Protecting Customer Data – The Impact of new EU Legislation

By John Greenwood – Director, Compliance3

Why do breaches happen?

Data breaches happen simply because organisations have failed to maintain adequate security in three areas: people, processes and technology. People are the weakest link. According to Ponemon in the 2014 “Cost of Data Breach Report,” negligence or human error was the primary root cause of data breaches. Forty percent of incidents involved a negligent employee or contractor (human factor), the root cause of 38 percent of incidents involved a malicious or criminal attack and 22 percent experienced system glitches, including a combination of both IT and business process failures.

Most breaches occur because people have not followed policies set by their employer and their employer has not focused enough, at the most senior level, to implement and maintain robust security and compliance policies. Such negligence not only costs business in terms of lost revenue, but is also career limiting for those involved. The massive breach of the Target US retail chain in November and December 2014 led to the dismissals of both Target’s CIO and CEO. According to a US Senate report on the breach, “Target managers missed information provided by its anti-intrusion software about the attackers’ escape plan, allowing attackers to steal as many as 110 million customer records.”

We can see this in contact centres where the culture is not entirely positive and where employees are exposed to the risk of transgressing to the dark side. The temptation, especially for an individual on a zero hours contract and earning close to the minimum wage, in a harshly managed or oppressive environment, to sell data to a stranger in a car park for £50 per card number and CVV, is simply too real and too much for some people. Firms tend to underestimate this risk, even though the threat is real and well documented. According to Detective Chief Inspector Mark Wilkie of South Yorkshire Police, “call centre internal compromise is the biggest form of up and coming fraud in the UK.”  Detective Chief Inspector Derek Robertson of Strathclyde Police stated that “one in ten of Glasgow’s financial call centres has been infiltrated by criminal gangs and 100% suffer from criminal fraud.”

Is the UK expected to face the same data breach threats as the US?

Yes. The UK will be targeted more and more, just as the US is already. However, the US is behind the UK in terms of security because it has not adopted Chip and PIN to the same level or as quickly as Europe. Chip and PIN has reduced fraud significantly in the UK. Personal data fraud is global and the UK is exposed to the same threats from organised crime as any other nation.

The new EU rules

In January 2012, the European Commission proposed a comprehensive reform of 1995 data protection rules in the EU. Following that the European Data Retention Directive was launched following the terrorist attacks in 2004 in Madrid, and then 7/7 in London. This directive aims to harmonise EU Data Standards in an attempt to collect communication data and prevent cyber terrorism. On 8th April 2014, the Court of Justice of the European Union in Luxembourg ruled that whilst it acknowledged that the legislation genuinely satisfied the objective of a competent EU Governments general interest, namely the fight against serious crime and, ultimately, public security, the Court was of the opinion that, by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of ‘proportionality’.

This development forced European data legislators to reconsider their position and aim to produce a single data protection law, the EU General Data Protection Regulation, which was given a general release as a first draft in January this year and published on 24 June 2015 subject to agreement between the Council of Ministers, the European Parliament and the European Commission. The published timetable for final sign off is December 2015, with full enactment to EU law by December 2017. Whilst the ruling will not become law for two years but it would be best practice to begin to implement now.

Under the new EU Data law, what will companies have to do to protect customer data?

It’s important to understand that this legislation applies to all EU firms and all global firms trading in the EU. The 7 key points or behaviour changes that come out of the new EU data protection legislation are:

1. Stop unnecessary data processing. Change marketing culture to reduce the processing and retention of customer data to a minimum.
2. Start communicating what the new legislation means to ALL employees and be especially clear what it means to customer facing staff, including your contact centre and review existing customer data policies to ensure that they are written in ‘clear and plain language’.
3. Continue to focus on data security and start by conducting full security audits and impact assessments of the new legislation plus audit against other significant external standards compliance including PCI DSS if the firm processes, stores or transmits payment card data.
4. Start thinking about Governance, getting data security as a fixed item on the Board Agenda and the Board ensuring the appropriate metrics are in place to measure progress and compliance. If the firm has more than 250 employees, the new legislation dictates the appointment of a Data Protection Officer (DPO).
5. Start updating or put in place ‘Breach Discovery’ a ‘Breach Response’ plans and test them. A data breach will have to be reported to data protection agencies and customers as soon as possible, which the latest draft states as ‘within 24 hours’. Should this be passed in the final draft, it will mean significant upgrades in incident management processes and detection and response capabilities.
6. Start preparing to meet “right to be forgotten”, “right to erasure” and the “right to data portability” requirements. This will mean reviewing and implementing data classification, retention, collection, destruction, storage and search requirements for all customer management processes including contact centre and marketing functions. It will also mean securing ‘explicit consent’ from individuals and detailing how this information will be used by them and any third parties.
7. Start reviewing your legal and commercial position if your company relies on intergroup transfers or sharing of data, especially if your firm relies on revenue streams from processing customer data or transmission to other 3rd parties.

What does this mean for the consumer?

Companies will have to be accurate and explicit about what they do with customer data and be in a position to present this information to their customers on demand. This means a consumer will be able to ask an organisation to:

1. Tell them why their company has a legitimate interest in keeping their data. This maybe a statutory (FCA) or contractual requirement in their terms of sale.
2. Explain their consumer rights in full including the right of the consumer to have the ‘right to be forgotten’.
3. Explain what data profiling has taken place highlighting the significance, consequence and logic involved. This will include an explanation of any ‘big data’ processing that has taken place and the internal records available showing how the individual consumer data has been treated. i.e. automated processing of personal data to assess personal aspects, such as performance at work, economic situation, health, personal preferences etc.
4. Explain new ‘portability’ rules on how their private information can be transferred from one company to another.

What the implications in terms of breach and subsequent fines?

This is far from clear at this draft stage. Fines are proposed to be linked to percentage of global turnover and range, depending on “the nature, gravity and duration of the infringement” from 0.5% to 2% (with 5% mentioned in earlier drafts) Minimum fines are also mentioned from Euro 250,000 to Euro 1,000,000.

Governments will also be able to prevent fines being served on businesses “where the infringements are already subject to criminal sanctions in their national law”.

Under the rules on fines being considered, data protection authorities (DPAs) would have to ensure that the fines they issue are “effective, proportionate and dissuasive”.

What redress will customers have?

The key point is that this is EU legislation and not a directive, which means there is no requirement for a long adoption process in each EU member country. This also means that EU citizens can pursue claims through their national courts.

In terms of process, EU customers can ask the company to provide information, and if they do not get a satisfactory reply, they can contact the Information Commissioners Office at www.ico.org.uk. As a first point of action, there is a standard letter template available on the website to help customers write to the company to make a formal complaint. Customers can also check if the organisation is registered under the Data Protection Act, has a registration number and a named Data Controller .to address the compliant to. Today, aproximately 400,000 UK companies are registered.

If a customer has had their credit card details stolen, the losses are typically recovered by the credit card company and the customer is not expected to pick up the cost of a data breach.

If a customer has had their identity stolen it might be difficult for them to quantify what lost they suffered as a result and their first point of call would be the ICO who will be able to give clear and precise advice on the most reasonable interpretation of the current and new data protection legislation when it becomes law in 2017. They could find out from the ICO whether they had a basis for making a claim.