, experience. A 2019 Pew Research Study indicated that six in ten adults believe they cannot go through a day without having data collected on them. More specifically, the same Pew study reported that of the adults surveyed, as many as 63% felt companies were collecting data about them, many without permission.

It’s no secret that data-driven products and services are marketed to the masses with the notion that if you provide “a little data,” you supposedly get many benefits. Many products go so far as to proclaim that using their data-driven product will save you time and money.

But does it in the long run? Is being too permissive with data products a liability? Likely yes, but there is undoubtedly a cost, including potential security risks and some legal liability due to misuse.

Is Data Sharing Worth the Risk?

People appear willing to shrug their shoulders because it’s too complex to stop bad behaviors by enterprises who knowingly take advantage of their customers. In a study conducted by Harvard Business Review, our most sacred institutions, such as medicine and financial institutions, score relatively high in that customers trust what organizations are doing with the data they collect.

Harvard Business Review (2015)

Where does the downward spiral become apparent: with government institutions, media organizations, and social platforms?

How do organizations get away with this?

In a study commissioned by ProPrivacy.com, placing obsecure data collection in a privacy statement is feasible because less than 1% of end-users read the terms and conditions from start to finish. Of that 1%, only 22% actually read the state entirely. A 2022 Washington Post article shows the problem with reading most organizations’ terms and conditions or privacy statements. The article indicates an average data privacy policy is about 12,000 words, equating to ten single-spaced pages. How long would that take to read for a data policy fluent individual? About 20 minutes. It most certainly takes a lot longer for those with little knowledge on data privacy lingo.

Less than 6% of adults feel more secure today thanks to advanced security and privacy solutions making their way to the market. On the other hand, well over 70% say their data could be more secure as they are still determining how to manage it.

According to a study completed in 2021 by Forbes, most adults have been the victims of others mishandling their data, leading to a compromise with financial or personal repercussions. Furthermore, while there is a concern about how commercial platforms gather data, there is an even greater concern about how government agencies collect, store, and utilize data collected across its numerous platforms.

Does Data Quality Matter, or Just the Quantity?

Some platforms are explicit in what they claim they collect. It’s written out in their terms and conditions or privacy statements. On the other hand, other organizations claim that if you use our system, you should assume that anything and everything is fair game. The vagueness of what is collected and how it is used needs to be revised. The latter is the approach used by the federal government.

Organizations believe they need to collect data, but what do these organizations do with their data? We know that social media companies collect the proverbial kitchen sink so that the user experience is littered with contextually relevant advertising (or so they assume). But for government agencies, the use cases could be clearer.

According to the U.S. Government Accountability Office Website:

The federal government collects and uses personal information on individuals in increasingly sophisticated ways for things like law enforcement, border control, and enhanced online interactions with citizens.

All federal, state, and local agencies should go into how these data points are collected. But they don’t provide the level of detail on what data is actually being utilized for, or who has access to the data because there is a belief that it’s a matter of national security. Yet, federal policymakers recognize that there is a distrust between government and its citizens. especially on data protection enforcement.

What Can the Government Do to Be Data Role Models?

No alt text provided for this image

Local, state and federal government organizations must comply with specific data privacy laws that depend on their location and the type of data they gather. Almost all government entities regularly collect sensitive personally identifiable information (PII); it is crucial to employ data management systems that provide the highest possible security level, including restricting data permissiveness to only those who require access.

Comprehending the data privacy laws that apply to specific agencies can take time and effort. Agencies amass diverse sensitive information, from payment collection details to social security and healthcare data. Consequently, government agencies are also subject to the same data privacy and security regulations – they don’t get a free ticket to escape the rules. To ensure data privacy standards remain up-to-date, government agency personnel must comprehensively understand the regulations that may directly impact them and the citizens they serve.

In just the past few years, well over half of the United States State governments, including California, Texas, and New York, have enacted data privacy laws that apply to even federal government agencies per the New York Times. It doesn’t matter if you operate at the federal, state, or local level; it is essential to be well-versed in the data security and disposal laws that apply to your organization and its consumer base, both internally and externally.

The U.S. Federal Government is the world’s largest knowledge business. Virtually every decision made ties back to data collected by employees and contractors of these agencies.

Daily operations would be most difficult to operate efficiently without a strong knowledge ecosystem, leveraging data to make every decision. It doesn’t matter if you are a one-person operation or an agency the size of the Department of Defense; navigating these data privacy regulations is complicated.

It’s no secret that intelligence agencies are at the forefront of data protection due to the sensitive nature of their operations. Many civilian and healthcare agencies look to models developed by intelligence agencies, given their success at cybersecurity enforcement. Government-wide application of more stringent security and data protocols has become evident, with the inclusion of DoD-based policies becoming a standard requirement in current contract vehicles published and awarded.

Rules to Follow for Cybersecurity and Data Privacy Savvy Organizations

By making contractors who do business with these organizations follow a protocol that ensures cybersecurity compliance, including data privacy, the government is doing its best to be a role model for cybersecurity and data sharing best practices. With applications such as NIST 800-171 to ensure that controlled unclassified information (CUI) is safeguarded becoming commonplace for almost all contract opportunities and the forthcoming CMMC 2.0 rollout that specifies in more detail how CUI should be handled in the context of access control, identification and authorization, media protection, physical protection, system and communication protocols, and system and information integrity, data risk can be reduced.

How can you and your organization be more vigilant on data security practices? Here are some helpful tips:

  1. Don’t be overly permissive. It would be best to utilize administrative controls to restrict access to sensitive data when in doubt.
  2. Develop operational readiness plans, including a pre-emptive data breach response plan to implement in case of a breach.
  3. Build a data management strategy and heavily document the policy to ensure regulatory requirements are followed.
  4.  Select and implement industry-standard tools for your business that are trustworthy and reliable. That means limiting customizations to be more configuration-heavy, even if it requires modifying business processes to better adhere to security protocols.
  5. Don’t over-engineer your operations with unnecessary tools; more tools mean more opportunities to expose your data.
  6. Encrypt all data at rest and in transit for extra protection.
  7. Provide comprehensive training to all workforce members on cybersecurity hygiene and data privacy best practices.

These seven principles are grounded to establish a strong cybersecurity and data posture. If you want to validate your cybersecurity readiness with a certification path such as ISO or CMMC, these principles are part of the framework to fundamental success.

And with that, innovation, integration, and automation are within reach.

Scroll to Top