The story of Tesco Bank suffering a data breach that exposed 20,000 of its customers’ accounts to theft is a perfect illustration of a headline-grabbing crisis that can severely damage brand image, and probably comes close to being every CEO’s worst nightmare.
From such serious reputational damage to punitive fines, the pressure to protect customers is increasing from all sides.
Yet, some organisations are still resistant, whether through reluctance to invest in something that doesn’t directly generate revenue, or sometimes simply because of inertia. So, which are the factors that finally drive directors to take action?
If reputational damage doesn’t top the list, organisations could easily assume that financial losses play the biggest part in a business’s decision to bolster data security.
A staggering £399.5 million was lost due to fraud in the first half of 2016 in relation to payment cards, remote banking and cheques. What’s more, this represented an increase of 25% from the same period in 2015, when the figure was £320.3 million.
It’s all about the rules
But according to a recent report, neither of these scenarios is the leading reason that drives organisations to invest in security measures.
A survey of 126 large companies (those with more than 2,000 employees) has shown that the number one motivator for the people in charge of protecting sensitive information is in fact regulatory compliance.
The study indicated, moreover, that the importance of regulations had increased nine-fold in just over two years.
The regulations that drive businesses to act cover a wide spectrum. From the Health Insurance Portability and Accountability Act (HIPAA) regulations in the US to the Financial Conduct Authority (FCA) in the UK or the Payment Card Industry Data Security Standard (PCI DSS) worldwide, every sector has its own regulator, with varying degrees of power.
One that every organisation should take heed of, however, is the European Union’s new General Data Protection Regulation (EU GDPR).
The EU GDPR is almost upon us
The biggest, and some would say most intimidating, regulation on the horizon is the EU GDPR. After four years of discussions and debates, the new legislation has been signed and sealed and will officially be delivered in 2018.
This regulation, which is unlikely to be toned down by Brexit, will issue severe penalties on organisations that fail to protect customer data. A breach could result in a fine of €20 million or 4% of annual turnover, whichever is higher.
Similar fines will come into force for neglecting to report a data breach to the relevant Data Protection Authority (DPA) within 72 hours. One estimate suggests that the aforementioned Tesco Bank breach would have cost the company £1.94 billion in fines had the EU GDPR already been in effect.
With this staggering figure out in the public domain, company boards would do well to take notice and start planning now for how they will adhere to the latest data regulation.
To further concentrate the minds of business leaders, the UK Information Commissioner’s Office recently recommended that company directors be held personally liable for data breaches.
Doing the right thing
In the world of global business, where short-term profit is highly valued, perhaps we should not be surprised that many organisations will not take action until they are forced to do so by regulators.
But common sense tells us that the more enlightened will be aware that there is a bigger picture. A financially damaging, one-time penalty is a terrible thing, but long-term distrust and ill will among your customer base could be fatal.
Legislation should be regarded not as a stick to beat companies into compliance, but as a framework upon which to base a full data security strategy, so that when your company is targeted by fraudsters, as it almost inevitably will be, you have the processes in place to withstand it.
Don’t wait until a new regulation forces you into action; sort out your security measures now. You owe it to your customers – and to your employees – to protect the data you handle.
Sourced by Tim Critchley, CEO, Semafone