Let's explore in more detail the three steps financial institutions can take to protect their newly acquired data:
Step No. 1: Monitor business communications for sensitive data
The first step following an acquisition should be to monitor business communication channels for confidential data. One of the easiest ways to do this is with a DLP solution. This technology includes out-of-the-box templates for hundreds of data types and regulations. For example, DLP technology can be used to find regulated information such as information about the Gramm-Leach-Bliley Act (GLBA) and the Sarbanes-Oxley Act, as well as customer data such as Social Security numbers and credit card information.
In a merger and acquisition situation, a lot of confidential data is exchanged between law firms, auditors, human resources and other departments. During an acquisition, fear and uncertainty can lead good employees to make bad decisions. For example, salespeople may make copies of customer lists, while developers may make copies of proprietary source code. It's critical to get visibility into both the good and the bad business processes early on.
This will give organizations the intelligence necessary to better govern and secure the business by monitoring the communication channels to see what data is being sent, where it is going and who is sending it. Most people think that they have to do a deep discovery process for their data before they can monitor it. However, by using built-in policy templates in a DLP solution, they can easily begin to monitor for the data they suspect they have, even before they know for sure.
Step No. 2: Discover information assets
Data discovery provides an inventory of the data stored in an organization and can alert managers to data that is "at risk" of being lost. When data is discovered, you gain visibility into the organization's information assets and can begin to classify them. Through this process, you can improve both storage and security across the enterprise and better plan for provisioning, access and growth (while at the same time mitigate risk).
Although most organizations can satisfy their discovery requirements by using the policy templates built into a DLP solution, the technology also provides for deep content inspection using digital fingerprinting technology. This capability permits the discovery of virtually any type of data, including proprietary information such as source code, merger and acquisition documents, and patent information.
Step No. 3: Implement policy controls to secure sensitive data
After gaining visibility into what data an organization has and what data is being used, a DLP solution can institute controls to protect it. Setting policy controls around data, employees and communication channels allows organizations to send data wherever it needs to go, but safely. Communications during a merger and acquisition are critical, and data transfer should not be blocked under the right parameters.
For example, the legal teams for each party must be able to send information back and forth, but it's also important that those communications are secured. That's where DLP and encryption technology come into play. Setting policy controls can manage who can send what data, where they can send it and how it is sent. For example, in the attorney scenario, policies could be set to automatically encrypt e-mails between lawyers. Other examples of setting policy controls include fingerprinting data so that it can be sent securely in an e-mail. However, if someone tries to post it on a financial chat board, the policy would prevent it. The goal of policy controls is to secure data while at the same time enabling business.