Business Technology

Which data leak outcome is worse: Reputational damage or a regulator’s fine?

6 min read

20 August 2018

ASG Technologies' Jesse Canada explores the reputational damage that a data leak can cause – and the ways bosses can protect their brands.

Today’s leaders have a huge task on their hands with the sheer volume of work needed to demonstrate compliance. Unfortunately, there’s no one-size-fits-all approach. Each regulation has a different focus, with different rules aligned to its individual purpose – sometimes with conflicting requirements.

For example, financial institutions must comply with anti-money laundering (AML) and fraud regulations involving strict controls on transaction reporting. Yet AML compliance must be in line with GDPR which focuses on the capture, using, securing and discarding of customer personal data.

Yet while ticking the boxes for compliance, it’s easy to lose sight of the ultimate purpose of these regulations – to ensure data is reported accurately, protected from inappropriate use and to identify possible illegal activities.

Unfortunately, many bosses first find out that they are not adequately managing and/ or protecting their data before a visit from the regulators – rather when they experience a data breach.

The impact of a data leak

Instead of waiting two years after a breach, as had seemed an uncomfortable norm, under GDPR, companies now have only 72 hours to report the event to the affected individuals. You must report to supervisory authorities as soon as you know a breach has occurred.

This three-day turnaround means businesses must be much more on the ball in terms of knowledge of data inventory and security systems.

Between 2013-2014, almost 3 billion Yahoo! user accounts were affected in a hacking attack, making it the largest data breach in history and yet, it took over two yearsto report the incident. The impact of the breach was significant reputation-wise, costing the company real money.

This year’s Facebook/ Cambridge Analytics scandal shows the potential damage when the use of data cascades out of control. It involves the unauthorised use of personally identifiable information of up to 87 million Facebook users. While the data was harvested through permissions given by a third-party, questions were raised about how the data was provided to Cambridge Analytica and what rights it had to use it.

Facebook’s share price dropped 8.5% and polls showed a 66% drop in consumer confidence in Mark Zuckerberg, who was subjected to US Congressional and EU scrutiny. He agreed to a wide range of changes to Facebook policies and practices. Just 28% of the Facebook users surveyed after Zuckerberg’s testimony believed the company is committed to privacy, down from a high of 79% just last year .

The lesson is that the entire extended data supply chain must be carefully managed. An organisation must know the location of the data, if it has the right to use it, afford the requisite level of protection, be immediately aware when it has been breached and know the population of individuals affected.

It must also know where its data flows and track it to ensure it is not subjected to improper or disallowed use.

Fines are typically a one-time event – and a successful company can often quickly recover from the financial setback. Reputational damage is different, since it has significant public exposure. Customers can lose their trust in a brand as a result as well.

Of course, trying to understand the complex nature of how data travels across an organisation’s diverse number of platforms, and how data interacts with third-party web services and APIs can be an overwhelming task. The process is necessary in order to put in place the basic recording, inventorying and reporting processes in order to maintain compliance over time.

Technology is not only helpful in this process – it is essential. Automated discovery and data lineage creates and maintains transparency into processes and the data being managed. Reporting supports an “audit ready” position so supervisory authority inquiries can be answered without a fire drill while data intelligence change detection prevents new problems from sneaking in.

Many companies are finding that a data catalog will ensure that any user can easily access and use data as needed. A software-driven or intelligent data catalog can locate even the most complex data within a data estate, ready for analysis and decision making.

Technology solutions such as data intelligence can go a long way to providing peace of mind. Out of the box reports assist with GDPR compliance, offering a GDPR inventory dashboard and a set of reports summarising Privacy Impact Assessments (PIAs). These and process maps that show how protected data moves through the organisation are critical to data security and compliance.

These can show where data is vulnerable and if and how it moves to outside processors or outside protected areas. The company will need to record that protections are in place through model agreements and binding corporate policies.

Today’s cyber criminals appear to always be one step ahead and will exploit any vulnerability. If an organisation believes it is watertight, it is inevitably being complacent. However, it is vital to reduce risk as far as possible and this is only possible with a complete awareness of the data journey.

Jesse Canada is enterprise data management lead at ASG Technologies.