But the whole question is mired in uncertainty for firms and customers, writes Ed Lewis
The sense of anger surrounding corporate data breaches is palpable – and finally people are understanding just what these breaches signify.
High-profile cases in 2015 have brought the message home – and now that cybercrime accounts for roughly half of all crime in the UK, a wholesale cultural shift is needed.
However, the law and regulatory frameworks have failed to keep up. We won’t change the behaviours needed to combat the risks in this new digital world without adjustment.
Many old risks manifest in new ways via technology. More of us are starting to appreciate the harm that can happen when our data ends up in the wrong hands. Businesses can’t afford to be complacent; the stakes are high.
The UK’s Data Protection Act is a great example of the problem. It requires “appropriate technical and organisational measures” to be taken by businesses to prevent their customers suffering losses in the event that their data is stolen. But what is appropriate? The legislation offers little guidance. Instead it muddies the waters further, telling businesses it’s up to them to determine the measures they should employ “having regard to the state of technological development and the cost of implementing any measures”. Seriously?
Technology is now advancing so rapidly that today’s measures are often obsolete when tomorrow comes. And why should cost be a factor? Personal data has the same intrinsic value regardless of whether it’s in the hands of a large corporation or an SME.
Does the SME which can’t afford to put in place the protections that a large corporation can therefore have an excuse for not doing so? The measures should be the same regardless – it should be the value of what’s being protected and the interests of its owner that matter, not whether the custodian can afford to protect it.
Worse still, the legislation also says the measures need only ensure a level of security appropriate to the nature of the data and the harm that might result from its loss. Once again, who’s to say what’s appropriate?
Whilst a class of data might not objectively seem particularly valuable, the question may of course be entirely subjective, depending on whose data it is and what harm they would suffer if it were lost.
The whole regime is a mess.
Consumers are starting to ask questions, and they’re not happy with the answers. To be told there is a lack of consistency in how they will be protected from one business to the next is irritating; to then find out that the law fuels that irritation is terrifying.
The onus is effectively on consumers to enquire, then make a choice about whether they are satisfied with the measures a business has in place before handing over their data.
This information can be hard to come by, so the argument for minimum, assured standards of protection which everyone understands is compelling – and the news from the EU that data protection laws will be overhauled next year provides the perfect opportunity to get things right.
But the public aren’t going to put up with flimsy laws that set no hard-and-fast rules. If data breaches continue to rise, eventually people are going to stop handing their data over. It will be a long road to win back confidence.
Those businesses with a keen eye on the horizon will be setting the bar high and taking steps to specify the standards they will measure up to. As much as data protection and cyber security are grabbing the headlines for all the wrong reasons, they are also a phenomenal enabler for businesses looking to differentiate from the competition, increase market share and improve profitability. When so many markets are experiencing zero net growth, that’s one heck of an opportunity.
• Ed Lewis is a partner in the insurance and reinsurance team at Weightmans LLP. www.weightmans.com