The time is now – Why enterprises must do better when it comes to data privacy

Jim Barkdoll    ·      Tuesday, October 22nd, 2019

Another day, another breach. It’s getting tiresome, isn’t it? And despite the fact we may be starting to suffer from “breach fatigue”, there are lessons to be learned from each of these instances.

This time, Best Western and its reservation engine, Autoclerk, are under fire after an open database belonging to the reservation engine was easily accessible, as it had no security barriers. This means that anyone could perform searches to examine records within the database, which included full names, dates of birth, home addresses, phone numbers, dates, travel costs, some check-in times and room numbers as well as masked credit card details.

What’s more – one of the platforms connected to Autoclerk exposed in the breach appears to be a U.S. government contractor dealing with travel arrangements.

That’s a lot of incredibly valuable personal data and potentially serious national security data left unsecured. While we’ll no doubt hear a lot of conversation exploring how this could happen, this speaks to something bigger. You’ll recall a few months ago we learned of a similar incident at Facebook, when 540 million user records were exposed, including user names, likes, reactions and comments, as part of a mass data collection.

To examine each of these breaches on their own fails to look at the larger picture. If large, name-brand enterprises like Facebook and Best Western have data sitting around unsecured, I can guarantee there are many, many other organizations, of all sizes, with the same set-ups.

That is simply unacceptable.

With growing consumer understanding of how personal data is protected and used as well as an ever-increasing amount of data privacy legislation, enterprises are compelled to be better data stewards.

So that begs the question – if this is the case, then why do we still see these breaches?

The answer can be boiled down to two things:

1. There is a difference between data privacy and compliance

Just because an enterprise claims compliance with data privacy regulations (and honestly, there aren’t a lot that can claim 100% compliance, but that’s an issue for another day), that doesn’t mean it is a leader in keeping data private.

Think of it this way – when a new home is being built, it must comply with building codes. Once that happens, does that mean the house is one of the best built?

No, it simply means the house meets the basic safety requirements set forth by the state or province.

The same is true for enterprises. A commitment to keeping data private goes beyond compliance. Enterprises have a responsibility to all of us to ensure our data is well protected.

There is a significant barrier to that goal, however, which brings me to my second point.

2. Many enterprises simply don’t know where personal data exists

I hear this from potential customers every day – they’re compelled to reach out to vendors, including Titus, because they simply don’t have a handle on where personal data resides in their organization. That data isn’t limited to names and credit cards alone – it can include health and financial information and more.

Without knowing this, it becomes next to impossible to ensure all this data is properly secured.

That’s where Titus comes in.

Our solutions enable enterprises to understand where they have sensitive data (including personal data) that exists today (data at rest) as well as where sensitive data is being created daily (data in motion).

Once that is established, enterprises can develop strong policies to ensure this data is well secured.

As we all know, this is far from the last time we’ll read about a data breach where critical personal data was left unsecured. But hopefully each new breach will provide a louder wake-up call to enterprises that they must know where their sensitive, personal data resides and that they must do more to ensure it is protected.