GDPR: Banks, Breaches, and Billion Euro Fines. Why The 72 Hr Notification is the Biggest Risk for Businesses
Incidents of data breaches are rising: not a day goes past without a new incident hitting the news, and worse, they are almost impossible to prevent. We now live in a society where it’s a matter of when, not if, a breach will hit. Data breaches already present a significant career risk for executives, with customer, brand, regulatory and financial consequences. But the real question is how new regulation in the form of the General Data Protection Regulation (GDPR) will heighten these risks for financial institutions.
With under a year to go before the regulation comes into force, we commissioned Consult Hyperion to quantify the potential impact of GDPR on European financial institutions, and distill 10 years of AllClear ID best practice on how to effectively respond to a data breach.
The research GDPR: Banks, Breaches and Billion Euro Fines forecasts that European financial institutions could face fines totaling €4.7 billion in the first three years under GDPR. This forecast is conservative and excludes compensation claims, costs associated with lost customers, damaged reputations and senior executive resignations.
Data Breach Forecast and GDPR Fines

| Type of bank | Total number of banks | Forecast average fine (millions) | Forecast breaches | Estimated fines (millions) |
|---|---|---|---|---|
| Total Year One | | | | €1,554m |
| Total Over Three Years | | | | €4,662m |

(The per-bank-type rows of this table are not reproduced here; only the totals survive.)
Under GDPR, financial penalties for a data breach are substantial. Institutions can receive fines of up to 2% of the previous year’s global annual revenues for a first offence and 4% for repeat offences where the regulator has previously ordered remedial action. There are also possible criminal penalties for executives deemed responsible.
The 72-hour notification challenge
GDPR’s 72-hour breach notification requirement means managing and responding to a data breach in an open and effective manner is critical. Regulators have significant discretion in the level of penalties they can levy, and are required to take planning, customer notification and mitigation into account in the decision.
Tim Richards, Principal Consultant at Consult Hyperion, says: “The highest risk item in the GDPR is the 72-hour breach notification requirement, and banks are not mitigating this.” He continues: “Data breaches are an unfortunate fact of life for financial institutions, and our analysis suggests that there have been no fewer than 27 data breach incidents among European Tier 1 banks in the last decade, with some banks as multiple offenders, potentially liable for fines at the 4% level. This indicates an 8% chance that any Tier 1 bank will suffer a data breach in any given year. These figures, we believe, are conservative, and banks are not prepared for the consequences under GDPR.”
A regulatory cocktail
Compounding the GDPR issue for financial institutions are a range of other new European regulations – ePR, AMLD4 and AMLD5, and PSD2. Each of these individually creates a compliance headache, and combined they constitute a minefield as complying with one regulation exposes potential liabilities under the others:
- GDPR imposes 72-hour notification and mitigation requirements on data breaches
- ePR extends the definition of personal data to cover anything that can be used to contact a customer
- PSD2 requires that banks open up APIs to allow third-parties to access customer data with the appropriate consent of the customer – using two factor authentication – and potentially exposes legacy core banking systems via new digital channels
- AMLD4 and AMLD5 require additional customer data to be stored and held for up to five years after any business relationship has ended
In summary, these regulations mandate institutions hold more data and make it available over open interfaces, just when data loss becomes especially dangerous.
Target vs. Home Depot
The US retail chains Home Depot and Target both suffered serious data breaches, but the results of these in terms of executive loss and quarterly earnings could hardly be more different. The quality of the response to a breach makes a huge difference.
| | Target | Home Depot |
|---|---|---|
| Population Affected | 40 million | 56 million |
| Time to Notify | Weeks | Days |
| Quality of Response | Low | High |
| ∆ in US Same Store Sales (QoQ%) | -0.4% | +5.8% |
| ∆ in Quarterly Earnings | -46% (12.31.13 – 2.28.14) | +14% (9.1.14 – 10.31.14) |
| Executive Loss | CEO + CIO | None |
Target’s quarterly earnings dropped 46% and its CEO and CIO resigned, while Home Depot’s earnings actually increased, and they suffered no executive losses.
Don’t plan to fail
The report offers pragmatic advice to financial institutions on mitigating the risk of a data breach and ensuring compliance. Three crucial elements are required: the expertise to deal with breach-specific issues including identity theft, the specialized manpower to handle the volume of queries generated when the breach is publicized, and the infrastructure for secure communication channels to notify customers.
We know a poorly managed customer notification in the wake of a breach makes you look like a fool. Financial institutions are myopically focused on preventative measures, ignoring the importance of resilience. History tells us that companies that have dealt with data breaches poorly have seen loss of customers, reduced earnings and board-level resignations, while those with a prepared plan and a managed response have sidestepped these issues.
GDPR raises the stakes even higher. With only 72 hours to react, financial institutions that have not invested in response readiness will face the most serious fines and collateral business damage.
To take a deeper look at the research, you can download it here: https://www.allclearid.com/business/resource/banks-breaches-billion-euro-fines/