No one should question the importance of properly managing and protecting the data of your customers and employees. So why do regulators feel the need to point out the obvious? Probably because of the low priority such tasks are historically given.
As consumers become all too aware of the risks, will they consider the way companies value their privacy? Will they hesitate to hand over valuable information? Will they consider the positive steps you take, or leave in the event of a data breach?
We have become all too aware of the threats and their impact on our lives, with many Australians having to replace important identity documents to limit the ongoing risks that follow a compromise of their personal data. Fraudulent attempts to access private and personal data for financial or other advantage are a daily reality for many Australians. While technology has created many opportunities to improve products and services, the data those products and services depend on has become a critical risk for the companies that rely on it to execute and manage their business processes.
Many financial and insurance companies (particularly in health) need or create data that is very personal in nature. Being able to demonstrate that customers can trust them with that data is essential to their business. The impact on company valuations (for publicly listed companies) is all too visible, and a frequently cited figure puts around 60% of small companies hit by a data breach or cyber-attack out of business within six months. Larger companies are better able to contain the impact of these events, but still suffer significant losses in reputation and revenue, and customers leave.
With increased cyber threat activity, it is harder and harder to stay on top of everything. Human error, social engineering and sophisticated attacks are increasingly putting company, customer and employee data at risk. Being confident that you can avoid an incident is not enough. You also need a plan, and a clear understanding of how to respond to, inform and address the concerns of those who have trusted you with their data.
So, while it is essential to be aware of the relevant regulations in your industry and respond to them, it is probably more important to ask: "What if this happened to us? How can we mitigate the risk, and how should we respond in a way that shows we understand the trust our customers and employees place in us?" It is too late to start asking these questions after the fact; the plan needs to be in place beforehand.
Don't wait for the regulator to show your customers and employees how important your trust relationship with them really is. Maybe, just maybe, this will help you avoid becoming another statistic.
So what can you do?
Design products, processes and services to avoid the need for the data in the first place, and don't encourage bad behaviour: many banks still phone a customer and then ask that customer to prove their identity, which is exactly what a scammer does, and it trains customers to hand personal details to whoever calls. It is not just employees who need to understand the techniques fraudsters and criminals use, but also your customers. Training staff and validating their knowledge is relatively easy; supporting customers is best achieved through design and by establishing appropriate behaviour. When designing products and processes, ask yourself whether you really need personal data, or whether there is another way to achieve the objective.
Using design to mitigate risk is essential. Other techniques, such as transferring the risk (insurance), may protect your balance sheet, but they won't protect your customers or employees.
Start using design to reduce risks by:
- Adopting best practices for all your designs, and avoiding known anti-patterns
- Educating process and service designers so they understand the dangers and how to prevent them (design out risk and reinforce good customer behaviour)
- Reviewing current incidents and their causes, and understanding the common attack approaches
- Reviewing processes and customer touch points to prioritise and remediate where required (ask whether you really need all the data you collect, and if so, for what purpose and when it can be deleted)
What might once have been seen as an IT issue has clearly made it to the board room. Trying to understand and respond to the “clear and present threat” of cyber-attacks and data breaches really is keeping executives up at night.
Data Governance Councils are responsible for ensuring the appropriate controls are in place and that they are effective. Establishing a solid data governance framework and processes is essential to linking the data and process owners with clear roles and responsibilities. Note that with the complexity of the threat, it is a team sport; make sure you have appropriate representation from cyber (and physical) security, fraud, risk and audit. Depending on your organisational structure, these roles and responsibilities may differ, but the important thing is that the roles, responsibilities and relationships are defined and understood.
Start or enhance existing governance by:
- Educate senior executives, ensure they understand what is at stake, and ensure they are onboard; you will need their support.
- Ensure roles and responsibilities are clearly defined. Even in organisations with no formal data governance, there are informal policies and processes. Avoid confusion by establishing, documenting and agreeing on roles and responsibilities, especially where processes run across departments or capabilities overlap (for example, data governance includes responsibility for data quality, and data quality incidents may be evidence of fraud or present operational risks).
- Identify process and data owners that can define and own responsibility across the full data lifecycle for data collection, retention and disposal policies, processes, and controls.
- Meet regularly to ensure relevant issues and risks are clearly understood within the broader context of each specialist domain, including process and data owners. The focus should be on ensuring appropriate coverage, implementing and reviewing controls and addressing relevant issues by establishing project teams to action prioritised activities.
- Ensure items and actions from the reviews and meetings are acted upon and tracked. Knowing there’s an issue doesn’t help if you don’t move to remediate it.
Finally, if the worst does happen, you need to identify who was impacted and establish how to respond, how you can help protect your customers and employees and notify relevant authorities and regulators.
How do I start?
- Understand your regulatory obligations and how they might affect your customers or employees
- Identify and assign roles and responsibilities for acting on these obligations (to your customers, employees, and regulators)
- Define and implement processes to be able to identify, investigate and respond to incidents as they arise (i.e. who do you notify, when and how should you advise them to protect themselves)
- Create awareness of the company's responsibility to respond, and of the implications that incidents may have for customers and employees
What regulations may I need to consider?
Some relevant government legislation and regulatory bodies that issue advice and legal responsibilities to companies operating in Australia include:
- Privacy Act (currently under review, with significant changes recommended)
- Notifiable Data Breaches Scheme
- My Health Records Act
- Financial sector legislation and the regulators that administer it (APRA, ASIC, etc.)
- Telecommunications Act
- Spam Act
- Healthcare Records and Medical Privacy Laws (can differ from State to State)
Establishing a trusting relationship with your customers, and demonstrating your commitment to treating their data with the respect they expect, will most likely help you comply with regulations today and tomorrow.