Why CIOs Should Inform Their CEOs of Data Breaches
Whether due to negligence (e.g. a lost USB stick or laptop) or malicious intent (e.g. by cybercriminals or disgruntled employees), data breaches can cause companies serious and irreparable harm.
First and foremost, data breaches can significantly harm a company's reputation and brand image. Take the case, for example, of a web shop or online banking application that is hacked, thereby placing data of clients or customers at risk. In this case, clients or customers may lose trust in the company and turn to a competitor.
Secondly, data breaches can be costly to remedy. Companies may also face claims by persons whose personal data have been stolen.
Furthermore, a company may lose confidential know-how or trade secrets.
Finally, the company may be exposed to administrative or other fines under data protection legislation if the breach concerns personal data. Under the General Data Protection Regulation, which will apply as of 25 May 2018, failure to notify a data breach to the data protection authority and/or the individual concerned may be sanctioned with fines of up to EUR 10,000,000 or, in the case of a company, up to 2% of its worldwide annual turnover for the preceding financial year, whichever is higher.
It follows from the foregoing that being aware of a data breach immediately is of the utmost importance for each and every company. If you don't know that a data breach has occurred, you can't take measures to remedy it. According to a survey by Vanson Bourne reported in the Belgian press last week, almost 50% of Belgian CIOs do not report important data breaches to management. If this figure is true, many Belgian companies are facing a massive problem and should immediately put in place a data breach handling policy.
The policy should provide for a step-by-step plan detailing the actions to be taken from identification of the incident until closure. It should, amongst other things, identify:
- which incidents should be reported;
- how incidents should be reported;
- which actors should be involved (e.g. the HR manager, legal counsel, data privacy officer); and
- the measures to be taken.
Since an ounce of prevention is worth a pound of cure, companies should also consider:
- conducting periodic risk assessments;
- having their systems tested by an external security expert; and
- rolling out an awareness campaign and security training for all employees.