In a recent online article, the Harvard Business Review, commenting on the latest massive data privacy breach to hit a U.S.-owned company, shared some important takeaways for senior managers and regulators to consider in relation to the management of private data and the implications of the European Union's General Data Protection Regulation (GDPR).
The breach in question involved Marriott Hotels, where up to 500 million people were impacted, exposing at least 25 million passport numbers and 8 million payment cards. The group faces the possibility of a record GDPR fine if an E.U.-based data protection agency applies the highest possible penalty of 4% of annual global revenue for the previous financial year.
Some of the key findings of the report were as follows:
1. Cyber Risk Disclosure is still Inadequate
Companies are still not reporting data privacy violations within the applicable deadlines, and the penalties for failing to do so are not being enforced by the relevant bodies. Marriott did not report the data breach for over 12 weeks; it should have made it public knowledge within three days of the breach being identified.
2. Mergers & Amalgamations Tend to Result in Data Breaches
During the investigation into the Marriott data breach it was discovered that the violation actually occurred on Starwood's databases, Starwood being the company that Marriott merged with as part of a new business arrangement. This, according to the Harvard Business Review, highlights the importance of companies taking the time in a situation like this to ensure that all staff are fully aware of the requirements placed on them.
3. Cyber Breaches Can Impact the Complete Supply Chain of the Targeted Company
It is important to remember that once cyber criminals have access to one major database, they then have the potential to target every system that this database connects with. For example, if a large company outsources its order system or payslip software, it is possible that the attackers will be able to log on to that system and commit further data breaches.
4. Make-up of Company Boards does not Include Experts on Cyber Security
Again using Marriott as an example, it was found that the company has a board of 13 members, none of whom had any experience in cyber security, nor was there a cyber security subcommittee established in order to stay on top of this area of the business.
The report, authored by Shivaram Rajgopal, Professor of Accounting and Auditing and Vice Dean of Research at Columbia Business School, and Bugra Gezer, founder and CEO of Cyber Rate LLC, concluded by saying: "We believe that regulators could get companies to focus on cyber readiness and the attendant systemic cyber-risk exposure by forcing boards of directors to make representations on the cyber security exposure of the company. Once the board is 'on the hook', corporate accountability should improve and mitigate the damage from cyber breaches to customers and to society as a whole. Many companies could learn from Marriott's story and consider in detail how they would handle such a major data breach."
You can read the full text of the report on Harvard Business Review online.