The Province

Data privacy is not only the responsibility of IT

- Ale Brown

On Tuesday, we learned that Bell Canada had a data breach, their second in less than a year.

Not many details have been shared, but having worked on many privacy management incidents, my questions surrounding breaches of this nature focus, naturally, on prevention.

The root cause of a breach is generally a cyberattack, but why? Did Bell have the appropriate protocols to keep their software up to date and avoid vulnerability? Did they manage passwords and access to their systems strongly enough? Do their employees understand the risks of clicking on links in unknown emails or inappropriately sharing information?

Bell, or any company, for that matter, does not necessarily need to answer these questions or share this information publicly. But having two similar attacks in a short period leads me to believe that they didn’t do enough “soul searching” last May after a data breach that impacted nearly 1.9 million customers’ email addresses and phone numbers.

The consequences are clear: this incident will not only impact them financially or, potentially, legally, but their reputation and the trust the public has placed in them will be shaken. Fool me once, shame on Bell Canada. Fool me twice, shame on me. This may not be a big concern for Canada’s largest telecommunications corporation, but it should serve as an example that establishing trust and a good name are paramount to success.

All organizations should look at Bell Canada and ask themselves whether they have an effective incident and breach response management protocol in place should this happen to them. We know Bell Canada informed regulators and the public, so there must be a basic response plan. But when exactly did the breach take place, and how long did it take them to find out? When did they identify causes and let the appropriate stakeholders know? There is a difference between simply informing and informing in a timely and effective manner.

Another question to ask is whether Bell Canada did a thorough post-mortem analysis after their last breach and whether they identified gaps, risks, mitigations and a clear actionable plan to remediate these shortcomings to avoid future breaches. Was the plan executed?

Finally, do their employees understand the seriousness of safeguarding personal data? Are there policies and procedures in place that are enforced through training, awareness programs, audits and continuous improvement?

It is critical to have enough executive support to invest in resources that ensure an appropriate privacy management program instead of leaving this on the back burner due to other “pressing” priorities. According to PwC’s Consumer Intelligence Series, 92 per cent of customers want companies to be proactive about data protection.

Unfortunately, when it comes to data privacy management, only 45 per cent of organizations report having a plan to ensure data management compliance. This is alarming because we all share personal information with almost every organization with which we do business.

A misconception is that privacy and security management are the same thing. Perhaps this is part of the problem.

Security management refers to the safeguarding of data with technology, and it is usually considered a responsibility of the IT department. Privacy management is an all-encompassing framework that includes security but goes beyond that.

Privacy management is the task of the executive team to enforce. It refers to the governance, policies and processes that ensure every employee in an organization understands their responsibilities when it comes to data protection and has a sense of accountability toward this task.

Until the highest levels of management in the organization understand the importance of having a data privacy strategy that is not only IT’s responsibility, we will continue to hear about data breaches.

Whether it is cyberattacks, regulators or consumers themselves, data protection and privacy management have taken centre stage in the collective consciousness. It is no longer an optional requirement. Consumers and organizations need to remember that information is power, and personal information is even more powerful.

The moral of this story is: with great power comes great responsibility.

Ale Brown is the founder and principal consultant at Kirke Management Consulting, a strategy consulting firm based in Vancouver that focuses on privacy and the compliant management of personal information.