Author:Michael Jelen

January 11, 2022

DREAM Bigger About Data-Driven Compliance

Data privacy risks vary from firm to firm, use data and experts to tailor your program to your needs.

3 min read

Experts plus technology result in better risk assessments.

DREAM a little bigger to integrate experts and data into risk assessment.

"On the morning of January 11th, 2022, we identified evidence that the personal information of a number of our customers has been compromised. No further action is required by you, the customer. The breach has been resolved and our services are working normally."

Another one? Great... whatever.

If you're like me, you've received dozens of emails like the one above, notifying you of a data breach, the potential loss of your personal information, and an attempt to assuage you that "everything's ok now." To be honest, I've received so many at this point that I hardly even notice, and maybe you have too.

But not all data breaches are created equal. While the ship may have sailed years ago to be able to tie my name to my address with stolen data anyone can purchase on the dark web, I really, really hope that my genetic data is safe. Receiving an email that my genome floats through the deepest, darkest corners of the interwebs with a price tag on it makes me feel very differently than if someone has my mailing address. Surely companies must protect different kinds of data differently and consider the commensurate risks this data carries, right?

Some do. But some don't. And the fines levied by regulators for data breaches aren't high enough to incentivize the level of investment required to protect us from an ever-increasing level of sophistication on the part of our cyber adversaries. When the highest fines are in the low millions of dollars, it's highly rational for executives to accept that a few million bucks on a product that generates tens of billions is just a cost of doing business. Investment continues to flow toward revenue-generating activities and away from securing customers' data.

But what if that changed? What if we had a more effective way to measure data privacy risk that incorporates nuance? Maybe fines aren't the only penalty for a non-compliant company? What if customers vote with their feet and choose to leave businesses who treat their data recklessly? These questions inspired us to build DREAM - our Data Risk Expert Assessment Module.

DREAM is an expert-led quantitative model to assess an organization's true data privacy risk, based on hundreds of features about their business. Does your firm hold data about children or only adults? Is customer data crossing international boundaries? Do you have vulnerabilities in areas that attackers have been targeting recently? All of these attributes carry different risks and should be treated appropriately.

DREAM ingests a trove of publicly available information about previous data breaches, regulatory fines, and even stock market performance after a breach. It then marries this data with the unique set of characteristics of your firm, benchmarked data from other BRG clients, and most importantly, the expert opinion of BRG's world-class data privacy professionals. Together, this combination of expert and machine produce robust, detailed assessments of where risk exists, how much damage a breach may cause, and most importantly, the key areas to invest in to prevent it from happening in the first place.

Your circumstances are unique, so shouldn't your approach to data privacy be as well? DREAM a little bigger about data-driven compliance.

The opinions expressed in this blog are those of the individual authors and do not represent the opinions of BRG or its other employees and affiliates. The information provided in this blog is not intended to and does not render legal, accounting, tax, or other professional advice or services, and no client relationship is established with BRG by making any information available in this publication, or from you transmitting an email or other message to us. None of the information contained herein should be used as a substitute for consultation with competent advisors.