When it comes to corporate data policy, actions speak louder than words.
High profile data breaches have shown that even heavily regulated financial companies can falter when it comes to securing private data. Experts said data stewardship must be ingrained in corporate culture, but in many companies, it still isn't.
"It's just not a working habit for people," said Rich Mogull, research vice president with Stamford, Conn.-based Gartner Inc. But it has to become one, he said.
A major breach at CardSystems Inc. resulted in the theft of millions of consumer records that the company said should have been deleted long ago. In a recent Bank of America data breach , the company admitted to losing unencrypted backup tapes containing the personal information of 1.2 million customers. And a breach at LexisNexis was apparently the result of simple fraud, but try explaining that to compromised customers.
These incidents are just a few of the 60-plus breaches that were publicized in the last year. As a result, new and proposed legislation promises to further regulate how companies handle sensitive information.
"Most organizations are going to need to change how they handle private information," Mogull said. The issue is so important that he advocates senior level involvement and endorsement of corporate data policy by the CEO and board members.
But getting the CEO on board might be the easy part. Getting employees to adhere to new data policies has proven to be a bigger challenge, one chief information officer (CIO) said.
"Our biggest battle wasn't the deployment of the technology, it was the changing of the culture," said Kevin McDearis, vice president of information enablement and CIO of the software division of Norcross, Ga.-based CheckFree Corp.
McDearis oversaw a multi-year data stewardship initiative at the financial services provider and said the project took time, technology and organizational change. CheckFree now has a process for creating, enforcing and regularly reviewing its data policies, and data stewardship has become a much-evangelized company initiative.
As a result, CheckFree was the recipient of a 2005 Leadership Award from The Data Warehousing Institute, which recognized the company's exemplary data stewardship practices. It was a small reward for a project that's been a long time in the making.
Impacting the bottom line
Initially, the CheckFree IT group attempted to define all the data contained in various systems, with minimal success. "The result was a long, unreadable Word document that no one read," McDearis said.
So, three years ago, the company tried another approach. This time they focused on business rules and processes, McDearis explained. They evaluated hundreds of CheckFree business processes, and for each process, the team identified the "data consumed and data generated." The company defined hundreds of data quality metrics and documented the data definitions in a data repository. CheckFree also added hundreds of data policies covering the handling and security of data.
Many of the actual policies came directly from the company's attorneys, who evaluated the data types and business rules against sound corporate policy and regulatory requirements like the Sarbanes-Oxley Act.
For example, since CheckFree handles data for several financial institutions, maintaining data privacy is of utmost importance. McDearis explained that the company has a policy of not sharing one financial institution's data with another. There are policies about retention and data archiving, and policies surrounding encryption levels of various types of data and how data can be transmitted. And perhaps most importantly, the system describes who is ultimately accountable for the data in CheckFree databases. Rather than IT or developers "owning" the data, McDearis said, the people who own the business processes are held accountable for data quality and security.
In the new system, data definitions are documented and maintained using the MetaData Manager in the PowerCenter application from Redwood City, Calif.-based Informatica Corp. A linked, internal Web resource describes all the company's business processes, data types and owners. Once a year, data policies come up for review and renewal, and it's easy to add or change processes and policies, McDearis said, because the system is flexible. The metadata repository makes it "easy and quick" for the company to respond to audits, he said, adding that auditors have commented on the system's ease of use. Perhaps even more importantly, he is confident that employees have been adhering to policies.
A training program and internal marketing campaign helped all employees understand their role in the data stewardship process, McDearis explained. Now, when new employees start, they receive a glossy brochure and introduction to the data stewardship initiative and corporate data policy.
But the impact of the project isn't just measured in employee compliance and audit success, McDearis said. CheckFree estimates that the improved data stewardship process saves it $300,000 each year, by reducing the employee time spent sorting out data issues.