Tough new EU rules aim to ramp up data breach protection

By Marianne Curphey

It seems consumers' personal information is more at risk than ever from identity thieves, with every week bringing news of another data breach somewhere. Though security technology is constantly advancing, hacking technology is advancing, too. But businesses will soon have new incentives to get one step ahead of thieves.

Starting December 2017, new rules will apply across EU member countries stating that businesses could face up to €1 million in fines if they fail to protect consumers from data breaches. Under the new rules, companies must report data breaches to their national Data Protection Authority (DPA) within 72 hours. In the UK the national DPA is the Information Commissioner's Office.

Businesses must also name a data protection officer, and have a plan in place for avoiding a breach and handling one after the fact. Brian Kinch, a senior partner at FICO, says the regulations aim to ensure information is encrypted and stored in a way that does not allow it to be compromised. FICO is a US-based software company that specialises in global fraud

Why is the new protocol important?
"The introduction of EU Data Protection Regulation, expected to come fully into force within the next three years, will fundamentally and dramatically alter the data breach landscape," Amir Goshtai, managing director of affinity at Experian Consumer Services, said in a statement.

According to research from credit bureau Experian, almost a fifth of UK companies lost confidential information in at least one breach between 2013 and 2015, and 57% of those affected experienced multiple breaches.

Data breaches happen simply because organisations have failed to maintain adequate security in three areas: people, processes and technology, according to John Greenwood. Greenwood is a fraud prevention expert and marketing director of Compliance3, a consultancy that helps eradicate payment card and personal data fraud in business contact centres.

"People are the weakest link," Greenwood says. "Most breaches occur because people have not followed policies set by their employer and their employer has not focused enough, at the most senior level, to implement and maintain robust security and compliance policies."

The Experian research predicts that the risks of data breaches will continue to increase rapidly, and that repercussions will become more serious over the next few years. Those repercussions include not only lost business costs, but also business reputation: 63% of those asked in the Experian study said they would cease business with an organisation if their personal information was compromised.

"For companies, the biggest impact might be reputation, rather than financial," says Mark Prior-Egerton, solutions marketing manager at The Logic Group, one of Europe's largest payment and loyalty specialists and part of Barclaycard. "There is an immediate financial cost in terms of fines but the financial cost of reputational damage is potentially greater as it is longer lasting."

Reporting a lax company
Because the rules are new for everyone, determining whether a company is doing all it can to protect your information can be a bit murky. But there are a few things you can look for.

According to Kinch, it's acceptable for some companies to store at least a few of your details. For instance, if you buy insurance and want to create a continuous authority to keep your payments renewing, the insurance company will need to keep some of your financial data on file. The same is true with some digital wallets, he says. However, it should not happen with retailers selling clothes or other non-recurring items.

"There are certain tell-tale signs for consumers which demonstrate that there might be potential problems with security," says Kinch. "For example, if you [buy] an item with a clothing retailer and then ... go back to their website a few months later to buy something else [and] find all your financial details [are] automatically populated by the retailer, including expiry date and security code, that indicates that they are probably not fulfilling their care requirements."

Greenwood says under the new rules, companies will have to be accurate and explicit about what they do with customer data, and they'll need to be able to present this information to their customers on demand.

If you feel a company isn't complying with the regulations, you can complain to the Information Commissioner's Office. There is a standard letter template available to help customers make a formal complaint. You can also check if the organisation is registered under the Data Protection Act. Then the ICO will tell you whether you have a basis for making a claim.


Published: 27 July 2015