Unintended Disclosure from Anywhere
If you are like most people, when you hear the words "data breach" you think of the notable examples in the news involving millions of records compromised due to a data interruption. These are typically the result of hacking, malware, or social engineering. Although serious, these breaches have frequently exposed email addresses and passwords rather than directly exposing more readily usable sensitive data such as your full name and home address. Most of the Data Loss Prevention (DLP) tools you typically hear about focus on preventing these larger breaches.
But did you know that "unintended disclosure" also accounts for a significant amount of lost confidential or sensitive data (PII, PCI, PHI, etc.)? Unintended disclosure generally involves human error, data and document mishandling, accidental disclosure of information, basic theft, and more.
Cause aside, according to the Ponemon Institute's 2020 Cost of a Data Breach Report, "the average total cost of a data breach is USD 3.86 million". The costs to individuals directly impacted by identity theft and fraud run from hundreds to thousands of dollars per incident, with more than $1.9B in total reported in 2019 (Insurance Information Institute). The sectors most frequently involved in unintended disclosure incidents are government/public, educational, financial, health care, and non-profits. The ILINX Platform and DLP solution can help safeguard against the unintentional disclosure of "personally identifiable information" (PII) stored within enterprise content.
As defined by the US Department of Labor (DOL), PII is "Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means." The most commonly cited PII examples include Full Name, SSN, Address, DOB, Credit Card Number, and Driver's License. Data is also PII if it contains one of those values combined with secondary identification data points such as gender, race, ethnicity, and general geography. The DOL further defines PII as any unique identifying value, or combination of data, that would allow you to contact a specific individual in person or online. PCI and PHI refer to similar data related to Payment Card and Protected Health information.
Preventing unintended disclosure was challenging even before COVID-19, when people essentially worked from within the controls and walls of the company facility. Even then, content was not typically shared outside the enterprise without a fair amount of policy, procedure, and thought. Now, in our current work-from-home environment, whether we like it or not, we are outside some of the office safeguards and inherently more at risk. Today most of us are working, and reading this article, from somewhere in our home. It could be an office room with a door, but it is also likely sometimes a couch, a kitchen counter, or some other shared living space. Recent Stanford research shows that almost twice as many employees are currently working from home as at a workplace.
The problem of unintended disclosure only gets more complex from here on, into the inevitable "Work from Anywhere" (WFA) culture. In simple terms, WFA suggests that it should not matter where employees are working from if they are productive, and that their well-being ultimately leads to greater profitability. The WFA movement was already brewing before 2020. The pandemic merely caused the cup to overflow: a 2020 Gartner survey of an estimated 127 business leaders revealed that most plan to continue to allow a hybrid workplace indefinitely, allowing employees to work remotely, in 82% of cases, all of the time.
The pandemic is still tying most of us to our homes, but that will change as restrictions loosen. The WFA movement will continue to expand for the foreseeable future, allowing people to work full-time from just about anywhere. A coffee house, a restaurant, a library, the hospital room or home of a sick family member, a friend's house, a shared work office, an airplane, an RV, your vehicle, a vacation rental, a hotel, a move to the country, or even a beach are now workspaces.
While working from home, we are still cautious about what data we email or share with others outside our organization. But do you give much thought to what is visible on your screen to the people around you, or to those communicating with you remotely? Have you been on an online meeting and accidentally shared a screen or some content that you did not intend to, or weren't even aware of? Who is walking around while you work, and do you always lock your work device when you step away? We should not have to worry about extended family members, roommates, or guests, but we still must carefully try to reduce the opportunity. I love my family, but there is no reason for them to see private information such as an address, credit card number, or health information. Extended to a WFA world, outside of our house, all bets are off. Unfortunately, a person of concern could be anyone sitting near you, or even walking by with a phone taking a photo or recording a video.
I believe in seeing the best of people, but we lock our houses and cars for the same reason. We still have a responsibility to be good stewards over other people's sensitive data and protect their livelihood from some people who try to ruin that.
The ILINX Platform and DLP solution can help regardless of where your employees might be. It provides a breadth of functionality to identify and protect PII, PCI, PHI, or similar data within enterprise content, and subsequently while that content is viewed. It can automatically redact sensitive data, or it can provide a user-assisted, guided review and redaction experience. The process runs within an intelligent workflow that can include multiple review and approval steps. The solution allows redactions to be applied as secure overlays or, as needed, permanently "burnt in" to the content. Defined redactions are displayed, and protect the data, by default whenever the content is viewed. Users can apply additional permissions to overlay redactions to restrict or allow various user roles to see the underlying data.
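As an added illustration, not ILINX code and not the product's actual API, the script below sketches the two redaction modes described above for the PII types the post lists: pattern-based detection (with a Luhn check to screen out digit runs that are not card numbers), SSNs burnt in permanently, and the rest applied as overlays that lift only for roles permitted to see the underlying data. The sample record, the role names and the `REVEAL` policy are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample record; every value below is made up for this example.
SAMPLE = ("Applicant: Jane Example, DOB 04/12/1980, SSN 123-45-6789, "
          "card 4111 1111 1111 1111 (expires 09/27), ref 5555 5555 5555 4444")

PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),   # 13-16 digits, spaces/dashes allowed
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: a digit run that fails it is not a payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Redaction:
    kind: str
    start: int
    end: int
    burn_in: bool = False   # True: the value is destroyed, not merely covered

def find_pii(text: str) -> list:
    """Locate PII spans; SSNs are marked for permanent burn-in, the rest for overlay."""
    found = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue                      # false positive: not a real card number
            found.append(Redaction(kind, m.start(), m.end(), burn_in=(kind == "ssn")))
    return sorted(found, key=lambda r: r.start)

# Constructed policy: which roles may see the data under an overlay.
REVEAL = {"dob": {"reviewer", "auditor"}, "card": {"auditor"}}

def render(text: str, redactions: list, role: str) -> str:
    """Render the document for one role; burn-ins never lift, overlays lift per policy."""
    out, pos = [], 0
    for r in redactions:
        out.append(text[pos:r.start])
        raw = text[r.start:r.end]
        if r.burn_in:
            out.append("[REDACTED]")          # permanent, role-independent
        elif role in REVEAL.get(r.kind, set()):
            out.append(raw)                   # overlay lifted for a permitted role
        else:
            out.append("X" * len(raw))        # overlay stays in place
        pos = r.end
    out.append(text[pos:])
    return "".join(out)
```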
I have covered the importance of protecting the content employees are viewing. Stay tuned for the next DLP post, which will address handling requests for data to be sent outside your organization: content requests for eDiscovery and litigation, public records, audits, customer or vendor requests, etc.
By Allison Parlett