
EU GDPR

deslyon blog post travel tips

It’s that time of year when people are packing those flip flops and shorts to enjoy their summer holidays or simply take time out of the office.

 

If you’re going abroad, then depending on where you go there are data protection laws you must comply with when collecting or processing (which includes simply accessing) personal data used in a commercial capacity, such as customer, employee or business partner emails. You don’t know who is monitoring the internet connection in the place you are staying. If you’re taking paper documents with you, how do you know who has access to your hotel room? What controls prevent access to the personal information on a portable device you’ve left in your hotel room whilst you were out on the beach?

 

If you’re checking emails and need to respond to one that cannot wait until you return, or is labelled “urgent”, and you’re doing so over free wifi, that poses a significant risk: open or shared networks can be monitored, or impersonated, by anyone in range, so anything your device sends over them without end-to-end encryption can be read or altered.

 

Even if you’re not checking emails, if you use your device for both work and personal purposes and a pop-up appears whilst you’re browsing (in a language you don’t recognise, but you feel compelled to click the green button or tick the box), that click could install malware. Malware can lie dormant for days or weeks and then activate once you’re back home, where it can affect your home network, or even the company network, and potentially give the attacker unrestricted access.

 

Techniques such as “phishing” are becoming increasingly common and even more sophisticated, so treat unexpected messages received whilst travelling with suspicion. Separately, customs or a government official may ask you to hand over your device for examination; in some countries they can require access to the device and its contents before they approve your entry.

 

So, what can you do to prevent a situation that might lead to a compromise of personal data whilst you’re on the beach supping that 6th/7th/8th (maybe you’ve lost count) Pina Colada? Here are a few tips to help you get started:

 

  1. The obvious advice is don’t take work devices with you if you don’t need to.
  2. If you do have to take the device, remove any information relating to work, and any personal data of employees, customers or business partners, before you travel (you can uninstall work applications and remove email accounts, then re-install them when you return).
  3. Do not open files or attachments from people you don’t know and do not click on links in emails from unknown senders.
  4. If you must have personal information, or records that include personal information, on your device whilst on holiday, complete a full backup and leave it somewhere safe (the office, perhaps) before you leave, in case the data is lost during your vacation.
  5. Depending on how sophisticated your IT infrastructure is, you may want to do your holiday browsing inside a virtual machine, which helps contain any malware or other problems within that environment rather than your main system (it is containment, not a guarantee).
  6. A password management policy should already be in place within your organisation. If it isn’t, change your passwords before you go on holiday and change them again, to new, unused passwords, when you return; do not switch back to the old ones.
  7. If you don’t need Bluetooth or wi-fi on, turn it off!

 

Martin de Bruin, CEO, suggests that you do not leave your device unattended at any time:

“Whilst the lure of another cocktail as you’re sat by the pool or sea running on ice-cubes and are in urgent need of a refill might seem appealing, keep your device with you! Also, if you lose your device or if it’s stolen you will need to report it immediately to your employer and company Data Protection Officer, stating exactly which customers’ information was accessible on the device and/or employees or business partners personal data as well. It may require a notification to the Information Commissioner’s Office or even to the users whose data has been affected.”

For further information or advice on creating and implementing appropriate policies around information security, data protection or device management for your organisation, contact info@deslyon.com today.

blog 2 out of 3 hotel websites leak data

Following the recent announcement that the UK Information Commissioner’s Office intends to fine the Marriott hotel group more than £99 million, a recent study by Symantec* shows some of the serious consequences that can result from unauthorised access to a booking, such as unauthorised cancellations and access to personally identifiable information including name, postal address and passport number.

 

The study tested multiple websites, including those of more than 1,500 hotels in 54 countries, and found that 67% of the sites inadvertently leak booking reference codes to third-party sites such as advertisers and analytics companies. All of the sites had a privacy policy, but none of them mentioned this behaviour explicitly.

 

Types of personal information leaked included data such as:

  • Full name
  • Email address
  • Postal address
  • Mobile phone number
  • Last 4 digits of credit card, card type and expiration date
  • Passport Number

 

The study suggests that the cause of these leaks is the confirmation email sent to the customer, which includes a link to the booking so that the user can go straight to their reservation without having to log in. Because the booking reference is carried in that link’s URL, the page built from it can pass the URL on: the browser sends it in the Referer header to the third-party scripts and trackers the page loads, and anyone else who obtains the link can open the reservation too.

 

Martin de Bruin, CEO of Deslyon comments:

“Whilst this is incredibly distressing, it isn’t really a surprise. What if the customer entered the wrong email address, and the booking confirmation was sent to someone else? The can of worms that could have been opened if the email address was shared by a couple!”

 

The study goes on to state that this information, which the browser passes on from the email confirmation link (typically in the Referer header of requests for embedded third-party content), can also be visible to unauthorised third parties such as well-known social networks, advertising networks and search engines. All it would take is a rogue employee at one of them using the information collected for their own purposes for a major incident to occur, one that could affect the rights and freedoms of the individual concerned.
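The leakage path described in the two paragraphs above (a booking reference in the confirmation link’s query string, forwarded by the browser in the Referer header to every third-party script and pixel the confirmation page loads) can be checked mechanically. The Node.js script below is an added example written for this post; it is not code from the Symantec study, and the hotel, analytics and advertising hostnames, the page HTML and the booking reference ABC123 are all constructed for it.

```javascript
// Added example (not from the Symantec study or the original post): how a booking
// reference carried in a confirmation-page URL reaches third-party resources through
// the Referer header, and which Referrer-Policy values stop it.
// All URLs, hostnames and the booking reference below are constructed for the example.

// A confirmation link of the kind described above: the booking reference (and here
// the guest's email) sits in the query string, so no login is needed to open it.
const CONFIRMATION_URL =
  'https://hotel.example/booking?ref=ABC123&email=guest%40example.com';

// Constructed HTML for that page: two third-party resources (an analytics tag and an
// advertising pixel) and two same-origin ones.
const CONFIRMATION_HTML = `
<html><head>
<script src="https://analytics.example-cdn.net/tag.js"></script>
<link rel="stylesheet" href="/static/site.css">
<script src="https://hotel.example/app.js"></script>
</head><body>
<img src="https://ads.example-adnet.com/pixel.gif?c=hotel" alt="">
</body></html>`;

// Referer value a browser sends with a request for `target` issued from `page`
// under a given Referrer-Policy. Implements the WHATWG referrer policies for the
// https -> https case only, so the "downgrade" branches never apply. The fragment
// and any credentials are always stripped, as the spec requires.
function refererFor(page, target, policy) {
  const p = new URL(page);
  const t = new URL(target);
  const fullUrl = p.origin + p.pathname + p.search;
  const originOnly = p.origin + '/';
  const sameOrigin = p.origin === t.origin;
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'same-origin':
      return sameOrigin ? fullUrl : null;
    case 'origin':
    case 'strict-origin':
      return originOnly;
    case 'origin-when-cross-origin':
    case 'strict-origin-when-cross-origin':
      return sameOrigin ? fullUrl : originOnly;
    case 'no-referrer-when-downgrade':
    case 'unsafe-url':
      return fullUrl;
    default:
      throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// Resource URLs in the page whose origin differs from the page's own.
// A regex over src/href attributes is enough for this check; it is not an HTML parser.
function thirdPartyResources(html, pageUrl) {
  const base = new URL(pageUrl);
  const found = [];
  const attr = /\b(?:src|href)=["']([^"']+)["']/g;
  let m;
  while ((m = attr.exec(html)) !== null) {
    const u = new URL(m[1], base);
    if (u.origin !== base.origin) found.push(u.href);
  }
  return found;
}

// Hosts that would receive the booking reference in the Referer header when the
// page is loaded under `policy`. `param` names the query parameter holding it.
function leakingHosts(pageUrl, html, policy, param = 'ref') {
  const value = new URL(pageUrl).searchParams.get(param);
  if (value === null) return []; // nothing in the query string to leak
  const needle = `${param}=${encodeURIComponent(value)}`;
  const hosts = [];
  for (const res of thirdPartyResources(html, pageUrl)) {
    const referer = refererFor(pageUrl, res, policy);
    if (referer !== null && referer.includes(needle)) hosts.push(new URL(res).host);
  }
  return hosts;
}

// Stand-alone run: compare the pre-2020 browser default with the current one.
for (const policy of ['no-referrer-when-downgrade', 'strict-origin-when-cross-origin']) {
  console.log(policy, '->', leakingHosts(CONFIRMATION_URL, CONFIRMATION_HTML, policy));
}
```

Under the old browser default, `no-referrer-when-downgrade`, the full URL is sent, so both the analytics host and the advertising host receive `ref=ABC123`; under `strict-origin-when-cross-origin`, the default in current browsers, cross-origin requests carry only `https://hotel.example/` and nothing leaks. A site should therefore set a `Referrer-Policy` header on the confirmation page rather than rely on the browser default, and better still keep the booking reference out of the URL altogether: a fragment (`#ref=...`) is never sent in Referer, but a link that opens a reservation without login is still a bearer token for anyone who obtains it.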

 

It is worth remembering Recital 30 of the EU GDPR which states that ‘Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them’.

 

“Accountability is the underlying principle under the EU GDPR, yet thousands of companies still seem to think that they can avoid their obligations when it comes to privacy and data protection, whilst we continue to vehemently be of a different opinion. Companies who do not demonstrate compliance by taking the appropriate technical and organisational measures will be subject to fines and sanctions similar to what we’ve seen in the last 48 hours. Prevention really is better than trying to find a cure after you’ve suffered a breach,” Martin concludes.

 

If you are looking for guidance and advice on how you can take steps towards data protection compliance and privacy regulations, contact info@deslyon.com today.

 

(*source: https://www.symantec.com/blogs/threat-intelligence/hotel-websites-leak-guest-data)

Photo by Krys Amon on Unsplash

blog post boardroom clip wings

The intention to fine British Airways a record amount (as reported by the ICO* on Monday 9th July 2019) may have come as a shock to quite a few. However, fines at these levels and other significant penalties may become more familiar as more companies are exposed for negligence in protecting personal information.

 

The 2018 Cyber Governance Health Check** report on the FTSE 350 companies, released by HM Government in March 2019, revealed some findings that should concern boardrooms across all businesses that collect and process personal data, whether it is customers’, employees’ or business partners’/suppliers’. The key findings from the report show that:

 

  • Fewer than two thirds (60%) of FTSE 350 companies report that their risk appetite (the extent and type of risk the business is willing to take) is agreed and written down. For the remaining 40%, there is a risk that staff do not share the board’s view of the level and type of risk the business is willing to take.
  • 77% of FTSE 350 businesses do not recognise the risks associated with businesses in the supply chain with whom they have no direct contact.

 

The report also states that only around 1 in 5 FTSE 350 boards have undertaken a crisis simulation on cyber risk in the last 12 months. Taken together with the finding that in 2017, 70% of large companies (and 74% of SMEs) reported having suffered a cyber breach***, this suggests that we’ll see a lot more exposure of cyber weaknesses in what are perceived to be credible brands and organisations that lead the public to believe they deliver exemplary business practice.

Martin De Bruin, CEO at Deslyon suggests a few tips to help boardrooms start and navigate their way through their privacy strategy:

“First and foremost, the Board (including the CEO) has to decide on the company’s mission when it comes to Data Protection & Privacy. Then they can develop their strategy in accordance with the mission and form the team to steer the strategy. The framework should be based on the organisation’s needs as there isn’t really a one-size-fits-all. More often than not, the biggest risk in any organisation comes from internal, so it is vital that training & awareness is steered by the top. Communication is essential if all employees are expected to follow the company’s lead.”

If the words of Elizabeth Denham, UK Information Commissioner didn’t read loud and clear before, then maybe the following quote from her will make boardrooms across the country take notice:

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage, or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

 

To discuss your compliance requirements or to understand your obligations when it comes to privacy and Data Protection, email info@deslyon.com without delay.

(*source: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/statement-ico-announces-intention-to-fine-british-airways/)

(**source: https://www.gov.uk/government/publications/cyber-governance-health-check-2018) 

(***source: https://www.export.gov/article?id=United-Kingdom-Cyber-Security)

Photo by Joshua Sortino on Unsplash


A little reading for the weekend.  Unless you’ve been partying on a yacht somewhere in the south of France this week, you’ve probably seen the report published by the Information Commissioner’s Office into adtech and real time bidding.  If you’re still too blurry-eyed to read the report, we’ve extracted some of the key “i-lights” from the report, not in any particular order:

Inconsistent
“Thousands of organisations are processing billions of bid requests in the UK each week with (at best) inconsistent application of adequate technical and organisational measures to secure the data in transit and at rest, and with little or no consideration as to the requirements of data protection law about international transfers of personal data.”

Issues
“Transparency issues also exist for the ecosystem itself, given the opaque nature of the data supply chain.”

Ignorant
“For some market participants, these were at best not fully understood or at worst ignored.”

Inappropriate
“Data supply chain: In many cases there is a reliance on contractual agreements to protect how bid request data is shared, secured and deleted. This does not seem appropriate given the type of personal data sharing and the number of intermediaries involved.”

Invisible Processing
“…’Invisible processing’ is an activity that carries inherent risk to rights and freedoms as it takes place with no or minimal user awareness. The ICO’s Article 35(4) list provides the following definition: ‘Processing of personal data that has not been obtained direct from the data subject in circumstances where the controller considers that compliance with Article 14 would prove impossible or involve disproportionate effort (as provided by Article 14(5)(b).’ Our list clarifies that processing operations of this sort, combined with any of the criteria from the EDPB guidelines, require a DPIA. Similar examples appear on a number of the Article 35(4) lists prepared by other European data protection authorities”.

Improvements
“What we found was an industry that understood it needed to make improvements to comply with the law.”

IAB
“IAB Europe global vendor list comprises over 450 organisations, each with their own privacy policy. Some of these will be in non-EU jurisdictions, meaning that international transfers of personal data are taking place.”

If you’re an investor in a company that collects, processes, stores or trades personal data as defined in the GDPR/DPA 2018, you may want to review whether your investment could survive a financial penalty, or survive being instructed by the ICO to stop collecting and processing personal data. If you’re thinking of acquiring a company that collects, processes, stores or trades in personal information, you may want to ensure that appropriate due diligence has been carried out so that you don’t end up paying more in the long run (see our blog post about M&A here: https://deslyon.com/2019/05/16/mergers-acquisitions-a-private-matter/).

 

Having decided to carry out an industry sweep, the ICO states: “Following continued engagement to obtain more information, we may undertake a further industry review in six months’ time.” It is almost certain that the ICO won’t be brushing these issues under the carpet.

If you’re not familiar with the corrective powers bestowed upon the ICO, you may want to cast those blurry eyes over article 58(2) (d) and (f) in particular.

 All eyes really will be focused on the industry to see how it cleans up its act, which “Cannes” only be a good thing.  Chin-Chin!

(the full ICO report is available here: https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf)

Deslyon blog remote policies

Just 1 in 5 businesses have a Remote Working or Bring Your Own Device policy in place!

  • even though over 4 in 10 say that staff in their organisation regularly use a personal device such as a non-work laptop for business purposes!

The 2019 Cyber Security Breaches Survey for the DCMS shows that whilst businesses have taken considerable action to improve their cyber security posture, there are still areas that require significant development through implementing the appropriate policies.

Remote working isn’t a new concept. In fact, there’s an article posted by flexjobs.com about the history of working from home, which you can find at the following link: https://www.flexjobs.com/blog/post/complete-history-of-working-from-home/.

However, what has changed significantly in the last 10 years or so is the interconnectivity of devices beyond a desktop computer or a laptop. Since the launch of the iPhone in 2007 (and arguably the BlackBerry 5810, which launched even earlier in 2002), there has been a fundamental change in the way people perform their work duties and in the need to be based in the office.

Whilst there have been rapid advancements in technology that have increased the flexibility of remote working, what seems to have been left behind are the controls and policies set by the employer when it comes to the technical and physical security of devices when working from home or on the road.

This is an area that will likely come under further scrutiny since the EU GDPR and UK Data Protection Act 2018 came into force.

Having a company policy in place that covers employees who work from home or remotely can significantly reduce the risk of information on those devices being compromised.

Staff who use their personal mobiles for company business will often install applications and programmes that are unlikely to be on the company’s “whitelist” of acceptable apps. Staff may travel overseas, possibly to a different continent, and the way they access the internet there may need to be restricted (for example, they may not be permitted to use hotel or coffee-shop free wifi).

Martin De Bruin, CEO of Deslyon comments:

“You just need to go to trade shows and industry events where you’ll see company representatives with laptops unattended, and sometimes even unlocked. How many stories do you hear where staff leave laptops in their cars and then become the victim of a break-in? It doesn’t take long to work out what the consequences might be if company confidential information ends up in the hands of an opportunist.”

Of course, if personal devices are being used for work, other family members often use the same laptops, tablets or home computers. It is therefore imperative that companies have a policy covering the technical and physical security of information and assets, that staff understand it, and that staff are aware of their responsibilities for their own devices and the content on them.

For guidance on creating policies within your organisation or for more information about Deslyon services, contact info@deslyon.com


Adapting to a volatile regulatory environment is the top priority in 2019, with just 4 in 10 Privacy Executives confident about adapting to new regulations, according to a study by Gartner (https://www.gartner.com/en/newsroom/press-releases/2019-04-23-gartner-says-just-four-in-10-privacy-executives-are-confident-about-adapting-to-new-regulations).

The other key priorities in the study, completing the top 5, are establishing a privacy strategy to support digital transformation, implementing an effective third-party risk management programme, strengthening consumer trust and brand loyalty, and identifying metrics to measure privacy programme effectiveness.

  • Adapting to a volatile regulatory environment isn’t only a challenge, but the study also highlights that there are significant gaps between desired objectives and where executives currently view their organisation’s progress.
  • The study also goes on to state that most executives lack confidence in their existing plan around a strategy to support digital transformation at their organisations, and the challenge of formalising information governance remains a key concern amongst privacy executives.

Whilst Gartner gives some recommendations such as “designing an information governance framework that focuses on formal structures, and more on business purpose… accounting for privacy risk in cross-functional strategic planning exercises”, we at Deslyon would add that organisations should structure their privacy team once the privacy strategy is developed, and that the strategy itself can only be developed once the organisation has created a mission statement or vision for its privacy management (a key factor that lays the foundations for the rest of the privacy programme).

When defining the scope of a privacy programme, the organisation must understand the global perspective for which their organisation operates within. What are the local laws, what is the local culture, and what are the personal expectations within the country that your organisation operates/serves customers in? Only then can you customise your privacy approach from both a global and a local perspective.

Organisations can research various established frameworks as inspiration for their own model. It may be the case that no one particular solution mitigates all privacy risk, so it is vital that the right resource, knowledge and expertise is applied to help the organisation in reaching its objective (as set out in its mission statement).

Of course, to assess whether the framework is operating successfully, it is important to implement performance measurement tools with which the organisation can assess its performance against pre-determined metrics. Chosen correctly, these metrics will provide key insights into how the privacy framework is delivering against organisational objectives, as well as key findings on where improvements are required.

Developing a privacy strategy and framework can be both complex and challenging, and it doesn’t stop there: organisations need to monitor legal and compliance factors continually to keep up to date with both global and local regulation. With the qualified expertise of the team here at Deslyon, we can help you navigate the twists, turns and bumps in the road, even if you haven’t yet set out on your journey towards compliance.

Contact info@deslyon.com to find out more.


With recent news of major mergers and acquisitions in the digital industry, questions will be raised about what due diligence is being applied to ensure that the acquirer meets its legal obligations around the collection and processing of personal (sometimes sensitive) data.

There may be many legal and compliance aspects which need to be factored in as well as new controls which the acquirer has to put in place as a result of their new acquisition.

Industry standards such as PCI DSS become a matter for consideration where the business takes card payments online. If the acquisition takes the acquirer into a new industry such as health (where it has historically been in, say, consumer electronics), then regulations relating to health and other sensitive information, and possibly data relating to children, have to form part of the privacy strategy going forward.

Geographically, a number of challenges present themselves. For example, if a US company acquires a business in Europe, it has to implement measures and governance appropriate to each local market, its cultural norms and its local regulations. If that seems challenging, it gets more interesting still when one discovers that the General Data Protection Regulation is supplemented differently by national law in each EU member state.

For example, in the UK, the Data Protection Act 2018 sets out further exemptions (not in the GDPR text itself) that apply when responding to a Data Subject Access Request. In Germany, national law amends the position on processing special categories of data, amongst other variations. In Spain, Article 37 (designation of a Data Protection Officer, DPO) carries further obligations than the GDPR text, and the DPO has an additional function: the DPO may intervene in the case of a complaint against a controller or processor and communicate the organisation’s resolution to the complainant within two months of receipt of the complaint, before the complaint is submitted to the supervisory authority (*source: iapp.org).

What if your company is divesting a business?

Again, a relevant question, given that there are real-world examples of this taking place. When divesting a business, there may well be risks associated with the data being released, so a thorough assessment of the infrastructure of all or any part of the entity being divested must be undertaken before the event, to ensure that unauthorised access to any personal data is prevented as part of the divestiture process (unless there are specific exceptions, in which case they need to be documented).

It is worth remembering that an organisation can be exposed to unnecessary corporate risk by acquiring companies with differing regulatory obligations. A privacy checklist is a useful tool to help ensure this process is carried out effectively.

For further information on how mergers, acquisitions or divestitures could affect your organisation, feel free to contact us at info@deslyon.com.


Following the news that a security researcher discovered millions of unsecured Facebook user records on an Amazon cloud storage server, where they had been stored by a third-party application called Cultura Colectiva, questions arise as to how third-party developers and application providers are vetted by Facebook, and what obligations Facebook imposes on third parties when it comes to the confidentiality of its members’ information.

Cultura Colectiva describe themselves as “a digital platform that inspires audiences through content created with data and technology…. The largest digital platform in Mexico and Latin America with significant reach in Argentina, Chile, Colombia, and Spain”, the last of which is of course in the EU, meaning that Cultura Colectiva is subject to the EU GDPR, not only because its reach extends into an EU territory but also because it is highly likely that EU data subjects access and interact with its app and website from a number of locations around the world. Cultura Colectiva then sent that data for storage to a remotely managed service provider (the cloud) and failed to protect it, leaving it unsecured.

Under the EU GDPR, a controller must report a personal data breach to the supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals). If the breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller is also legally required to inform those data subjects without undue delay. Yet it took several months for any action to be taken once the exposure was discovered by a security researcher: it was initially flagged on 1st February, it took three weeks for someone from Amazon to respond saying that they were “looking into the situation”, and the data was finally removed on 3rd April, by Facebook, not by Cultura Colectiva (source: https://www.bloomberg.com/news/articles/2019-04-03/amazon-cloud-storage-dilemma-exposed-in-facebook-s-latest-leak).

It is worth remembering that when data is sent into the cloud, you are at the mercy of that 3rd party’s security controls and systems.

If that data has been sent into the cloud by a third party (Cultura Colectiva, a third party, stored the data on a server provided by another third party, Amazon) that has not taken appropriate security measures to protect it, the likely result is a complete loss of control of that data, which could be catastrophic if the data is of a personal nature. What is more, the initial collector of the data is, as data controller, ultimately responsible for allowing a third party to access it. It is therefore vital that contracts and agreements reflect each party’s responsibilities, including where there are joint controllers (Article 26 of the EU GDPR).

It is also vital that data subjects are aware of how their data will be processed and what protections are in place with the partners of that third party, so that individuals can give explicit, freely given, affirmative authorisation for their data to be used exactly as described by the controller.

Therefore privacy notices and internal policies need to be updated to take into account the local laws and regulations applying to the company’s members, customers or users. For example, if your company is headquartered in Mexico and you collect EU data subjects’ data and process it by storing it remotely in the US, then you are bound not only by Mexican data protection law but also by the applicable data protection laws of the US and the EU, as well as the local laws of the users’ own countries.


GDPR Privacy by Design & Default

Should Privacy by Design be mandatory?

Privacy by design and default (PBDD) may prove to be far more useful in the world of privacy and data protection than it is considered now. Under Article 25 of the GDPR a controller is required to implement PBDD through appropriate technical and organisational measures, but is that enough?

Controllers are expected to consider data protection issues as part of the design and implementation of systems, IT, services, products and business practices: to integrate, or ‘bake in’, data protection into processing activities and business practices from the design stage right through the lifecycle, and to anticipate risks and privacy-invasive events before they occur.

Until there is a specific rule or a tightening of regulation, it is up to organisations whether to actively manage these risks via PIAs (Privacy Impact Assessments) and/or privacy-enhancing technologies (PETs), and organisations that choose not to may not be protecting personal data sufficiently. A lack of action could therefore put personal data at risk.

A fine of up to 10 million euros (or 2% of global annual turnover, whichever is higher) may be imposed if it is found that personal data was not protected when a significant new service, policy or implementation affecting personal data was introduced, so there is no real excuse for not introducing PBDD. Deslyon believes PBDD should be mandatory whenever it is clear that personal data is put at risk by changes an organisation makes, since those changes could leave the organisation GDPR non-compliant and in breach of the regulation.

It is understood that the UK ICO and the EDPB (European Data Protection Board) are considering certification for PBDD (identifying certification criteria under Articles 42 and 43, and the EDPB’s draft guidelines on approved certification mechanisms). Until such certification is in place, Deslyon recommends that all organisations processing personal data implement PBDD when making significant changes that involve personal data.

Organisations should ensure that personal data is protected by default, specifically when major changes are made, such as replacing an HR system or developing new systems that hold personal data. Where an organisation has a DPO (Data Protection Officer), it is likely that they will ensure PBDD is carried out; where no DPO is employed, the security officer, GDPR specialist or similar representative will always benefit from practising privacy by design and default.

Article by Phil Lyon, COO of Deslyon.
Phil Lyon, MBA, CISMP, ISO27001 Lead Auditor, GDPR Practitioner.
Contact info@deslyon.com to discuss how we can help your business.

penalty

Definition of a Data Breach: “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.” (source: ico.org.uk).

$2.1 trillion – the economic cost of data breaches globally

A study by Juniper research back in 2015 estimated that the economic cost of a data breach is set to quadruple to $2.1 trillion globally by 2019 (https://www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over-2trillion).

Depending on the nature of the breach and what data has been compromised, calculating the real cost of a data breach can be a complex equation (and, more often than not, estimates fall considerably short of the final total). As reported by TechRadar last year, since the announcement of the personal data breach by Equifax in September 2017 (announced two months after the breach actually occurred), the company had, by its SEC filing for Q1 2018 results, incurred a total of $242m of expenses related to the incident and to incremental IT and data security costs, of which $68.7m was in Q1 2018 alone*.

The costs of a data breach

  • Conducting an investigation into the cause of the breach (a task that may require resource outside of the organisation)
  • Ascertaining the likely number of data subjects affected
  • Organising the response team and executing the incident response plan
  • PR and External communication strategy (customers, shareholders, suppliers/vendors, security)
  • Legal expenses as well as remediation measures (updating contracts, installing new security software, replacing physical security equipment, reimbursing customers and compensation)

There are also the after-effects to consider when counting the cost of a data breach. These may include the effect on the share price and share performance in subsequent months: Equifax’s share price, which reached approximately $140 between July and 6th September, has never recovered to those levels, in fact dropping as low as $89 within a week of the announcement of the breach. Customers will probably terminate their accounts and move to competitors’ offerings, and any new business will more than likely be qualified out very quickly.

In some cases, the cost of a single data breach or lawsuit may be large enough to shut down an organisation and destroy a career, as numerous news articles have reported (one example being https://blogs.wsj.com/bankruptcy/2012/03/12/burglary-triggers-medical-records-firm’s-collapse/).

How can you prevent a Data Breach?

There are a number of measures which you can implement that will help to minimise the risk of being subject to a data breach. This includes (but not limited to) the following:

  • Encryption of data (both at rest and in transit)
  • Training of staff so that they’re aware of their obligations when it comes to Data Protection.
  • Updating policies (such as remote working, bring your own device, staff internet usage, USB/external device policy)
  • Penetration testing of systems
  • Information System Security Assessments
  • Third-party supplier/vendor due diligence (and the ability to audit your partners)

Contact info@deslyon.com to discuss how we can help your business.

(*source:https://www.sec.gov/Archives/edgar/data/33185/000003318518000017/exhibit99120180331.htm)
