PwC scandal highlights information management issues

The PwC tax scandal has been unravelling in the public sphere over several months, with new information still emerging about the scale and impact of the company’s employees leaking confidential government information to corporate clients. There has been extensive commentary into the legalities and ethics of the organisation’s behaviours, along with how much was known and by whom. It is still unclear what the consequences will be for the firm.

It would be tempting for business executives watching from afar to view these incidents as irrelevant to their own organisations, but this could not be further from the truth. Now is the time for businesses across all industries to recognise the scale of what this scandal shows about the importance of good governance and secure information management. Organisations have an opportunity now to adopt learnings from what is happening at PwC to ensure the integrity of their own information and to reassess their information management practices.

Understanding data management

As we move further and further into an age of treating data and information as a commodity, it is more important than ever to ensure that this commodity is being managed, protected and secured so that the expectations of customers, consumers and citizens can be met. This means that organisations managing sensitive information — including consulting firms, financial institutions, government agencies and healthcare providers — can drastically mitigate the risk of malpractice or unethical sharing of information by having the appropriate systems and processes in place. Ensuring this requires a top-down approach and strong governance.

Furthermore, regularly updated, industry-specific and properly audited regulations are required. To get this right, the government must collaborate with industry experts across the corporate sector. This is not an easy task and cannot happen overnight, but is crucial in today’s society, where information has become monetised and mission-critical for many organisations.

As further regulation is required for the private sector, there must also be room for collaboration among government agencies in ways that add value. For example, if a government agency has found or suspects inappropriate behaviour occurring with contracted organisations, there should be effective mechanisms in place for those concerns between government agencies to be flagged and actioned in a timely manner.

Until that time though, there are still things organisations can work to implement.

Setting up enforceable and effective barriers

Every organisation today is data and information driven. Consequently, every organisation needs clear information barriers for content, according to its level of sensitivity or confidentiality. For retailers, banks and hospitals, this may be personally identifiable information such as addresses and driver’s licence numbers. For small businesses, this could be credit card information kept on file or copies of past transactions. Regardless of the business’s size or industry, there should be a thorough understanding of what qualifies as sensitive, non-sensitive and highly sensitive data.

Once these categories are established, there must be rules and processes to ensure that each type of data has appropriate limitations for how it is shared internally and externally. Systems and tools need to be put in place to enforce those barriers — eg, highly sensitive documents should only be accessed by those with appropriate permissions, and even those activities should be tracked to ensure certain actions are blocked when they do not meet the set security rules or requirements.

Most importantly, there should be robust auditing systems and processes to ensure these barriers are working as planned. Organisations need to be able to immediately identify where and how inappropriate actions have taken place. This is to avoid delays in responding to potential risks or adding to an internal culture where staff feel they are unlikely to get caught for not following secure processes.

Good governance should filter out vendors with poor information management

Now that PwC’s inappropriate behaviours have come to light, more businesses are announcing that they will freeze or not start new contracts with the firm, with the latest including several of Australia’s largest superannuation funds. However, it should never have taken a scandal of these proportions for organisations to hold vendors to the highest security and information integrity standards before deciding to work with them.

The PwC incident demonstrates there have been failures not just within the firm, but also with the government’s contract arrangements. All government contracts with vendors should include appropriate information management responsibilities, particularly in regard to security, use and retention of information.

If this had happened and the vendor was found to meet their requirements and then commenced work, there should have been better governance of those contracts after they were awarded. This includes ongoing auditing of how information was used. For misuse of information or non-compliance, applying immediate and significant penalties would ensure all parties are aware of what has happened and the tangible consequences of inappropriate behaviour.

Terms and conditions are not always enough to keep the private sector accountable

Currently, the private sector is not regulated for information management to the same level as the public sector, meaning contract T&Cs are relied on to enforce best practices around how information is shared, used and managed.

These recent events have proven how easy it is for consulting firms working with the government to apply a different set of standards and rules to how their information is managed externally. It is clear there should be stronger regulations that apply to the public and private sectors with equal rigour to ensure this cannot happen again.

While many in the political and corporate sectors are watching the PwC situation unfold from afar, this is not the time to become complacent and settle for pointing fingers at others, despite the significant amount of wrongdoing to be addressed. As we learn more about how this situation started and evolved, every business should be looking internally at its own information management processes and asking what risks are currently present and how they could be reduced. With the introduction of some simple tools and processes, businesses can ensure major decisions regarding confidential information are not left to the individual opinions of an employee, but rather driven by an appropriate and regularly audited set of rules that keep customers’ data secure and maintain the values and integrity of the organisation.

Image credit: iStock.com/carloscastilla