Duty of Care: Why Business Must Take Compliance Seriously
In every attack, no matter how big or public, the bottom line is always the same - cyber security threats can have a devastating effect on brand image, share price and customer retention. Organizations of all sizes can be subject to huge penalties for not being in control of these cyber threats. The Information Commissioner’s Office (ICO) in the UK can impose fines of up to £500,000 if it finds that data has not been stored securely, and it does not discriminate by the size of the organization, simply by the type of information lost.
January 28th each year is Data Privacy Day, celebrated across Europe and in the US and Canada. It aims both to raise awareness among consumers about how their personal data is used and to ask businesses to ensure this data is stored and protected appropriately. Giovanni Buttarelli, the newly appointed European Data Protection Supervisor, has said that, “The EU has to make existing data protection rights more effective in practice, and to allow citizens to more easily exercise their rights at a time when we all run our entire lives with our smartphones.”
Worryingly, 2014 saw a record number of data breaches, but have we learnt from these incidents? A story that illustrates the sizeable penalties associated with data breaches is the case of the UK’s Ministry for Justice, a UK Governmental department dealing with policing and the court system, as well as the prison and probation service. The organization was left reeling when the ICO handed it a £180,000 fine for ‘serious failing’ in the handling of confidential data after an unencrypted hard drive containing the details of almost 3,000 prisoners was lost. The UK is not alone in having the powers to hand out hefty fines. The French Data Protection Act stipulates that for data protection offences organizations can be fined a maximum of €150,000 for a first breach, with repeat offending businesses fined up to €300,000.
Risking More than your Revenue
In fact, the practice of imposing financial penalties for data breaches is widespread across Europe and the rest of the world – Austria, Germany, Ireland, Canada and Italy can also hand out large fines. An exception is the USA, which does not have a comprehensive federal law on data breaches, though federal regulators can still impose penalties for a lack of data compliance, as in the case where Idaho State University agreed to pay $400,000 after leaving patient data insecure for over 10 months.
There is huge variation between markets, industries and regions around accreditation, which can make the process more confusing. Of course there are some global standards, including the recent Binding Corporate Rules (BCR) Certification – a standard designed to allow multinational companies to transfer personal data outside of the EU while remaining in compliance with all local data protection regulations. Atos is the first IT company to achieve the certification, granted by all of Europe’s data protection authorities.
Recommended spending on cyber security also varies across sectors – though, as a rule of thumb, most CIOs would be advised to spend at least 6.1 per cent of their IT budget on simply securing their IT estate.
In the next blog post we’ll be exploring some of the basic building blocks for achieving data compliance. In the meantime, you can read more about some of the most common cyber-threats and the areas your business must protect here.