21st November 2018

Internet Security – Part 4: Placing responsibility where it belongs

Corporate and Board responsibility

Credit Agricole is far from unique in its implementation of on-line security measures that are inadequate by any reasonable assessment. While discussing why breaches occur I suggested that a crude, cold-hearted financial motive lies behind most of the data loss and fraud that occurs on the web.

Simply stated, it is cheaper for an organisation to ignore data security than to incur the costs associated with locking the doors and windows to keep it safe. As episode after episode has shown, even the most massive (and, on a personal level, catastrophically harmful) data breaches that have occurred (e.g. Yahoo, Facebook) result in fines that are derisory in comparison to the scale of the companies’ profits. As for civil or criminal prosecution of the companies or their directors for their dereliction of duty – forget it. The legislation isn’t there to support such prosecutions.

OR … it wasn’t.

On 23rd May 2018 a change occurred that has massive ramifications for companies that hold and process personal data. That was the date that the EU’s GDPR (“General Data Protection Regulations”) came into force. Finally, legislation with real teeth exists. Companies that allow or enable data breaches similar to those I have described or companies like Credit Agricole that employ inadequate security and inevitably enable personal data loss can now be fined the larger of 20 million euros or 4% of their worldwide turnover (not profit, their income before expenses).

Companies must now look hard at how they protect their customers from data breaches. The old risk-benefit ratios (which determined it was cheaper to let data be lost and pay for any clean-up afterwards) are replaced by the potential of fines that can do material damage to the bottom line of any organisation – perhaps even do existential damage to (i.e. put out of business) the worst offenders.

It is early days with GDPR. The big tech companies who gain most from harvesting and combining personal data fought hard to stop the legislation coming into being – and failed. So far most have responded to the data privacy requirements of the legislation – in most cases by amending privacy and cookies policies and, in some cases, providing some description and control over how personal data can be harvested and used by the sites. I see this as just a misguided attempt by companies whose business model relies on the abuse of customer data. It will be interesting to see what happens the first time a Facebook or a Google is confronted by a complaint of data breach – and faces fines on a scale never before seen. Watch this space with interest.

The situation for companies that have grown up in an environment that allows them to abuse the Internet and its citizens, in a fashion akin to the way outlaws in the old Wild West used to terrorise and abuse the citizens of remote towns and communities, is changing as users and governments begin to realise the scale of privacy invasion and personal harm that is being perpetrated. Because worse (for those companies) is yet to come. GDPR is only a part of something called the European Data Privacy Framework and, while the details of this legislation have yet to be finally agreed, the legislation is likely to come into force in late 2019. At which point the tables should really be turned, and I expect that both companies and the directors who control them will face criminal penalties of sufficient magnitude to make even the most adventurous and care-free among them think twice about their attitude to keeping the doors and windows locked shut.