Ethical walls and their importance for data privacy

What are ethical walls?

Ethical walls are apparent in any policy or process exacted to separate individuals and roles within an organization to make sure sensitive information is safeguarded appropriately.

The basis of many comprehensive privacy and security laws revolves around having walls in place to make sure that people can’t do things they shouldn’t be able to, including monitoring on your end. Read below to learn more about different types of ethical walls and how they can protect your organization from potential risk in the future.

Simply put, ethical walls prevent conflicts of interest by design.

Here’s a great example:

Ethical walls and data privacy and important concepts working together to protect sensitive information, and continuously ensure individuals’ personal information is not misused.

How are ethical walls used?

Organizations can utilize ethical walls to promote data privacy practices by implementing policies and processes that restrict access to sensitive information, with continuous monitoring and reporting on results on restrictions put in place. Some ways in which organizations implement ethical walls include:

1. Access Controls: Organizations can restrict access to information by implementing access controls such as:

   1. Password protection

   2. Multi-factor authentication

   3. Role-based access control

2. Data Classification: Organizations can classify data based on sensitivity level and restrict access to information based on classification

3. Separation of Duties: Organizations can implement separation of duties policies to prevent employees from accessing information that could create a conflict of interest, and continuously re-examine processes and procedures to ensure there is adequate separation

4. Monitoring and Auditing: Organizations can audit and monitor who is accessing sensitive information and when to help detect and prevent unauthorized access

Data privacy concerns

Lack of ethical walls can lead to pretty serious organizational repercussions.

Equifax

A more notable example, the 2017 Equifax data breach was caused by a lack of controls around sensitive information. Their failure to segment sensitive databases allowed hackers to access information they shouldn’t have been able to access, resulting in a significant data privacy issue for not only the consumers impacted, but Equifax as well.

Cambridge Analytica

Cambridge Analytica was harvesting personal data from millions of Facebook users without their consent, allowing companies and individuals to utilize that information to influence political campaigns. An ethical wall would have prevented Cambridge Analytica from accessing this data in the first place, as it would have required the company to separate the teams responsible for data collection and analysis from those responsible for political campaigning.

Target

Target experienced a data breach in 2013 that exposed personal and financial information of over 100 million consumers. Hackers were able to access Target’s payment system through a third-party vendor. An ethical wall would have prevented the vendor from having direct access to the payment system to read and export this information, as there should have been established guidelines and restrictions in place governing how that information was shared and accessed.

Yahoo

Yahoo experienced a massive string of data breaches that compromised the information of all 3 billion users. The breaches occurred due to lack of security measures, and subsequent failure to report in a timely manner. An ethical wall would have required Yahoo to separate the teams responsible for security and data management, and external communications so they could communicate effectively and transparently with each other and the public. This would have allowed for a quickly response and resolution to the breaches, and may have mitigated the reputational damage suffered by the company.

For example, the communications team may have been incentivized to downplay the severity of the breaches in order to minimize the reputational damage, while the data and compliance teams would have wanted to fully disclose the extent of the breaches. An ethical wall could have prevented conflicts and ensured the interests of both teams were aligned towards resolving the issue and protecting consumer data.

So why not bypass ethical walls? Is it ever okay to?

If you are responsible for implementing ethical walls, you’ll hear a variation of this question a million times: “Is it ever okay to bypass ethical walls?”. Most likely, it’ll be asked in the form of being delayed, to get something to production quickly or meet a deadline.

Outside of business stakeholders openly prioritizing business goals or revenue generation over compliance requirements or ethical considerations, there are some reasons why individuals may want to bypass an ethical wall. For example:

Efficiency

Ethical walls can sometimes slow down or add additional steps to processes, which may be seen as a hinderance to efficiency. For example, anytime someone wants to share or sell data outside of the enterprise, they need approval now, or need to filter for consent. Some employees may choose to bypass ethical walls to streamline their process and save time, even if it comes at the expense of compliance or ethical considerations.

If you’re responsible for designing and implementing processes to effectively create ethical walls, consider all the processes and strategy you’re creating against what is minimally required to comply with the ethical wall. The people impacted by your decisions will be thankful you considered that instead of implementing a tedious and unnecessary process, and worked with them to find a way to implement an ethical wall that doesn’t interfere or block the work they’re tasked with doing. This is an effective way to fix issues when you see teams across your organization bypassing ethical walls that are being set up, or are currently in place.

Convenience

Ethical walls can be inconvenient if employees or teams need access to information that is restricted, either by automated or manual processes. It inherently introduces more areas for work delay or stoppage, and can create frustrations and bumps if not implemented correctly. While no process is perfect, it’s important to consider easy ways you can make your implementation more convenient for the end user.

For example, you’re responsible for an ethical wall that restricts a certain data set. If you need access to it, you have to log an event into the organization’s ticketing system, create a ticket, and a human has to review it and approve or deny. It’s not a ton of information, but requires someone to open a separate screen and type in information from their native application into fields in the ticketing system every time they log an event. As a result, you start to see week over week that there are more events occurring from the file transfer system than are logged in your ticketing system.

A way to make this more convenient might be to implement a button within the native application being used to transfer the ticket information directly to the company system, or even automate a ticket creation and submission if certain fields are selected. Finding ways to make convenience a priority for your end user will go a long way for adoption of best practices at your organization.

Lack of Understanding

In some instances, employees might bypass ethical walls because they don’t understand the purpose, process, or importance. This can happen when large organizations implement siloed compliance resources, don’t allocate proper resources to communication and change management activities, or don’t have a strong policy and procedure presence company-wide. This can also just happen because organizations are big and nobody is perfect. For example, a new employee may not be aware of certain ethical wall policies and may bypass them out of ignorance. This truly underscores the importance of clear communication and training around these policies to ensure all employees are successfully equipped to comply with them.

Increasing evangelism through organizational training, hands on demos and presentations, and communication and change management resources is a great first step to increasing understanding at the company. Implementing ways to monitor the effectiveness of communication, and areas of opportunity is also very important so you understand which areas you’re successfully conveyed the message and how it’s sticking with people.

So what happens if I do?

Bypassing ethical walls can have serious consequences, including compliance violations, reputation damage, and legal liabilities. It’s critical for both employees and organizations to prioritize compliance and ethical considerations.

Implementation Tips

Implementing ethical walls can be used to protect sensitive information while still allowing the organization to generate business revenue. Here are a few strategies that can help you implement ethical walls in a cost-effective way:

Identify critical information

Conduct a risk assessment to identify the most sensitive and critical information that needs to be protected. This will help you understand which data needs to be restricted by an ethical wall so you don’t oversolution your compliance strategy, allowing more data to be shared freely. By focusing your efforts on appropriately protecting and classifying sensitivity of data, you can still protect the most sensitive data while generating revenue from less sensitive information.

Use technology where appropriate

Technology can help you more effectively implement and monitor ethical walls, while reducing cost. Often times when a compliance team needs to implement a new strategy, their first iteration of the process or procedure has a human manually intervening in a process step at some point to approve, deny, or review a business request or question. You can use access controls, data classification tools, and monitoring and auditing tools to manage access and automate approvals while ensuring compliance with policies. By automating these processes, you can reduce the time and resources needed to manage ethical walls.

Train employees

Educating your employees on the importance of ethical walls and how to comply can be an effective way to reduce risk of accidental or intentional privacy violations. Providing them with a contact point or resource center of information to answer their more nuanced questions about whether something is an ethical wall violation or not is key as well, because often times there are a lot of exceptions or grey areas that pop up, especially as a process is being adopted by the organization.

It is important to strike a balance between protecting sensitive information and generating revenue. By identifying the most critical information, using technology, training employees, and continuously reviewing your program, you can implement ethical walls in a cost-effective way that still allows you to generate revenue.

We can help

If you’re curious to learn more, or want to learn about the services we provide to implement effective ethical walls for organizations, contact us today.