Directors’ personal data is gold dust for cyber criminals

8 Jun 2016 02:52 PM

Blog posted by: Ian Davies - Deputy Chairman of BMT Group and Senior Independent Director at the Institute of Chartered Accountants in England and Wales, 08 June 2016.

Dear Mr or Mrs Private Company Director – do you know who you are handing your personal information to and why?

Whenever a third party asks for your personal details there is an information security risk. Do you know how securely they will treat your information? With the level of hacking activity today, something as small as a postcode and a date of birth can be enough for criminals to gain access to private financial information.

It could be banks asking for personal details of holding company directors in connection with subsidiary guarantees in other countries. Yet, if the overseas operation is small, a bank demanding details of the holding company’s directors is entirely disproportionate. Similarly, if the company pension scheme changes fund manager, the new manager can come harvesting directors’ personal details – again, wholly unnecessary and something private company directors need to be diligent about.

While it seems rare for directors to question why outside organizations need their personal data in relation to company matters, they should, without reservation, be demanding evidence of why it is needed, how it will be secured and how it will eventually be disposed of safely.

How has this hunger for information from company directors become a generally accepted practice?

It is a laxity on the part of those asking for it: instead of weighing the risks, they err on the side of holding too much rather than too little information. The British Pregnancy Advisory Service is a cautionary tale. It lost the names and addresses of people who had contacted it for advice and was fined £200,000 for holding on to information it did not need. Only enforcement action by the Information Commissioner’s Office, or significant adverse publicity, seems to make organizations act more responsibly with the data they hold.

However, directors are equally culpable in thinking they must simply hand over personal data when asked, as a necessity of doing business. Handing over information without considering the implications is walking into a trap.

So, what should directors – or a company secretary – do to reduce the risk of personal data falling into the wrong hands?

To give directors confidence that their personal information is well protected, it might take a new “kite mark” scheme denoting good practice in holding data securely. Even without that, there is existing guidance – schemes such as Cyber Essentials, and the Information Commissioner’s Office’s data protection guidance – on how to hold data in relation to transactions and how to expunge it once it is no longer needed.

Organizations adopting a recognizable “Gold Standard” in plain English for how to deal with information would give business people more confidence in handing over personal information.

But indiscriminate disclosure of such data to careless organizations is making company directors and their financial affairs hostages to misfortune.

See our RESILIA section for more information about cyber security and data protection.

Download our cyber resilience guide, Are your people playing an effective role in your cyber resilience? (PDF, 165KB).

Read Ian Davies’ previous blog post for AXELOS, Cyber Resilience: what does it mean to the board and why do they need to care?