The increase in corporate mobile device use, fuelled by better technology and trends like Bring Your Own Device (BYOD) and enterprise focussed apps, means there are many more ways in which a business can lose data; whether through employee mistakes, malicious theft or the sale of confidential information.
Under the Data Protection Act 1998, when a business loses personal data, the Information Commissioner’s Office (ICO) has the power to fine it up to £500,000. Breach of the act can also constitute a criminal offence, meaning in extreme cases individuals can be sent to prison. Over 650 prosecutions have been commenced in the last six years by the Crown Prosecution Service.
What makes this an even bigger issue is that personal data has such a wide definition: any information that can be used to identify an individual. As a result, GRC (Governance, Risk Management and Compliance) is currently one of the biggest issues facing companies of all sizes. Unfortunately, it has yet to find appropriate billing on agendas in boardrooms across the country, meaning remaining on the right side of the law may increasingly become a real problem.
The reality for CIOs
With such dramatic consequences, CIOs may question whether mobile working policies such as BYOD are worth the hassle. But the prospect of the clear efficiency benefits of mobile working and the increased demand from employees to use devices of their choice means that every CIO will have to face this issue. The threat is further heightened by the fact that there is now a prolific amount of data consumption in the workplace. To some, the obvious and logical solution would be to implement preventative measures to ensure compliance from employees. But this just isn’t happening.
Recently an Aberdeen Council employee was reported to have taken home some work to finish off on a personal computer. Microsoft Word auto backed-up the documents and published them online for three whole months, unbeknown to the council or employee. As a result, the council was penalised and fined £100,000 for not putting in place a regulation compliant BYOD policy.
In the Aberdeen case, the organisation was left fully accountable by the ICO despite it being the accidental wrongdoing of the employee. In a contrasting example, a manager from Enterprise Rent-A-Car was found to have breached compliant security processes in place, by stealing and selling over 2,000 customers’ details to a claims management company. Following suspicions, Rent-A-Car alerted the ICO, which raided the third party company and found the correlating data. The result: the manager was successfully prosecuted and fined £500; ordered to pay a £50 victim surcharge and had to fork over £264.08 in prosecution costs.
In situations like the Enterprise Rent-A-Car case, where the employee is clearly at fault and is fully aware they’ve maliciously breached policies, a company can successfully hold them to account and even look at criminal and civil proceedings. In circumstances like Aberdeen Council, the organisation is made accountable for not having a policy for the employee to fall in line with.
Either way, it’s clear that avoiding crippling financial fines requires detailed evidence of compliance best practice.
Compliance best practice
To comply with data protection regulation and mitigate against fines, firms need to take a holistic three stage approach to ensure that data is kept secure. This consists of education, policy and technology. But what do each of these steps entail and how can businesses implement them without impacting their mobile device use?
1. Implement a policy
Businesses need to have a clear data and device policy communicated to their staff and actioned. Within this, there must also be clarity on how data is classified and distinct data classification protocols. These shouldn’t be written in overly legal or technical language, but rather in a tone that all employees will understand. That way, both the company and employees are kept fully aware on what they’re allowed to do with their devices. Having a good policy in place ensures it is clear when employees have breached that policy.
2. Train and educate employees
The human factor is often the weakest link in a company’s data security which is why it’s so important that employees are sufficiently trained and educated to avoid security slip ups. It’s vital to be able to demonstrate to your employees the impact that poor data security practices can have on the whole company, so that they understand why their support is necessary. However, it’s not as simple as pinning a piece of paper with a list of rules to the office wall or downloading a training package from the internet. Data security best practices need to be engaging, relevant and tailored to the jobs people are doing.
3. Utilise a technology solution
Despite setting out a cohesive device policy and thoroughly educating staff, there is still a vital third element. Employees will break the rules, both accidentally and purposefully. This is why it’s so important to have an underlying technology software solution which can protect the business in the event of a data breach. Businesses need to be able to persistently track, manage and secure all devices used at work, as well as the data stored on them. Most importantly the technology used will also allow a company to prove that compliance processes are being properly enforced and adhered to.
With the rise in data consumption driving increased regulation, organisations must put policy, education and technology in place to avoid the increasingly real issue of data loss. However, should a company not have these constituents in effect, it should still alert the ICO. Punishment can spiral if evidence of withholding details of a breach is uncovered. Also, the ICO has discretion in every case and can provide assistance by agreeing next steps which may bury a breach and leave the business’s reputation (and bank balance) intact.
Putting GRC on the agenda
With the threats of fines, damage to reputation and possible criminal prosecution, CIOs can’t take their data security for granted and GRC has to become a boardroom issue. This will become even more urgent when the new EU Data Regulation comes into force in 2017. The core principle of this legislation is that personal data should not be processed by businesses except where certain compliance conditions are met. This may sound like a mountain to climb if you’re starting from scratch. But if businesses start preparing now, the new laws will be less of a challenge when they come into fruition.
A policy has to be clear and accessible; the BYOD training given to employees must be relevant to them and the organisation, and there must be proper data protection software in place. Business mobility can have countless business benefits, but it must be managed properly to counter risk and comply with regulation. And if a breach should occur, the employer may be able to escape sanctions if it can prove that it did everything it could – policy, training, and technology – to prevent the breach.
With such a complex compliance environment, it’s now essential to take this three-pronged approach to make sure all bases are covered and that organisations have the upper hand.