Who Watches The Watchmen?

Protecting Personally Identifiable Information (PII) is the intrinsic goal of Governance, Risk, and Compliance (GRC) frameworks. At their ideological best, when defined, implemented, and operating effectively, these frameworks allow influential stakeholders to build institutional processes in which impactful, beneficial decision-making can take place. However, the dynamic stakeholder landscapes of many technology-driven industries can create incentives for bad actors, resulting in a new landscape that requires new GRC rules.

This talk will explore the state of healthcare management in the context of data stewardship with private and public stakeholders driving how principles of GRC are operationalized and implemented. Drawing on publicly disclosed cases and anecdotal references, the talk explores the critical ethical and systemic failures that occur when the current GRC framework is misused against the stakeholder to meet sometimes less than ethical business goals. While regulations like HIPAA and FERPA exist to prevent misuse, loopholes and deliberate data tampering continue to pose significant threats, particularly to vulnerable populations and minors.

We will examine the lifecycle of a PII breach in the context of several industries and investigate the true effectiveness of privacy safeguards when, in many situations, the only defense available to a data subject is a user-interface icon (an opt-out button). Attendees will learn the lifecycle of a data object in several industries and identify new points of contact at which enhanced accountability and traceability could be applied to mitigate risk.

The talk will center around five proposed GRC-oriented pillars for modern data stewardship:

  • Stakeholder Disclosure: Mandatory, granular clarity on who is interacting with subject data.
  • Data Sharing & Data Buying Policies: Moving toward full public transparency that extends beyond current FOIA limitations for specific use cases.
  • Indicators of Compromise / Indicators of Sabotage: Establishing technical signatures for data integrity violations so that compromised data can be detected.
  • Public Service Announcement of Geographic Regulations: Ensuring users understand how their rights shift across borders.
  • Public Service Announcement of Legal Repercussions & Reparations: Defining clear paths for restorative actions when data stewardship fails.

Attendees will come away from the talk with a greater understanding of how data is used in systems and how to identify potential breach points, vital understandings for technical and business practitioners alike. They will also learn about current GRC laws used in industry and receive a historical overview of data security and privacy violations, all perspectives that should influence attendees’ opinions on how data is ‘GRCed’ going forward.