When a Regulators’ Visit Can Be the Least of Your Worries

Tuesday, August 28, 2018

Jesse Canada


Companies today face a huge task in handling the sheer volume of red tape required to demonstrate compliance. Such is the global nature of today’s regulations that most organisations must adhere to them even if they are not physically present in the markets covered. This exposes them to greater compliance risk than ever before.

What makes regulatory compliance even more complex is that there is no ‘one-size-fits-all’. Each regulation has a different focus, with different rules aligned to its individual purpose, sometimes with conflicting requirements. For example, financial institutions must comply with anti-money laundering (AML) and fraud regulations that impose strict controls on transaction reporting. Yet AML compliance must also be in line with GDPR, which focuses on the capture, use, securing and discarding of customer personal data.

However, leaving the question of fines for non-compliance aside for a moment, the ultimate purpose of these regulations is not to increase workload, but to assure that data is reported accurately, to protect it from inappropriate use and to identify possible illegal activities. Unfortunately, many companies first find out that they are not adequately managing and/or protecting their data not during a visit from the regulators, but when they experience a data breach.

The impact of a data leak

The time period for businesses to disclose a data breach has been squeezed thanks to GDPR. Instead of waiting until two years after a breach, as had seemed an uncomfortable norm, under GDPR companies now have only 72 hours to report the event to the affected individuals (they must report to supervisory authorities as soon as they know a breach has occurred). This three-day turnaround means businesses must be much more on the ball in terms of knowledge of their data inventory and security systems.

When data leaks occur without public disclosure, severe financial and reputational consequences can follow when the breach is finally disclosed, and it always is. Take, for example, the Yahoo breach and the Facebook/Cambridge Analytica debacle, which, while not a breach, involved questionable handling of private data.

Between 2013 and 2014, almost three billion Yahoo user accounts were affected in a hacking attack, making it the largest data breach in history. And yet, it took over two years for the Internet firm to divulge the occurrence. The impact of the breach on Yahoo’s reputation was significant, costing the company real money. Not only did it face a $23 million fine by the SEC, but the incident also threatened its acquisition by Verizon, which cut the deal by $350 million.

While Yahoo’s data breach was caused by security flaws, this year’s Facebook/Cambridge Analytica scandal shows the potential damage when the use of data cascades out of control. While a complicated story, it involves the unauthorised use of personally identifiable information of up to 87 million Facebook users. Although the data was harvested through permissions granted to a third-party quiz, questions were raised about how the data was provided to Cambridge Analytica and what rights it had to use it.

Facebook’s share price dropped 8.5% and, more importantly, polls showed a 66% drop in consumer confidence in Mark Zuckerberg, who was subjected to US Congressional and EU scrutiny and agreed to a wide range of changes to Facebook policies and practices. Just 28% of the Facebook users surveyed after Zuckerberg’s testimony believed the company is committed to privacy, down from a high of 79% just last year.

The lesson is that the entire extended data supply chain must be carefully managed. An organisation must know the location of its data, whether it has the right to use it, afford the requisite level of protection, be immediately aware when it has been breached and know the population of individuals affected. The institution must also know where its data flows and track it to ensure it is not subjected to improper or disallowed use. If an organisation fails to manage its data along this complete journey, the regulators will be the least of its worries.

Fines are, after all, typically a one-time event – and a successful company can often quickly recover from the financial setback. Reputational damage is different, since it has significant public exposure; especially when customers lose their trust in a brand, the result is a long-run financial impact on the company – not just directly through loss of business, but also through a drop in market value.

Businesses, large and small, are the custodians of customer data, not the owners. GDPR clearly enforces that the individual owns their data and controls its use. This means businesses must look after what is only lent to them and treat it as carefully as any other corporate asset. In other words, they must keep it safe and secure. Just think: if you were the proprietor of a bank or vault, you would not let just anyone walk in. Instead, you’d have the proper security checks in place to make sure the right people get the right information. This same mindset must also be applied to data - whether that is transactional records or a customer’s personal information.

Of course, this is not a straightforward thing to do. Understanding the complex ways data travels across an organisation’s many platforms and services, moves outside the organisation, and interacts with third-party web services and APIs can be an overwhelming task. Yet the process is necessary in order to put in place the basic recording, inventorying and reporting processes needed to maintain compliance over time.

Technology is not only helpful in this process – it is essential to achieving and maintaining compliance. Automated discovery and data lineage create and maintain transparency into processes and the data being managed. Reporting supports an “audit ready” position so that supervisory authority inquiries can be answered without a fire drill, while data intelligence change detection prevents new problems from sneaking in.

Many companies are finding that a data catalog ensures that any user can easily access and use data as needed. A software-driven or intelligent data catalog can locate even the most complex data within a data estate, ready for analysis and decision making. This enables users to spot personal information amongst new data, and a data lineage version comparison alerts them to changes in how that personal data is handled.

What data a company chooses to collect, store and discard very much depends on the sector in which it operates. However, there are some steps that almost any company can take, such as capturing only the information directly related to your product or service and keeping it in a limited number of databases. It is also wise to scope out how much of the data needs to be safeguarded.

When it comes specifically to storing sensitive data, simple actions like avoiding generic passwords and applying guardrails are crucial. Where one is in place, the Data Protection Officer must oversee the process of reporting on personal data (or personally identifiable information) that shows which data an organisation is responsible for, including recording and classifying protected data in the glossary so that users know what they can and can’t do with it.

Technology solutions such as Data Intelligence can go a long way to providing peace of mind here. Intelligent Data Analysers examine data and metadata to promote comprehensive understanding, including detailed automated data lineage for insight at a deeper level. Out-of-the-box reports assist with GDPR compliance, offering a GDPR inventory dashboard and a set of reports summarising Privacy Impact Assessments (PIAs). These, together with process maps that show how protected data moves through the organisation, are critical to data security and compliance: they can show where data is vulnerable and whether and how it moves to outside processors or outside protected areas. The company will also need to record that protections are in place through model agreements and binding corporate policies.

Today’s reliance on data to fuel predictive analytics means businesses believe there is value in keeping data lakes for future business goals. However, on the whole, they need to become better at discarding what is not necessary, and GDPR helps by being very specific about when information is supposed to be deleted.

Data leaks, intentional or unintentional, happen. Whether they happen to a given organisation depends on how proficient the team is at reducing the risk. Failure to do so, as we’ve seen in this piece, means they may just find themselves having to prove to authorities what measures were taken to secure information and fend off the adverse side effects of data leaks, such as damage to customer loyalty and financial penalties.

About the author: Jesse Canada is an Enterprise Data Management practitioner with over 20 years in diversified financial services experience working with prestigious institutions (RBS, Citizens Bank, Citibank, and Bank of America), non-profits, and consulting services.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
