Data Protection Compliance Faces Increased Auditing
Europe, Middle East and Africa
The UK Information Commissioner’s Office (ICO) has released Highways Agency Data Protection Audit Report: Executive Summary (July 2011), finding that “arrangements for data protection compliance with regard to governance and controls provide a reasonable assurance that processes and procedures are in place and being adhered to”. Nonetheless, recommendations were made to improve aspects of compliance monitoring, controls of portable storage media, and management of electronic files.
Humans the ‘weak link’ in information security but aren’t trained
Conducted by Echelon One on behalf of Venafi, the 2011 IT Security Best Practices Assessment: Security and Compliance Best Practices & Rankings (undated) has revealed that 77% of respondents admitted they “failed to follow the best practice of performing quarterly security and compliance training for their employees”, despite the fact that humans are often the “weak link” in information security. Echelon One chief executive officer Bob West reportedly stated that companies too often turn to a technical solution rather than invest in education and awareness.
Related news item:
Infosecurity: Most organizations do not follow security best practices, survey finds (28 July 2011)
(Source: Venafi; Infosecurity)
Firms Focused on Saving Face, Unphased by Fines
PCWorld reports that a recent CyberSource and Trustwave survey has found that companies are less concerned about being fined for data breaches and more worried about reputational damage. The survey reportedly found that only 26% of respondents were motivated by fines for non-compliance, but 70% cited a need to “protect the brand”. According to PCWorld, damaged reputations can lead to increased costs like lost revenue, customer loyalty and lowered stock valuations.
Notwithstanding these potential costs, respondents were reportedly disinclined to “proactively invest in better information security technologies, or be more diligent about protecting the data they are entrusted with”, as the threats are not perceived as sufficiently significant. According to PCWorld, data security legislation and industry standards are necessary to address this dissonance by driving companies to adopt a compliance culture.
PCWorld: Businesses More Concerned With Reputation Than Fines (21 July 2011)
Annual Report Notes Value in Audits
Europe, Middle East and Africa
The Information Commissioner’s Office (ICO) has released Information Commissioner’s Annual Report and Financial Statements 2010/11: Information is the currency of democracy (5 July 2011). Information Commissioner Christopher Graham released the report with a recommendation that businesses “should be more willing to undergo data protection audits”, particularly given that the private sector accounted for more data security breaches in 2010-2011 than any other sector. Mr Graham also observed that private sector organisations are much less likely to agree to an audit than public sector counterparts (19% versus 71%). Mr Graham said that agreeing to an audit “should count as a badge of honour, showing that the business takes data security seriously”.
The Daily Mail reports that banks were the most commonly complained about group, although official statistics are likely to underestimate the problem as there is no obligation to report complaints to the ICO.
Further information from the ICO
ICO’s media release (6 July 2011)
Daily Mail: Banks face more privacy complaints from customers than any other group (7 July 2011)
(Source: ICO; Daily Mail)
Banks Reminded to Boost Online Security
Reuters reports that the Federal Financial Institutions Council (FFIC) has reminded banks to use more than one form of authentication for online consumers. FFIC reportedly warned that “[f]raudsters have continued to develop and deploy more sophisticated, effective and malicious methods to compromise authentication mechanisms and gain unauthorized access to customers’ online accounts”. The warning reportedly follows a number of high-profile hacks that have shut down a number of websites in recent weeks.
Reuters: U.S. urges banks to tighten online fraud protections (28 June 2011)