Directors’ personal data is gold dust for cyber criminals

8 Jun 2016 02:52 PM

Blog posted by: Ian Davies - Deputy Chairman of BMT Group and Senior Independent Director at the Institute of Chartered Accountants in England and Wales, 08 June 2016.

Dear Mr or Mrs Private Company Director – do you know who you are handing your personal information to and why?

For all of you, there is an information security risk when third parties are asking for your personal details. Why? Do you know how securely they will treat your information? With hacking activity today, it needs only a postcode and a date of birth for criminals to access private financial information.

It could be banks asking for personal details of holding company directors or subsidiary guarantees in other countries. Yet, if the overseas operation is small, banks demanding details of holding company directors is entirely disproportionate. Similarly, if the company pension scheme has a change of fund manager, the latter can come harvesting directors’ personal details – again, wholly unnecessary and something private company directors need to be diligent about.

While it seems rare for directors to question why outside organizations need their personal data in relation to company matters, they should without reservation be demanding evidence for why it’s needed, how it will be secured and eventually disposed of safely.

How has this hunger for information from company directors become a generally accepted practice?

It is a laxity on the part of those asking for it: instead of realizing what the risks are, they err on the side of having too much rather than too little information. The example of the British Pregnancy Advisory Service is a cautionary tale. It lost the names and addresses of people making contacting for advice and was fined £200,000 for holding on to information it didn’t need to. Only prosecutions by the Information Commissioner’s Office, or significant adverse publicity, seem to make organizations act more responsibly with the data they hold.
 
However, directors are equally culpable in thinking they should just hand over personal data when asked as a necessity of doing business. Handing over information without considering the implications is like falling into a trap.

So, what should directors – or a company secretary – do to reduce the risk of personal data falling into the wrong hands?

• Take a stand and ask for answers in writing from whoever is requesting the information
• Ask the critical questions:
  • Why do you need the information?
  • Where are your going to store it?
  • How long are you going to hold it?
  • What is your protocol for removing it when no longer required?
• Be aware of what can happen when data goes missing, for example, having your identify stolen. This can usher in a period of hell if it happens to you. Try completing a transaction on a new home when your identity is stolen after exchange of contracts, the bank freezes your accounts and you’re left with a 15% interest charge on the outstanding amount owed. This type of occurrence is not a fiction.
• Think like hackers think – encourage your friends to not send a “Happy 50th Birthday” message to you via social media, as that reveals your date of birth and cyber criminals are trawling the internet for this type of information.
• Take action in the event that a bank refuses to rescind guarantees your business might have needed at start-up stage but no longer. Changing your bank means you won’t need new guarantees and the threat of that alone should bring an apology and capitulation from your existing bank. Otherwise, they will attempt to hang on to information and guarantees for as long as they can, without justification.

To give directors confidence that their personal information is well-protected, it might need a new “kite mark” scheme denoting good practice in holding data securely. Even without that, there is existing guidance – best practice like Cyber Essentials – explaining how to hold and expunge data in relation to transactions.

Organizations adopting a recognizable “Gold Standard” in plain English for how to deal with information would give business people more confidence in handing over personal information.

But indiscriminate disclosure of such data to careless organizations is making company directors and their financial affairs hostages to misfortune.

See our RESILIA™ section for more information about cyber security and data protection.

Download our cyber resilience guide, Are your people playing an effective role in your cyber resilience? (PDF, 165KB).

Read Ian Davies' previous blog post for AXELOS, Cyber Resilience: what does it mean to the board and why do they need to care?.