“Privacy is not an option, and it shouldn’t be the price we accept for just getting on the Internet”
– Gary Kovacs
Many people have grown accustomed to disclosing personal identification information during an ordinary personal or business transaction. This ranges from sharing bank account numbers, loan account numbers and credit/debit card details, to providing non-financial personally identifiable information such as name, e-mail address, phone number and address, to identification details like PAN, Social Security Number, Aadhaar Number or driver’s licence number. In a nutshell, the finance, capital markets and insurance sectors in particular hold and handle a large amount of personally identifiable information every day (1). This data also spans Public Data, Internal-Only Data, Confidential Data and Restricted Data (2).
Companies are increasingly focused on improving their data protection programs owing to the surge in data breaches, data theft, identity theft and the related growth in fraud across industries. Data breaches are a threat in every industry; but, because of the intrinsic value of the underlying data, the financial services sector is a primary target of fraudsters (1).
At present, India has no dedicated data privacy law governing data protection or privacy. The laws in India that currently deal with data protection are the Information Technology Act, 2000, and the (Indian) Contract Act, 1872.
Data privacy refers to how a piece of information, or data, should be handled according to its value. For example, you probably wouldn’t mind sharing your name with a stranger when introducing yourself, but there is information you wouldn’t share until you had gotten to know that person better. When you open a new bank account, though, you will almost certainly be asked to reveal a great deal of personal information, well beyond your name.
In the modern age we commonly extend the principle of data protection to sensitive personal information, also known as Personally Identifiable Information (PII), and to Personal Health Information (PHI). For a business, data privacy extends beyond the PII of its employees and customers. It also covers data that supports the company’s operations, such as proprietary research and development data, or financial data that shows how the company spends and invests its funds. Data privacy risk management is important for an organization in order to protect its customers’ information and to earn and keep their trust.
Bad things can happen when data that should be kept private falls into the wrong hands. A data breach at a government agency, for example, might give a hostile state access to highly protected classified information. A data breach at a company may place confidential information in the hands of a competitor. A school security breach could place students’ personal information in the possession of criminals who could use it to commit identity theft. PHI can fall into the wrong hands if a hospital or doctor’s office suffers a data breach (3). Data privacy therefore matters because it keeps your personal information out of the wrong hands.
Although businesses rely increasingly on consumer data, corporations have little understanding of the implications of such data use and little idea how to avoid its negative consequences. Customers’ fears of vulnerability may be heightened, or actual vulnerability may be created, as a result of data protection efforts. According to studies, data management activities that are transparent and controlled reduce the negative effects of consumer data vulnerability. Experiments show that merely having access to personal data increases feelings of abuse and decreases confidence (4).
Maintaining the confidentiality of sensitive customer data has become critical for any company that collects or stores personally identifiable information. Names, addresses and social security numbers are examples of sensitive data, whereas credit card, debit card and bank account numbers are examples of critical, financially sensitive data.
In its regular business transactions, the financial services sector handles a large amount of sensitive corporate and customer data. Because of the perceived value of this information, the sector is one of the most common targets for data breaches.
The major industry groups, by percentage of breach events in 2010, were (1):
- Hospitality: 40%
- Retail: 25%
- Financial Services: 22%
- Government: 4%
- Manufacturing: 2%
- Tech Services: 2%
- Business Services: 1%
- Healthcare: 1%
- Media: Less than 1%
- Transportation: Less than 1%
- Miscellaneous: 2%
As the data show, in 2010 the hospitality, retail and financial services industries were among those most heavily affected by data breaches. These three verticals accounted for nearly 87 percent of all data breach cases reported in 2010, with financial services accounting for nearly 22 percent of all breach cases reported across industries. On the bright side for the financial services sector, this 22 percent marks a decrease from the previous year’s 33 percent. The decline in 2010 is most likely due to recent arrests and convictions following large-scale intrusions into the financial services industry, which has contributed to a greater emphasis on less reactive targets such as retail and hospitality.
The quantity of data breached is another way to measure a breach. Financial services accounted for nearly 35% of all records breached in 2010. Even by this metric, 2010 was a reasonably good year for the financial services sector, given its historical average of 90% or more. The absence of large-scale mega breaches in the financial services sector in 2010 explains this decrease (1).
The Enterprise Risk Management (ERM) team collaborates closely with the Information Security team when assessing risk to ensure that all departments are assessing and classifying risk from the same perspective. ERM assigns a ranking to each organizational function’s risks to better evaluate, analyze, and manage them. These risks, as well as the risk categories that they correspond to, have been internationally aligned.
In recent years, Information Security has collaborated with Legal and ERM to create a collection of policies based on universal standards from the International Organisation for Standardisation (ISO). Three policies were established as a result of this process:
- Partnership Policy on Global Data Protection and Privacy: This policy establishes an overarching framework for global data protection and privacy, documenting the data protection and privacy principles and policies necessary to ensure consistency, compliance with applicable data protection/data privacy law, good practice, the protection of Personally Identifiable Information (PII) and the reduction of regulatory risk. It is the overarching policy on which all other data security and privacy policies are based.
- Partnership Policy on Information Security: This policy establishes an overarching structure for information security, laying out the information security principles and policies necessary to protect the property, information, data and IT services within the company or organization. It is the policy under which all other technical and security measures are subsumed.
- Management Policy on Information Security: This policy focuses on global information security roles, challenges and problems. It is backed by and aligned with the board-approved Partnership Policy on Information Security. Offices may add more detail or make policies stricter, but they must meet the policy’s minimum requirements. The next step is to align existing policies with this one.
A Global Data Protection and Privacy Management Policy, as well as a set of Data Protection and Privacy Security Standards, have been drafted and are under continuous review. These practices are a good start and should be followed by all offices.
Modus Operandi for Enforcement of the Policies: Although developing policies is critical, enforcing them is often the harder task. Staff training for Information Security Awareness is one of the current approaches. It is intended to prepare employees to take responsibility for protecting organizational data and information from unauthorized users, to recognize possible security threats, and to report incidents immediately. The lessons are reinforced with online instruction, learning reinforcements and phishing tests. Staff training for global data protection and privacy is currently being developed (5).
The most common practices, and the checklist that companies and firms alike generally follow, include:
- Developing a Compliance Strategy: Without a strong overall enforcement plan, no company can expect to achieve anything. This approach must be systematic, observable and integrated, with data privacy enforcement at its heart. A data management strategy is normally developed from a high-level set of principles that will be followed, along with the necessary documentation. It must also specify the safeguards required for the protection of personal data.
- Hiring Subject Matter Experts in Compliance: It is almost impossible to keep track of all the requirements that must be met when there are so many. That is why experts in the GDPR (General Data Protection Regulation) and HIPAA (Health Insurance Portability and Accountability Act) are trained. These data breach experts are also known as subject matter experts (SMEs), and you can recruit or train one whose sole responsibility is to establish legally compliant policies and procedures. Hiring a dedicated SME who can manage these matters with their data privacy risk management skills gives you assurance that you will remain compliant with regulations.
- Making an Inventory of All Sensitive Information: Personal data must be correctly tagged and inventoried as soon as it is obtained. The organization must also have a system for tracking all of its data, making it easier to find and protect. All of this must be done in compliance with legal and prescribed guidelines.
- Establishing Policies and Procedures for Data Protection: Organizations subject to data privacy legislation must use physical, technical and administrative safeguards to ensure data integrity, confidentiality and availability. These safeguards must be capable of detecting and preventing unauthorized data access. It is also important to actively monitor, evaluate and upgrade information security so that emerging threats are adequately addressed.
- Having a Response Plan in Place for Dealing with Breaches: Even if a company follows every security procedure, its systems will never be entirely safe from data breaches and cyber-attacks. Every company should therefore have a data breach response plan and a data management strategy in place, along with employees who have been trained in how to use them.
- Saving and Backing Up Documentation: All enforcement procedures and plans must be well documented. It is critical to have a strong content management system in place to keep this documentation accessible. The company or organization can also appoint someone to oversee the management of these records.
- Being Ready to Furnish Proof of Compliance: It is not enough for the company and its staff to know that the organization is committed to data privacy. It must also be able to provide evidence of compliance in response to both internal and external inquiries. Making this proof freely available and conveniently accessible, in paper and report form, to anyone who wants to see it demonstrates the commitment to data privacy. The organization also needs an escalation strategy and a defined mechanism for reporting non-compliance. Continuous compliance must be demonstrated through audits, inspections and the use of controls (6).
People all over the world fear breaches of data privacy, and that fear is legitimate. Such events often lead to negative and harmful consequences and make people lose faith in an organization or company. This is especially true when customers entrust the organization with highly confidential information: if the organization betrays that trust, the business will soon cease to exist. If, however, it religiously follows data privacy regulations, it will not only protect the business and its reputation but will also avoid some hefty penalties.
- Martin KD, Borah A, Palmatier RW. Data Privacy: Effects on Customer and Firm Performance. Journal of Marketing. 2017;81(1):36–58.
Blog published by: Ryan Varghese Mathew, Student Risk Committee Member