Toward the end of the 1990s, the European Union passed the Data Protection Directive, which essentially declares privacy a human right. The law presented a major data management challenge to multinational corporations: how to manage data sets across jurisdictional boundaries that have a range of privacy laws and still take advantage of expanding data analysis capabilities.
Businesses are still grappling with the issues created by the EU's directive and other regulations -- and now the considerations they have to weigh have evolved into big data security issues. Even companies that operate entirely within the U.S. must navigate a maze of state-level and industry-specific privacy regulations that make data management and analysis more difficult tasks. But in order to become more data-driven and embrace the benefits of big data analytics, organizations must find a way to manage their data in accordance with all relevant privacy regulations without making the data inaccessible and unusable.
"This is the next wave," said Peter Guerra, who leads a team of data scientists at consultancy Booz Allen Hamilton Inc. "We had nothing -- now we have all the big data technologies, and now people are starting to try to figure out how to manage all this data. There are some techniques to deal with that, but a lot are not ubiquitous."
More than slamming the door
One way to avoid big data security problems is to control access. Guerra said for a lot of companies, that simply means limiting the number of people who can view data sets. But that isn't always workable, given current analytics trends. Many organizations are looking for technology that lets business users perform their own analyses and share the results with co-workers. Limiting access to entire data sets cuts against that approach.
Instead, companies could base access limits on data attributes. For example, a financial services company may be able to structure access privileges so a sales manager can see the ZIP codes of customers to plan direct mail campaigns without giving him access to their Social Security numbers or other sensitive information. A business could also put in place field-level access control based on customer locations in order to handle regional differences in privacy laws.
But Guerra said implementing controls based on identity management and data segmentation can be technically challenging, which is holding back adoption.
"What we're seeing is a lot of uncertainty around how to manage data, especially around multinational companies," he said. "As businesses start to adopt these big data technologies and move them more to the core of their enterprise, when that maturity starts happening on a more broad scale, I believe they're going to need to be able to segment their data."
Don't get greedy about data
You need to understand the data you're collecting and why you're collecting it -- not at a source level but at a field level.
Alex Moss, partner, Conventus
It's a common trope today that data is an asset. And if something has value, why wouldn't you want more of it? That notion, combined with the plummeting cost of storage, has prompted many companies to start storing every bit of data they can get their hands on for possible analytics uses.
But businesses shouldn't simply collect and store data without thinking about what they'll ultimately use it for, said Alex Moss, a partner at information security consulting firm Conventus. Data might have value when it's put to use, Moss said -- but it can create compliance risks when it's just hanging around in systems.
The federal Health Insurance Portability and Accountability Act (HIPAA) requires strong protections for storing medical information. Similarly, the Graham-Leach-Bliley Act imposes rules for controlling access to financial data. Failure to comply with these and other privacy regulations can result in major penalties. Businesses that blithely vacuum up data might end up storing protected information without even knowing it.
"You need to understand the data you're collecting and why you're collecting it -- not at a source level but at a field level," Moss said. "People need to understand the risk associated with owning data."
To anonymize or not to anonymize?
One way to limit big data security issues is to anonymize data sets by removing key pieces of data from records, making it impossible to directly identify individuals. Martin Hack, president and CEO of big data analytics software vendor Skytree Inc., said that accomplishes two things. If done properly, it can help organizations stay on the right side of privacy regulations. It can also help ensure that customers feel comfortable with how their data is being used.
But not everyone thinks anonymization of data is fully effective. Booz Allen Hamilton's Guerra said researchers have shown it's possible to take anonymized data sets and cross-reference them with publicly available information to de-anonymize records. That particularly can be a problem in analyzing health information. An organization can be fined by the federal government under HIPAA for letting potentially identifiable data sets out of its possession, even if no actual harm comes to the patients involved.
"I don't know that anonymization is the best way to protect that data. There are ways to potentially trace back," Guerra said.
Driving force: Data breach or culture?
Unfortunately, it sometimes takes a data breach for organizations to start taking privacy and security seriously. For example, Conventus' Moss said retail giant Target didn't have a chief information security officer on staff prior to its recent data breach, which exposed the bank and credit card information of millions of customers.
Data breaches have been increasing rapidly in recent years. For example, the IBM X-Force 2012 Annual Trend and Risk Report showed that the number of reported breaches more than doubled from 2009 to 2012. There were more than 1,500 instances of personally identifiable information being lost, stolen or exposed in 2012, according to the report.
But in general, Moss thinks breaches aren't the defining factor in whether an organization takes big data security issues seriously. Ultimately, he said, it's a matter of culture.
"Those that haven't had a breach and aren't putting a focus on security -- there are some that never will," he said. "But then there are others that understand there's a risk."