Making the most of your (next) data breach: part one

That was three years ago. Whilst CEOs are undoubtedly more aware of the risks now, how many have employees who still play fast and loose with customers’ personal data, and how many senior managers have that sort of control over their employees’ practices?
 
Although much may have been invested to protect digital estates, many senior executives are unsure what personal data they retain, where, how well protected it is, who has access to it and, in an age of collaborative commerce, lengthening supply chains and ecosystem delivery, precisely who is accountable for what.
 
Some still rely on averages (It won’t happen on my watch) and apathy (Everybody loses a little once in a while) to get them through any choppy water, should incidents occur and reach the public domain. But if you rely on crisis communications as your main defence (We are investigating an incident we can’t comment on now; meanwhile the launch of x has delivered stunning figures…), then there may be trouble ahead.
 
With increasing transparency, tougher penalties, ongoing Press interest and the rise of socially-savvy, digitally-literate citizens and consumers, a casual approach to privacy has to change.
 
New EU legislation in the form of the Network Information Security (NIS) Directive and the General Data Protection Regulation (GDPR) - both due this year - will mandate the disclosure of breaches. Freedom of Information will facilitate visibility through regulator openness on reported breaches. Press scrutiny will compare performance, and data portability will ease the transition of concerned consumers from one supplier to another - and many more can be expected to vote with their digital feet.
 
Even the best defences will succumb to attack sometimes. This is as much due to human fallibility - simple error and misplaced trust - as it is to the asymmetry of security; the defender needs to protect perfectly on all fronts whilst the attacker needs to find only one chink in the armour.
 
So how do you reduce the negative impact of any incident and make sure you ‘don’t waste a crisis’, should one occur?
 
Nick Rhodes, Business Solutions Privacy Lead 27 June 2016