Will data regulation lead to increased security risks?

Far reaching and novel legislations such as the GDPR and the CCPA are reshaping not only the security landscape of businesses, but also the methodology and attitude companies must have to data collection.

Companies are at risk of many legal trap doors and obstacles that if they don’t hurdle could damage their reputation, their finances and their autonomy.

Added to this, the ever-present threat of cyber attacks and data breaches means that companies which use or collect data have been given new responsibilities over privacy and exposed to new risks, particularly repercussions if compliance standards are not met.

Privacy has become the key word for businesses, regulators and consumers.

However, with increasingly sophisticated, large and well-funded cyber hacking producing data breaches, only 25% of consumers believe most companies handle their personal data responsibly according to PwC research.

Data collection architecture was not initially designed with security and privacy in mind, and companies are only beginning to fully engage in digital transformation of the workforce meaning not only is security not fully ‘baked in’ to the system, but employees are not entirely educated on cyber security.

How can businesses navigate the increasingly complex EU compliance landscape?

The EU compliance landscape, sparked by GDPR, is increasingly complex. Here, we provide four strategies for navigating this environment. Read here

Compliance can reduce risks to businesses

Ian Raine, vice president of product management at iManage, believes compliance to new privacy regulations is crucial for companies that want to manage their security risk.

“Organisations that embrace the steps involved to become compliant with data protection and privacy laws such as the EU GDPR and California CCPA have already undertaken measures and are underway in their digital transformation projects,” he says.

“They will have had to understand what, where and how their data is stored, disposed of any that they no longer need, produce data maps and identify how data could be lost via a breach — either accidental or from an internal/external threat actor. Those with a compliant privacy stance are more likely therefore to be in a stronger position when it comes to managing security risk.”

Compliance with regulation gives companies protection both by digital infrastructural design, improving privacy and security, while also protecting companies from the excesses of penalties, fines and lawsuits that regulation enables.

Risks posed by disparity in regulations

There is a variety of security protocols adopted by different legislation. Michael Magrath, director of global regulations and standards at OneSpan, points out that the Australian Consumer Data Right does not use the security standard the GDPR uses.

“In the EU, the European Banking Association defined robust technical standards for authentication in Payment Service Directive 2 (PSD2). So robust that the “strong customer authentication” requirements were delayed throughout the EU due to a lack of readiness by merchants.

“The Australian Competition and Consumer Commission Regulators initially pursued PSD2’s strong customer authentication requirement for open banking but eased off. What’s striking is that the country’s open banking launch was delayed from February to July 2020 due to security concerns. A “head scratcher” is that despite security concerns, Paul Franklin, head of the Australian Competition and Consumer Commission’s Consumer Date Right (CDR) project, said screen scraping would remain in place while open banking matured.”

Franklin himself asserted: “I think it’s fair to say that screen scraping has inherent risks, even though there’s no demonstrable consumer detriment being observed in the market.”

Magrath explains: “Screen scraping is when an individual provides their login credentials to a third party fintech. PSD2 prohibits screen scraping and instead provides account access via dedicated APIs.”

Australia, therefore, has arguably got weaker security protocols than the EU and this discrepancy may have a number of effects on consumer data, as trends towards more personal identification security authorisation will be required.

Privacy regulators and the challenge of enforcement

Privacy regulators are in a very tricky position when it comes to enforcement, according to Tim Hickman, partner at White & Case LLP. Read here

More regulation to come

As organisations and regulators continue to respond to the problems of privacy and security, Magrath anticipates more guidelines that may be adopted, most probably by the EU.

“Earlier this month the international money laundering watchdog, the Financial Action Task Force published its latest guidance, Digital Identity, which provides details on how to apply a risk-based approach to using digital identity systems for customer identification and verification, including remote onboarding and authentication for transactions.”

According to FATF, “Reliable digital ID can make it easier, cheaper and more secure to identify individuals in the financial sector. It can also help with transaction monitoring requirements and minimise weaknesses in human control measures.

“The EU’s approach is designed to be more secure and as governments and regulators consider open banking, it is much expectation that most will closely follow the FATF guidance and require more identity verification, authentication and transaction risk analytics to assure consumer trust in the system.”

Could transparency reduce risks and increase rewards?

According to Gartner, brands that put in place user-level control of marketing data will reduce customer churn by 40% and increase lifetime value by 25% in 2023.

Companies should be working to increase transparency in their data collection activities. They can do this by ensuring they can explain why they collect and share specific data, prove that they have received permission from consumers and informed users what the data collection and rendering process entails.

All of this will reduce risks of consumer dissatisfaction, distrustful users and lawsuits launched by unhappy customers.