In an era when data needs to be recognized as an asset in order to transform as a business, retrieving value from data becomes the topmost priority. As fiercely as organizations are investing in innovating new tools and techniques to get the best possible “data deal,” are they considering the risks of grabbing hold of diverse, complex and sensitive data? Should the safety of data that transforms a business not be on the priority list? 

Firstly, the perception about data protection has to change. Now that data is no longer seen as a by-product of business, the description of protection also needs to extend beyond building a defense against probable attacks. Otherwise, the data that is considered an asset can soon become a liability. 

Consider the case of Blackbaud, a California-based cloud computing provider whose customers range from nonprofit organizations to educational institutions. It faced a data breach in July 2020, which exposed personal data of more than 10,000 organizations and numerous individuals. This compromised information included Protected Health Information (PHI), bank account numbers, and Personally Identifiable Information (PII) like social security numbers. Not only did the company not implement the basic security controls such as multi-factor authentication or customer reminders to change their passwords periodically, but it also held on to the data unlawfully. 

This is an outright violation of the data minimization principle mentioned in most data protection laws, like the EU-GDPR, UK-DPA, California’s CCPA, Mexico’s LFPDPPP, Germany’s BDSG, and the Philippines' PDPA. In addition, the lack of data retention policies permitted the exfiltration to take place. In June 2024, Blackbaud was ordered to pay $6.67 million as a settlement.

Some of the orders to Blackbaud by the Federal Trade Commission included producing a comprehensive information security program, deleting the data that is no longer purposeful, creating a schedule for data deletion, and alerting the FTC of any data breaches in the future. According to the state’s (California) orders, the company was required to create a design to take backups of only necessary data and establish a secure data process. 

Turns out control over data for longer than necessary can bring in more harm instead of the much-intended hike in revenue, reputation and customers. Who would have thought getting rid of data could be the open secret to protecting data?

The Reasons Behind the Crisis

Data is not numbers existing in the virtual world. Any kind of breach of this information impacts actual people in real life. From smart cities to smart phones, everything from equipment to infrastructure relies in some way or form on data. Predicting the impact of cyber-physical security incidents, Gartner states that 75% of CEOs will be held personally liable for professional scenarios. 

Leaders who wish to build a legacy of a secure data culture in their organization need to ingrain this sentiment in their employees. A leader does not have to be a data or security expert to create a culture that puts data protection at the core. The fact that employees look up to the leaders for inspiration should be enough for leaders to initiate the change and lead by example. A periodic email or an annual reminder regarding password change or security updates cannot replace the organizational practices followed by the leaders on a daily basis. Similarly, there are a few assumptions that lead up to a Pandora’s box of penalties, such as: 

• Not My Job: What often becomes a barrier to prioritizing data protection in the organization is a dangerous belief that securing data is the responsibility of the IT team. It not only increases the burden of the IT and security teams but also allows people of other departments to wash their hands off being accountable. This results in silos, which hampers the opportunities for cross-departmental collaboration.
• Ground Before Global: The amount of penalties that a business has to pay in case of an attack or a breach reaches millions and billions. For major businesses, these unfathomable loads of moolah in the form of lawsuits and fines are results of violations of global data protection laws and regulations. However, blunders are a culmination of daily careless mistakes on the ground that can easily be avoided by staying transparent with the data processing activities. 

Suggestions For the Secure Path Ahead

If organizations can go to lengths to gain ownership of personal data of other people, they also need to take the onus of ensuring it’s protected at all times. Also, if the leader gets the credit for the wins, they also need to bear the brunt of repercussions that a data breach brings. The leader can contribute to the creation of policies that prioritize data protection, the implementation of secure data processing practices, and the establishment of a culture that places cybersecurity at the center. Other solutions that can be incorporated are:

• Employee Training: An empowered workforce is a safe workforce. However, an annual learning and development program cannot serve the purpose of making data security a daily habit. Most people are aware of the usual security solutions, such as using strong passwords, multi-factor authentication, and VPNs. To encourage continuous learning, the training programs must be updated with the newer threats and security practices that can help safeguard the employees’ data. Often, such sessions either end up being boring or too technical. To make these lessons interesting, free them from technical jargon and fuse them with interactive activities to ensure more participation.
• Proactive, Not Reactive: “$15 million payment in lawsuit settlement by Hoosier Cash App” and “$370000 ransom paid by AT&T to hackers to get data deleted” are examples of cases where organizations reacted after the personal data of their customers had already been jeopardized. However, to be a secure organization, you have to be proactive in devising security strategies, fulfilling compliance requirements, and testing the implemented security solutions. An organization should consistently monitor and analyze the efficiency of their cybersecurity posture in preventing risks to their data and reducing the impact of cyberattacks. 

Embed Compliance Into Culture

An organization might be safe today because it complies with the governing laws and regulations. But unless and until data protection is viewed as a mere compliance requirement and not a safety solution for real-life entities, it can get tough to incorporate it into the organizational culture. An organization’s commitment to data security is not demonstrated by their capability of being able to stay in business post-crisis but by ensuring they abide by their values consistently without a watchdog or a complaint.