Exploring the financial risk of data breaches
One of the challenges the emerging digital data governance industry has had is to quantify its value. This is always difficult for a relatively young sector (if we assume that it only came into focus in response to GDPR). But it is perhaps always difficult to justify spend when the primary aim is eliminating downside risk; in other words, when you are stopping costs from arising when something bad happens, rather than adding incremental value.
Many have focused on the British Airways (BA) breach in the summer of 2018, predominantly because it was one of the first major breaches to occur after GDPR came into force in May of that year. In October 2020, the ICO issued BA a regulatory fine of £20m for the breach. A considerable sum, and certainly enough to justify data governance investment as a business case everywhere.
Originally, the ICO had announced its intention to fine the airline £183m, so business cases built on that figure became significantly less powerful than they had previously been; although the final figure did provide a more realistic view of what the actual regulatory impact would be. Unfortunately, it hasn’t ended there for BA’s legal team. In January 2021, the eagle-eyed among you may have noticed that a compensation law firm launched a major TV ad campaign to encourage the 400,000 customers affected by the breach to join a “class action lawsuit” against the airline.
Once again, various eye-watering assessments of the additional costs have been provided in the press. Even though the final amount may well be significantly less than these, the law firm has clearly deemed it a sufficiently good opportunity to spend a large amount of money on TV and digital advertising to attract potential claimants. The business case must stack up well for them.
What is clear is that the financial risk of a data breach extends well beyond any regulatory fine. There will also be compensation to those whose data was lost, and an entire legal industry is gearing up to target that money. On top of both sits the much harder to quantify impact on customers and their trust. Just because that is harder to measure does not mean it is less important than legal fines; if anything, it is more important.
What to do about data governance?
In a series of blogs, Station10 explores some of the methods and processes which organisations can use to set up data governance, and what sort of mitigation these can provide. This is not to say that they will immediately fix all the problems; each business and situation is unique. But it can be useful to consider a particular scenario to demonstrate the potential mitigation.
In essence, in the British Airways case a sophisticated hacking operation stole the personal and payment card data of around 400,000 customers by injecting a small piece of malicious script into the checkout pages of the airline’s website. According to the ICO’s investigation, this was enabled partly by weaknesses in BA’s data security arrangements and by insufficient testing of code, and partly because user access on the affected systems was broader than necessary, giving the attackers more reach than they should have had.
Station10’s Digital Governance Tips:
Audit Your Environment, including Access
To address one of the issues raised above, it is important to have a full picture of your digital environment, including who has access to what. This matters because different parts of an organisation often hold differing views of key data entities, such as customer data or products, shaped by the jobs they need to do.
The first step is to conduct a tagging audit on your domain. A tagging audit should review the systems that deploy tags, the process by which a tag is placed on the site (including who is able to publish a change to it), and the type of data each tag collects. This audit reduces the risk of unnecessary code being added to your site, and so reduces the potential impact that code could have on performance or data security.
To facilitate this, Station10 have developed a Tag Audit methodology in which we spend time identifying and documenting your collection points and mapping them together, so that you as an organisation have a clear understanding of the possible risk points in your data collection. The output from this exercise can help an organisation start to develop its internal governance framework.
We are currently helping many clients establish governance frameworks to address the current legal requirements. These frameworks are bespoke to each client, so we ensure that the design, build and definition of data collection processes work for your business specifically. We also audit the entire data flow and analyse the outputs to ensure that the decisions being made match your business priorities.
To find out more or to discuss more about Data Governance please get in touch with Jan Piedrahita.