SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Petar Bielovich

Why the hesitation? Addressing hidden PII security risks

Wed, 10th Sep 2025

As unstructured data is increasingly plumbed by AI models, more and more instances of incorrectly-stored sensitive data are being uncovered, placing executives and their organisations at risk of costly incidents.

It's widely acknowledged that unstructured data is 'having a moment' courtesy of generative AI. There are several ways to define this particular 'moment', and for Board directors and executives it may not be the one they've been looking forward to.

Generative AI technology is well suited to finding gems or nuggets of information in unstructured data such as documents, emails, videos, images and similar file formats, surfacing and coalescing them into something meaningful from which an organisation can draw actionable insights.

But the AI is not only surfacing insights – it is also finding other data, specifically Personally Identifiable Information (PII), that should not be in plain text in documents and emails at all. 

Such discoveries tend to prompt one of two reactions. The obvious one is to scan all unstructured files, locate every unknown or poorly-protected instance of PII and destroy it. But this is not the option many organisations currently choose.

Instead, faced with an unknown quantum of PII in gigabytes or terabytes of files, some will either move more slowly with AI, or turn a blind eye to what it's finding altogether.

The big question is: why the hesitation, and why the lack of urgency to ask questions and address the problem?

Poor data-handling practices cause this, and they pre-date AI

AI may make the problem more pressing, but it's not new. 

Most data in the world is unstructured - the most recent estimates show that it accounts for about 90% of data produced and held by businesses. That figure is possibly even higher now, as Large Language Models (LLMs) are busy adding to the pile of unstructured data that organisations have in their environments.

What makes reactions to the discovery of PII hidden in unstructured data even more puzzling is the Australian precedents showing just how much of a problem it can be. All of them pre-date the AI era.

In one case, an Excel spreadsheet containing the PII of 9258 individuals was mistakenly embedded into a Word document that was then published. The document was indexed by web crawlers, broadening access to it before it could be taken offline. In an ensuing court case, affected individuals qualified for compensation ranging from hundreds to tens of thousands of dollars each.

In another case, participants in a data-themed hackathon were provided with a subset of data to test their creations. The test dataset was insufficiently prepared and cleansed, and contained real PII on about 7000 customers. The business spent $68,500 replacing exposed identity documents, on top of the cost of improving its data-handling practices.

In a third case, in 2020, large volumes of PII, including licences, birth certificates and financial details, were sitting in staff email inboxes. Attackers compromised 47 accounts and stole 380,000 documents. A post-incident investigation found that privacy and security controls to manage sensitive information were in place, but "there was a lack of understanding of the risks and operation of controls and what could go wrong", and "a low level of staff and leadership appreciation of the potentially serious and long-term consequences that a breach of such information may cause customers."

Clearly, given the history of incidents involving PII hidden in corporate documents and systems, and with the ongoing adoption of AI tools increasing the risk that this hidden data is exposed, company boards need to treat reducing these risks with far greater urgency.

Decide, or have it decided for you

Governments are aware of the exhaustion and distrust felt by victims of data breaches. The government has recently indicated it will tackle the issue in the next tranche of privacy reforms.

A real risk for Boards and executives is that if the hesitation continues, if they do not ask questions, and if they do not locate and remediate the hidden PII in their unstructured data, the decision will be taken out of their hands.

Recent research by Gartner predicts governments will have rules in place by 2027. The clock was already ticking on data governance and security; the issue is now even more urgent. Among its recommendations, Gartner suggests allocating budget for trust, risk and security management products and capabilities.

At a bare minimum, organisations should be asking: Where is personal information stored across our systems, including emails, backups and shared drives? What controls are in place to discover and manage unstructured data risk? Are our tools and processes adequate to detect, secure and remediate sensitive data across all repositories? 

Organisations can take these three important steps:

  1. Implement forensic-strength cloud-based tools and processes to detect, secure and remediate sensitive data across all repositories.
  2. Craft an information management strategy.
  3. Define key data-handling and storage controls.

These steps give an organisation a strong foundation for understanding the scale of the issue it faces.
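Step 1 in practice means looking inside container formats rather than only at the visible text of a document: the first precedent above turned on a spreadsheet embedded in a Word file, and a scanner that reads only the Word body text would never have seen it. The following is an added example, not code from this article or from Atturra, of a minimal discovery pass over an Office Open XML file. It walks every part of the .docx package, extracts the text nodes of each XML part, recurses into embedded packages (word/embeddings/*.xlsx) and flags email addresses and Australian Tax File Numbers, using the TFN check digit (weighted sum divisible by 11) so that ordinary nine-digit reference numbers are not reported. The sample document, the names, the addresses at example.com/example.org and the records inside it are all constructed for the example.

```python
"""Added example: find PII inside Office Open XML files, including spreadsheets
embedded in Word documents (word/embeddings/*.xlsx). All sample data is constructed."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Nine digits, optionally grouped 3-3-3 with spaces or hyphens, not part of a longer number.
TFN_RE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)
MAX_NESTING = 3  # stop recursing into packages-within-packages beyond this depth


def is_valid_tfn(digits: str) -> bool:
    """Australian Tax File Number check: weighted digit sum divisible by 11.
    Applying the check digit keeps random nine-digit reference numbers out of the findings."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def xml_text(data: bytes) -> str:
    """Return every text node of an XML part joined with spaces (w:t in Word,
    si/t in a spreadsheet's shared-string table, and so on)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ""
    return " ".join(t.strip() for t in root.itertext() if t.strip())


def scan_text(text: str, location: str) -> list:
    """Return (location, kind, value) tuples for each PII hit in text."""
    findings = [(location, "email", m.group(0)) for m in EMAIL_RE.finditer(text)]
    for m in TFN_RE.finditer(text):
        digits = "".join(m.groups())
        if is_valid_tfn(digits):
            findings.append((location, "tfn", digits))
    return findings


def scan_ooxml(data: bytes, location: str = "", depth: int = 0) -> list:
    """Walk every part of an OOXML package (a zip): XML parts are scanned for text,
    nested zips (embedded xlsx/docx/pptx) are scanned recursively."""
    findings = []
    if depth > MAX_NESTING:
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            part = zf.read(name)
            where = f"{location}/{name}" if location else name
            if name.lower().endswith(".xml"):
                findings += scan_text(xml_text(part), where)
            elif zipfile.is_zipfile(io.BytesIO(part)):
                findings += scan_ooxml(part, where, depth + 1)
            # Legacy OLE embeddings (word/embeddings/oleObject1.bin) are neither XML
            # nor zip and would need an OLE parser; they are skipped here.
    return findings


def build_sample_docx() -> bytes:
    """Constructed fixture (not a complete .docx, just the parts that matter): the visible
    body is harmless, but an embedded .xlsx carries invented customer records."""
    xlsx = io.BytesIO()
    with zipfile.ZipFile(xlsx, "w") as z:
        z.writestr(
            "xl/sharedStrings.xml",
            '<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
            "<si><t>alice@example.com</t></si><si><t>TFN 123 456 782</t></si>"
            "<si><t>order 123456789</t></si></sst>",
        )
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w") as z:
        z.writestr(
            "word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            "<w:body><w:p><w:r><w:t>Quarterly report. Contact: media@example.org</w:t>"
            "</w:r></w:p></w:body></w:document>",
        )
        z.writestr("word/embeddings/Microsoft_Excel_Worksheet1.xlsx", xlsx.getvalue())
    return docx.getvalue()


if __name__ == "__main__":
    for location, kind, value in scan_ooxml(build_sample_docx()):
        print(f"{kind:5s} {value:20s} in {location}")
```

Run against the fixture, the scanner reports the contact address in the document body and, separately, the email address and the valid TFN from the embedded spreadsheet, while the nine-digit order number fails the check digit and is not reported. Two caveats for real use: files pulled from shares and mailboxes are untrusted input, so parse them with defusedxml rather than the standard ElementTree to avoid entity-expansion attacks, and a production pass would also need to open legacy binary formats (.doc, .xls, OLE .bin embeddings) and email attachments, which this example does not.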

An experienced partner like Atturra can help organisations start this journey and achieve clear, measurable outcomes that minimise PII security risks.

With governments and authorities circling, Boards and executives must move beyond passive data oversight and take deliberate steps to own the risk of unstructured data before regulators, litigators, or media make that decision for them.
