Consumers are familiar with the opt-in and opt-out terminology that governs whether companies may send emails and postcards describing their latest products or whatever is on sale at the moment. Because marketing and sales communications can be overwhelming, opt-in or opt-out has become the standard way of managing permission. In the EU under GDPR, consumers must explicitly opt in to communication, while most consumers elsewhere are only given the option to opt out via unsubscribe links embedded in the spam email itself. Telemarketing is also opt-out, through the Do Not Call Registry.
Opt-out should apply to more than blocking spam and telemarketers. Opt-out should apply to data security. Legacy security solutions have always operated under an opt-in model: users were asked to identify sensitive or confidential information themselves and then either classify it as Internal Only or encrypt the file with password protection.
Users have no incentive to be the watchdog of corporate or customer data. Regardless of whether the data is confidential financial data, corporate intellectual property, or customer personally identifiable information, users just want to get their job done with the least amount of hassle. And even when every user is diligent about security, users make errors. Lots of them. Bottom line: users can’t be trusted with that job. Legacy data security solutions are not protecting organizations’ data properly. Data loss headlines for simple cases, like losing a USB stick containing Heathrow Airport’s security procedures or emailing a file of patient records to the wrong person, are constantly in the news.
With an opt-out security model, protection is enabled by default, and users opt out of it only when business requirements dictate. Internal-only company data should never leave the company; if it were accidentally or maliciously sent to someone outside the company, unauthorized recipients could never access it. Additionally, access permission should automatically follow the content. If a chart from a Finance Group spreadsheet is copied into a new presentation file, the presentation file should retain the same access control, allowing only members of the Finance Group to open it.
A user who has legitimate business workflow needs has both the incentive and the authority to remove protection from files that must be shared with clients, suppliers, and other third parties. The opt-out model puts the incentives for users in the correct order: a user may or may not care about security, but they will certainly care that their client receives the proper information.
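The following is an added example, not code from the original post or from any product it describes: a toy Python model of the opt-out policy sketched in the two paragraphs above. Every new document is labelled with its owning group by default, content derived from protected sources inherits every source label (so a deck built from a Finance chart stays Finance-only), reads are default-deny, and the only user action is an explicit, audited opt-out by someone who is entitled to the data and supplies a business justification. The users, groups, file names and the `DataStore` API are all constructed for illustration.

```python
"""Added example (not from the original post): a toy opt-out data-protection
policy. Documents are protected by default, derived content inherits labels,
and release requires an entitled user plus a recorded justification.
All users, groups and documents are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Document:
    name: str
    # groups whose membership is required to read; an empty set means released
    labels: frozenset
    derived_from: tuple = ()


class PolicyError(Exception):
    """Raised when an action would violate the opt-out policy."""


class DataStore:
    def __init__(self, group_members):
        # constructed directory: group name -> set of user ids
        self.groups = {g: set(m) for g, m in group_members.items()}
        self.docs = {}
        self.audit = []  # (user, document, justification) per opt-out

    def _member_of_all(self, user, labels):
        return all(user in self.groups.get(g, set()) for g in labels)

    def create(self, user, name, owner_group):
        """New content is protected by default: labelled with its owning group."""
        if user not in self.groups.get(owner_group, set()):
            raise PolicyError(f"{user} is not a member of {owner_group}")
        doc = Document(name, frozenset({owner_group}))
        self.docs[name] = doc
        return doc

    def can_read(self, user, name):
        """Default deny: a reader must belong to every labelling group.
        A released document (no labels) is readable by anyone."""
        return self._member_of_all(user, self.docs[name].labels)

    def derive(self, user, new_name, *source_names):
        """Copying content into a new file carries every source label along,
        so the result is at least as restricted as each of its sources."""
        if not source_names:
            raise PolicyError("derived content must name at least one source")
        for src in source_names:
            if not self.can_read(user, src):
                raise PolicyError(f"{user} may not read {src}")
        labels = frozenset().union(*(self.docs[s].labels for s in source_names))
        doc = Document(new_name, labels, tuple(source_names))
        self.docs[new_name] = doc
        return doc

    def opt_out(self, user, name, justification):
        """The one place a user acts: an entitled user releases a file for a
        stated business reason, and the decision is recorded for audit."""
        doc = self.docs[name]
        if not doc.labels:
            return doc  # already released
        if not self._member_of_all(user, doc.labels):
            raise PolicyError(f"{user} is not entitled to release {name}")
        if not justification.strip():
            raise PolicyError("opt-out requires a business justification")
        released = Document(name, frozenset(), doc.derived_from)
        self.docs[name] = released
        self.audit.append((user, name, justification))
        return released


def demo():
    """Walk through the Finance-chart scenario with constructed users."""
    store = DataStore({"finance": {"alice"}, "marketing": {"bob"}})
    store.create("alice", "q3-budget.xlsx", "finance")
    assert store.can_read("alice", "q3-budget.xlsx")
    assert not store.can_read("bob", "q3-budget.xlsx")      # protected by default
    # alice copies a chart into a new deck: the deck inherits the finance label
    store.derive("alice", "board-deck.pptx", "q3-budget.xlsx")
    assert not store.can_read("bob", "board-deck.pptx")
    # bob cannot opt out a file he is not entitled to
    try:
        store.opt_out("bob", "board-deck.pptx", "client needs it")
        raise AssertionError("unentitled release must fail")
    except PolicyError:
        pass
    # alice, who owns the data, releases it for a recorded business reason
    store.opt_out("alice", "board-deck.pptx", "approved for external client")
    assert store.can_read("bob", "board-deck.pptx")
    assert store.can_read("outside-recipient", "board-deck.pptx")
    return store


if __name__ == "__main__":
    demo()
    print("opt-out policy demo passed")
```

The design choice worth noting is that `derive` takes the union of the source labels rather than the label of the destination's author: the presentation is Finance-only because of where its content came from, not because of who pasted it. Real implementations attach such labels as file metadata or rights-management headers; the model above only shows the policy decisions.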
Treat opt-out as a requirement for data protection: protect all data by default, and align the security workflow with how users actually work.