Compliance Institute was featured in media coverage in ifsc.ie (Online)
More than one in two (53pc) compliance professionals believe that data protection rules have been breached in their organisation at one time or another. An even greater number (62pc) acknowledged that they are aware of such breaches having taken place in organisations they previously worked in.
A new survey by Compliance Institute, which polled 230 Compliance Professionals working primarily in Irish financial services organisations nationwide, found that almost one-fifth (19pc) of those asked said they were aware of more than one instance of a data breach situation in their organisation.
Two-thirds (65pc) of compliance experts reported that they believe certain data protection breaches go unreported to varying degrees.
When asked to identify what they believe are the factors contributing to organisations not reporting data protection breaches, nearly half of those surveyed (48pc) believe that businesses, for the most part, do not intentionally neglect to report breaches. 46pc, however, think that concerns about potential damage to their brand reputation might lead organisations to keep such violations confidential. Fewer survey participants said that penalties linked to data breaches and scrutiny from regulatory authorities were contributing factors.
Michael Kavanagh, CEO of the Compliance Institute, commented on the survey findings: “The reality is that data breaches can occur within even the most vigilant and secure organisations, underscoring the need for constant diligence in safeguarding sensitive information. Recent reports give weight to the contention that no organisation is 100pc impervious to a breach”. The Compliance Institute points to two examples of the vulnerabilities of even the most accountable organisations.
Mr. Kavanagh continued, “In August of this year, the Central Bank of Ireland, the nation’s financial services watchdog, suffered an archiving error data breach that impacted the retention of certain data on borrowers' credit reports stored within the Central Credit Register (CCR)[1]. Following this, the Data Protection Commission (DPC) has initiated an inquiry into the breach.
Also, earlier this year, a disclosure made under the Freedom of Information Act revealed that Revenue said there had been 256 data breaches throughout last year, with a further 119 in the period from January to June 2023”.
Findings from the Compliance Institute’s Data Breach Survey revealed:
A majority of surveyed compliance professionals (65pc) assert that breaches frequently go unreported, with a substantial quarter (24pc) going so far as to believe that "many" breaches are left unaddressed.
Less than half (48pc) express confidence that organisations would not wilfully fail to report a breach.
The predominant deterrent for reporting appears to be the fear of damaging brand reputation (46pc), closely followed by the apprehension of being held accountable (44pc). Additionally, a significant four in ten (40pc) are of the opinion that penalties and regulatory scrutiny act as disincentives for reporting incidents.
Mr. Kavanagh added, “Organisations have distinct obligations and responsibilities in safeguarding data, and even when they diligently meet their legal requirements, errors can occur. These errors typically include IT blunders, human oversight, and malicious cyber activities, among various other potential pitfalls. Expecting absolute invulnerability from every organisation is unrealistic, particularly considering the relentless pace at which cybercriminals advance their tactics to steal data. The response protocol an organisation takes following a breach holds equal importance to its pre-emptive security measures”.
From May 25, 2018, the General Data Protection Regulation (GDPR) mandated that organisations promptly notify the relevant supervisory authority of any personal data breach that poses a risk to affected individuals. This notification must be executed within a stringent timeframe of 72 hours from the moment the organisation becomes aware of the breach[2].
Mr. Kavanagh explained, “Reporting a breach ensures that individuals affected by the breach are informed promptly. Early reporting can help mitigate the damage caused by a breach and reduce the potential harm to data subjects and the organisation's reputation. Furthermore, reporting breaches provides an opportunity for the business to assess vulnerabilities, identify weaknesses in security protocols, and take corrective measures to prevent future incidents from occurring”.
Mr. Kavanagh concluded, “When a data breach goes unreported, individuals or businesses whose sensitive information is compromised remain unaware, leaving them vulnerable to theft, fraud, and other malicious activities. Furthermore, a lack of regulatory compliance can result in hefty fines and damage to customer trust, as transparency and accountability are the cornerstones of a professional relationship. Moreover, unreported incidents prevent organisations from learning from their mistakes and taking the necessary steps to strengthen data security defences.
If you believe that a privacy incident has occurred in your workplace, it is vital to promptly report it to your company’s Compliance Officer or your line manager”.
[1] Central Bank of Ireland - Public Statement: Update on Central Credit Register error
[2] Data Protection Commission - Breach Notification