Why it will soon be mandatory for companies to report data breaches

By Mark Eggleton

When the US credit-reporting agency Equifax recently announced it had failed to disclose a cybersecurity breach in July which effectively revealed the personal details of over 140 million Americans, the reaction was strong.

Considering much of Equifax’s data is obtained from other financial institutions such as banks and credit card companies, many consumers wouldn’t have been aware they had shared their data, nor that it had been breached. 

This dissemination of personal consumer data that many financial institutions provide to credit reporting agencies, loyalty programs and even external software providers presents a real and present cybersecurity challenge to the whole finance sector. 

According to Kelly Henney, National Lead of KPMG’s Privacy team and Associate Director in their Risk Assurance division, the key for organisations is having a real understanding of how they collect, use and disclose their clients’ personal data. 

“They need to have a better understanding of the personal information lifecycle because (at present) many businesses underestimate how personal data moves around and potentially leaves their business. 

“The key is firstly understanding the data touch points and the channels the data enters organisation. Secondly, how is the data being used internally and thirdly, where does it leave?” 

Where are your servers?

Henney says business needs to recognise where all the data touchpoints are and where their servers or cloud backups sit.

The whereabouts of the servers and cloud backups are increasingly important as we see Australian data regularly being stored offshore in jurisdictions such as Malaysia, South Africa or the Philippines for example, who have different interpretations of data retention laws or may not have such laws in place.

One major reason companies need to better understand the risk profile associated with the retention of their customers’ personal data is the upcoming changes being made to the Australian Privacy Act.

The Notifiable Data Breaches Scheme (NDB Scheme) is being introduced, which comes into effect in February 2018, and the laws governing Europe’s General Data Protection Regulation (GDPR) comes into effect on May 25 next year.

In regard to the Privacy Act in Australia, the NDB Scheme will require certain organisations to report data breaches to the Office of the Australian Information Commissioner and potentially affected individuals. Failure to do so may pose significant reputational risks to the organisation involved.

With the introduction of the GDPR in Europe, there may be global ramifications for many Australian businesses and local outposts of European business. Henney says the GDPR includes mandatory reporting but goes much further.

“There is a question of how the GDPR will be enforced outside of the European jurisdiction, but the fines are rather heavy at two to four per cent of a company’s global annual turnover capped at 20 million Euro.

“At present, there is a lot of hype around becoming GDPR compliant and companies are needing to take a close look at their data flow,” Henney says.

Cyber security in Financial Services

For financial sector players, Henney suggests the need to be smarter with data is imperative.

“There has to be a huge focus on privacy awareness and ensuring employees (for example) only have access to data relevant to the needs of their role.

“Portability of data is an issue because you can’t have someone being able to simply download data onto a USB. So there is a real issue around rogue employees which goes beyond how data is shared with third parties.

“Companies need to realise their customer data is a valuable asset and one day may hit the balance sheet, so getting their houses in order may increase their workloads but ongoing monitoring and surveillance of how personal information is handled is imperative,” Henney concludes.

Kelly Henney will be speaking at the FSC Cyber Security Series in September. To register for this event, click here.