17 Mar 2014

Defending reputation during a data loss

How you respond to a data security breach will determine the reputational impact on your brand, says Jennie Sumpster of Schillings.


Claims that a leading UK high street bank has been hit by a significant and alarming data security breach mark the latest in a long line of high profile data breaches to have taken place in the UK and the USA. In this case, a “whistleblower” provided a newspaper with a memory stick containing the confidential information of 2,000 customers, detailing customers’ earnings, savings, mortgages, health issues, insurance policies, passports and national insurance numbers. Whilst the initial information provided to the newspaper concerned the details of 2,000 individuals, the “whistleblower” claimed to have access to the details of 27,000.
 
One of the most striking aspects of this story is the fact that not only has the breach affected so many people and involved such highly personal information, but that the source of the breach was not an external cyber hacker but rather a rogue employee. Contrary to what the media would have us believe, financial institutions generally have incredibly sophisticated data protection set-ups.
 
Onerous obligations
 
In addition to data protection requirements under the Data Protection Act, financial institutions are also under stringent and onerous obligations imposed by the Financial Conduct Authority and/or the Prudential Regulation Authority. Financial institutions also employ vast numbers of people to ensure they comply with information handling requirements. Yet, as this case highlights, the actions of a single individual can potentially have a devastating impact on the privacy of those whose data has been compromised, in addition to sullying the reputation of a business and its brand.
 
Whilst the Data Protection Act 1998, under section 55, contains criminal offences for those who are guilty of obtaining or disclosing personal data without the consent of the data controller, this would not, perhaps, provide much comfort to those trying to weather the customer and media storm this latest revelation has provoked. If this latest breach tells us anything, it is that even large organisations, which may have spent millions on their IT security, are not invulnerable to this kind of data breach. Employees ultimately hold the key to true data security and, as a consequence, internal policies and procedures coupled with proper training are the only way that businesses can reduce the likelihood of a leaky back office being the cause of a future breach.
 
Inevitable
 
It is inevitable that data breaches will affect all businesses at some point in the future, irrespective of whether they stem from an external cyber-attack or from within. What is critical and abundantly clear from this latest incident is the importance of the business response to such a breach, in terms of ensuring that any adverse reputational impact is carefully managed and mitigated. Pivotal to this is:
 
1. Preparation: Make sure that your organisation has a robust and detailed data breach response plan, and that all critical teams have been involved in its preparation. Regulatory compliance by itself is not enough: understanding the full context of the business and the threats it is subject to (including internal threats) is critical so that a tailored risk-based security strategy can be formulated and implemented.
2. Internal communication and co-operation: Ensure that any breach response plan is understood and is widely circulated amongst all relevant teams, including Legal, IT and PR/Comms. Make sure these teams have open channels of communication between them.
3. Fast, efficient internal and external response: If the worst should happen, at the very least you must ensure that you:
   - Work with your legal team to consider whether any relevant regulator should or must be informed.
   - Work with your IT security team to fully investigate and contain the breach, where possible.
   - Work with your PR/Comms team to ensure that any external communication comes from one source and is on message – minimise the chance of employees or even board members making ad hoc statements to the press or on social media regarding the breach.
4. Practice, practice, practice: Undertake simulated data breach scenarios with all relevant teams and employees so that, in the event of an actual breach, correct procedures and reporting structures are followed.
 
How the bank in question manages the fall-out from this latest data security breach will be interesting to watch. Much will depend on the way in which the bank manages public reaction to the breach over the coming weeks and months, but one thing can be guaranteed – the conversation in the boardroom will be centred on how this kind of incident can be avoided in the future, irrespective of whether such an incident stems from a rogue individual in the leaky back office or a sophisticated cyber-attack.
 