Data breaches in the financial sector – what constitutes a breach and when do you need to report it? Posted by Mike on 13 October 2017

Data breaches in the financial sector – what constitutes a breach and when do you need to report it?

If the news that Equifax Chairman and Chief Executive, Robert Smith, has stepped down following a data breach has caused you to consider your company’s exposure, read on for guidance on what constitutes a breach and what you can do to take steps to mitigate this risk.

Whilst the financial sector is no different to other sectors in its requirement to adhere to legislation, the industry tends to have much heftier fines from the financial regulators, which means that data breach management is critical to prevent a wider gamut of regulators descending. A classic example of this came about because the shredder didn’t work. It involved a well-known financial retail bank in London, who threw volumes of personal financial records of high net worth individuals into a bin, which was duly intercepted by a journalist. This resulted in hefty fines from the financial regulator, alongside a full audit and enforcement notices from the ICO. Quite a heavy price to pay for office equipment failure.

The resultant action from the regulator varies, from a slap on the wrist to enforcement notices and fines. It boils down to the scale and severity of the breach as well as how maturely you dealt with it, so having the correct processes in place can make all the difference.

What is a breach and when should it be reported?

With growing amounts of data being collected every day, and increasing efforts from nefarious sources to destroy people’s rights to privacy, it is important that all employees are completely clear on when and what to report as a breach. Under the Data Protection Act there is no requirement to report a breach, although the ICO recommends you do, whereas under PECR (Privacy and Electronic Communications Regulations) organisations who provide a service allowing members of the public to send electronic messages (eg telecoms providers or internet service providers) are required to notify if a personal data breach has occurred. This will change again with the introduction of the GDPR, so you and your team will need to be clear on what constitutes a breach in the eyes of the regulator, and be sure that protocols are in place to ensure reporting times are adhered to.

A security breach can be considered any incident that results in unauthorised access of data, applications, services, networks and/or devices by bypassing their underlying security mechanisms. Whilst they do occur when an individual or an application has the opportunity to illegitimately enter a private, confidential or unauthorised logical IT perimeter, not all data losses occur in cyber-space and can be the result of simply allowing an unauthorised person to gain access to private data which has not been appropriated and responsibly handled. Some breaches can have no consequences at all, whereas others can be devastating to businesses, relationships and personal privacy.

How is a data leak identified?

In the case of cyber-security breaches, these are typically identified and mitigated by a software or hardware firewall/Intrusion Detection System (IDS). If an intrusion, abnormality or violation is detected, the firewall/IDS issues a notification to the network or security administrator.

In the case of non-cyber breaches, these can be a lot harder to identify not least of all because they typically result from human error, something we aren’t always so keen to own up to. If an employee leaves a USB stick in a public computer or doesn’t delete a stored file from a shared printer, they might hope that nothing will come of it and just keep quiet. Having protocols that accept human error and yet still prioritise the importance of privacy are highly important.

Clearly there are ever increasing concerns with regards to hacking attempts, however, it remains the case that the vast majority of data losses are caused by staff. It is hard to put a definite figure on it, because of the lack of reporting, but it is estimated that at least 80% of data breaches are considered to be ‘intentional non-malicious’. In other words, an innocent action resulting in the loss of data. A corporate air of blame-seeking and finger-pointing will only help to put the pressure on the unfortunate employee to keep their secret quiet, and leave the company vulnerable under the reporting requirements.

Systems for flagging up a data leak

As data protection specialists with many years’ experience, one of the most common examples of human error we’ve seen is using auto complete in Outlook, where the sender inadvertently ends up emailing a spreadsheet containing thousands of records of employee data to the wrong person. We have seen this happen so many times. So simple, and yet so potentially damaging.

A company should have in place a sympathetic but comprehensive response plan. Staff need to feel confident that they can raise an alert when a breach has occurred, and the organisation in turn needs to be able to demonstrably react positively, quickly and decisively. Documenting the response is critical as well is ensuring there is a system for putting in place appropriate learnings.

How to keep safe

With cyber-attacks, there is a wide range of technical solutions available, from standard anti-virus software through to complex Intrusion Detection Systems, to detect hacks and external attacks, and for internal breaches, Data Loss Prevention software is important. Whilst a technical response is important, we would strongly recommend that training is extended to all staff to get them thinking

Contact us on 0207 936 9442 or info@sytorus.co.uk to ensure that your current approach is robust enough to secure you, your company and your customers.