Lost hard drives could lead to reputational loss

"It takes 20 years to build a reputation and five minutes to ruin it; if you think about that you will do things differently." - Warren Buffett. Wale Arewa, CEO of Xperien, discusses reputational risk.


Johannesburg, 11 Jun 2015

Increasingly common nowadays is the news that corporate company X has lost the personal data of its loyal customers, says Wale Arewa, CEO of Xperien. Apart from corruption, it is the most common source of reputation risk today!

The digital universe is growing 40% a year into the next decade; vast amounts of this information are personal information, intellectual property and other trade secrets stored by companies. All this data needs to be kept safe. Savvy companies realise the value of sharing information, so they invest millions of rands in access control, encryption, anti-malware, anti-virus and firewalls to prevent hacking and, ultimately, to protect themselves against data loss.

However, when computers come to the end of their service, it usually spells the end of service for the security features installed on the equipment. It is at this stage that computers are most vulnerable to data loss that could lead to reputation risk.

Protecting your data when computers reach the end of useful life is simple if the proper processes are implemented. This is achieved by either digital or physical destruction of the data that resides on the computers' hard drives. However, unlike network security software, which can easily identify computers that are risky, there is no software that provides risk information for computers once they are out of service.

Failure to implement a professional process will expose your company to the peril of data loss. Hardly a week goes by without the media exposing incidents of data loss. For the companies concerned, it defines their character, deficiencies and their capabilities. This can result in longer-term damage for an organisation that does not implement effective data security for its IT equipment. It is for this reason that Parliament has enacted the Protection of Personal Information Act 4 of 2013 (the POPI Act). Companies are now required by law to have data protection officers, policies and processes.

Data protection legislation is good for business because the peril of non-compliance could be far greater than any penalties prescribed by the legislation, i.e., reputational risk can, in extreme cases, result in business closure.

Let's define reputational risk:

Reputational risk, also referred to as reputation risk, is a risk of loss resulting from damages to a firm's reputation, in lost revenue, increased operating, capital or regulatory costs, or destruction of shareholder value, consequent to an adverse or potentially criminal event even if the company is not found guilty. Adverse events typically associated with reputation risk include ethics, safety, security, sustainability, quality, and innovation. Reputational risk can be a matter of corporate trust.[1]

This type of risk can be informational in nature that may be difficult to realise financially. Extreme cases may even lead to bankruptcy (as in the case of Arthur Andersen). Recent examples of companies include: Toyota, Goldman Sachs, NatWest and BP. The reputational risk may not always be the company's fault, as per the case of the Tylenol cyanide panic, after seven people died in 1982. [2] - Wikipedia.

Reputational risk due to loss of personal information can easily be mitigated if companies comply with the provisions of the POPI Act. This law lays the groundwork for the development of a process that will protect both the companies and potential victims.

In 2014, data was up 49%; this rate of increase would suggest all companies will eventually be exposed to this risk. An area commonly overlooked by most corporate companies is the security of data when computers are disposed of. For this reason, the POPI Act is actually a very good piece of legislation because it focuses attention on areas traditionally ignored by industry. If companies comply with the provisions of the POPI Act, it will mitigate the risk of data loss that may lead to reputational loss and promote sustainability in the company.

The POPI Act is good for business because:

* The Act requires the role and responsibility to be channelled through an information officer.
* It compels a responsible party to have a procedure that will be updated according to best practice.
* It sets the criteria to develop executive policy.

Ultimately the Act will not protect you against reputational risk, but it will certainly mitigate the risk of reputational loss. If you want to comply with the provisions of the POPI Act, you can consider outsourcing all IT-related disposals to a professional service provider.

Most of the direct risk from computers at the end of life comes from hard drive theft, which nobody likes to talk about. Below are some of the scenarios that may exist in your organisation.

* Messy storerooms - computers are made difficult to access and count because syndicates remove the internal hard drive.
* Hotswap drives - vanishing from live servers.
* Couriers - deliver computers that have missing hard drives.

All these scenarios expose you to data loss. The POPI Act has decreed the appointment of a regulator whose main objective will be to expose companies that suffer data loss, and this is reputation risk.

Xperien has been implementing solutions to prevent these types of losses for organisations since 1999. That's 14 years before the Act was gazetted. Its policies and procedures, if followed, will remove the risk of data loss in the disposal of your IT equipment.

Xperien can be contacted on telephone number +27 11 462 8806 and e-mail address: itad@xperien.co.za.

Editorial contacts

Wale Arewa
Xperien
itad@xperien.co.za