Could your data be putting you at risk of losing out financially, as well as in terms of customers and business? Christine Andrews, managing director of DataIQ, explains why running an audit of your data risk could keep you on the winning - rather than the losing - side.
Sobig, Mimail, Scribble and Zippo. No, not the names of the next reincarnation of the Teletubbies - rather the names of complex viruses and worms which have caused havoc for information and data security teams over the past ten years. Hackers have a tendency to create headline news, as their deliberate attempts at corporate sabotage are devastating for the companies impacted, both in terms of the time taken to fix the damage and in terms of brand or reputational damage and fines.
Witness the British Pregnancy Advisory Service (BPAS), fined £200,000 by the Information Commissioner’s Office (ICO) in March 2014 after a hacker threatened to publish thousands of names of people who had sought advice on abortion, pregnancy and contraception. The ICO reported that the BPAS “didn’t realise the website was storing this information, didn’t realise how long it was being retained and didn’t realise the website wasn’t secure. Ignorance is no excuse”. What was also interesting about this investigation was that, as well as failing to keep the personal information secure (a breach of Principle 7 of the Data Protection Act), the BPAS had also breached the DPA by retaining the call-back details for five years longer than was necessary for its purpose (a breach of Principle 5).
But it isn’t just charities that need to beware of the risks of not being DPA compliant. On 5th August 2014, the ICO issued guidance to the legal profession following 15 incidents reported to the ICO over the preceding three months. At issue are the large amounts of sensitive information held on paper files, rather than secured by encryption, that lawyers carry around with them. These data breaches, warns the ICO, could leave chambers open to financial penalties, as barristers and solicitors are classed as data controllers.
Estimates vary as to how costly a data breach can be, with the table below showing the potential cost to a large organisation being somewhere between £300,000 and £700,000 - brand damage being the largest variable. For smaller organisations, the figure may be less in terms of reputational damage and direct financial losses, but there are plenty of examples where staff negligence and stupidity have resulted in fines.
For example, the owner of Jala Transport Ltd, a small money-lending firm, was fined £5,000 after a thief snatched a briefcase containing an external hard-drive full of unencrypted customer data, documents and £3,600 in cash through an open window while his car was stationary at traffic lights. The stolen drive contained a back-up database holding the personal data of 250 clients, including their name, address, date of birth, nationality, passport number, driving licence information and proof-of-address documents. Importantly, although the drive was protected by an 11-character password, it was not encrypted – a crucial distinction, because a password prompt in the drive’s own software does nothing to stop someone reading the raw contents of the disk directly, whereas encrypted data is unreadable without the key.
Given the exposure and risk so many companies are taking with their data, it is no wonder the ICO is experiencing a rise in breach notifications. Many of these instances could be avoided if only an organisation started by at least recognising that, while data is a vital asset to the business, it can also be a liability. Data can be de-risked, but senior management has to take the first step and ensure that a) they maintain a risk register for the business and that b) data is one of the items on this register.
Step 2 is to assess where some of the data risks might be. Typically, these can be divided into technical risks (ensuring websites are secure, anti-malware software is up to date, etc) and people and process risks (ensuring staff are trained on correct data handling procedures), with third parties also presenting more and more of a risk.
Perhaps a better way of assessing risks is to conduct a structured assessment of data protection compliance and data security risks. This can be done by internal audit functions or through using external support. Typical assessments, such as data consultancy DataIQ’s RADAR™ methodology, provide a company with a clear indication of areas of strength and weakness.
An overall score is provided on a RADAR™ maturity curve scale of 0-5, with 0 being “Chaotic”, i.e. no recognition of problems and no attempt at either an informal or a formal process to address them, and 5 being “Optimised”, with the organisation focused on continually improving compliance through both incremental and innovative technological and process improvements. Most smaller businesses and many charities tend to score around the 1 mark, where they are reacting in an ad-hoc way to events, but many companies can easily score higher.
Specific scores for data protection, privacy and data security are included in RADAR™ reports, with areas colour-coded red, amber or green depending on the risks identified.
Data security (Principle 7 of the DPA) is given very specific focus as this is the area where most organisations are at greatest risk.
Risks identified by the review are then assessed in terms of their likelihood and impact, and an action plan to tackle them is presented for the client’s consideration. As data protection and security are an ongoing process, this might typically involve training, policy creation, formal risk assessment, seeding, mystery shopping and an annual re-assessment.
Risk, of course, is not new in the insurance world. But what is fast becoming a new trend is to insure against some of the data risks outlined above. Some of the larger insurers have now developed specific cyber and data security insurance cover. James Tuplin, QBE’s portfolio manager for technology, media and telecoms (which includes cyber-security), has been developing insurance products that cover organisations for cyber and data security threats.
“Essential cover provides, for example, crisis management with a 24-hour hotline to assist in controlling a security event via forensics teams, to work out what has happened and to rectify the issue, and a PR response, to reduce reputational damage,” explains Tuplin. “Any damage caused to underlying systems can also be covered, as can the notification cost to those impacted by the breach, credit monitoring for those affected where necessary and the costs of setting up a call centre to respond to concerned customers, together with the cost of the fine (where insurable) and lost profits caused by the business interruption of a security event taking out your network. Even cyber-extortion and claiming against dishonest and disgruntled employees can be covered.”
The good news for organisations that have taken the issue of data protection and security seriously is that some insurance companies will offer discounted premiums. QBE, for example, has recognised that companies which are aiming to de-risk their data in the above way should benefit. Companies which have been through the DataIQ RADAR™ assessment, for example, could benefit from anything up to 25 per cent off the cost of their policy, as a good DataIQ RADAR™ score demonstrates that they have taken the de-risking of data theft, loss and misuse seriously.
The moral of the story, of course, is that organisations must put more value on the data they have and consider ways to de-risk the data to keep data breaches off the risk register. None of this is foolproof, though, as hackers will always be after the next big challenge and we, the humble employees, will still be people who make mistakes. So insuring against them is good common sense.