Local data management company CommVault attributes the recent £2.3 million fine imposed on Zurich Insurance for a data breach to the lack of strict data-protection regulation and enforcement in SA.
International insurance group Zurich Insurance was recently fined for losing the personal details of 46 000 South African and Botswana clients.
Britain's Financial Services Authority (FSA) explained that Zurich Insurance had outsourced some data work to the company's South African unit, which lost an unencrypted backup tape in August 2008.
The FSA said the loss wasn't discovered until a year later, potentially exposing details of customers' identities - in some cases bank account and credit card information - and other financial data.
CommVault explains that the loss came to light only a year later, and only once the UK arm of the company became aware of the breach, because South African law does not require companies to disclose data leaks to local customers.
“Questions must be asked about why this sensitive data was not encrypted, why the local company didn't tell anyone about the breach until the UK office started investigating, and what the state of its internal corporate governance structure is,” says Bryan Balfe, business development director at CommVault Systems.
Underrated threat
Most companies still do not realise the risks of poor data management, says Balfe.
“Companies need to realise the value of their data and how it should best be managed to avoid huge costs for storing, hunting down and retrieving lost information and, in the worst cases, public embarrassment or litigation by not being able to locate critical data in time,” advises Balfe.
“High levels of organic growth over the last 10 years have kept companies so busy tending to operations that there hasn't been time to plan effectively. This includes the way information is managed, as opposed to stored or transferred,” he explains.
Balfe advises CEOs to question their CIOs on data management issues, such as how long data should be retained, how it is audited, secured and stored, and how regularly retrieval from backups should be tested.
He adds that companies need a pre-planned approach to data recovery, instead of routinely incurring enormous unbudgeted crisis expenses for e-discovery that do not fix the underlying problem.
Lessons learnt
Balfe acknowledges that cost is an obstacle to encryption, as it is a fairly demanding piece of the data management puzzle, but argues that the IT investment is negligible compared with the reputational cost of a breach.
He advises the local industry to learn from Zurich Insurance's costly mistake. “Any sensitive data leaving a building must be encrypted. If it is not, consider the risk to a business's competitiveness, brand and financial security should a breach occur.”
Companies need to take better care of data and, when there is a failure, take responsibility for containing the resulting risk of fraud against end customers, he warns.
Balfe argues that SA's regulatory bodies need to start taking more notice of data protection; until then, financial services companies and others are under no obligation to inform customers when their personal information has been compromised.
“Ultimately, it is the CEO and not the CIO that will be the one carrying the can for data foul-ups, so it's worth giving encryption another look,” says Balfe.
“Saying either, 'I didn't know,' or 'it didn't seem necessary', won't serve as mitigation when disaster strikes,” he concludes.