Data protection compliance is very much on internal audit's radar. However in the latest instance Sage, a FTSE 100 company, announced a data breach (11 August) and at the same time announced that its share price had fallen 3.9%.
Such an announcement clearly brings home the message to internal audit and to our stakeholders – ie board and audit committees – that data breaches aren't simply a reputational issue or a potential sanction issue, they can actually impact on the value of the business and impact on potential shareholders investing in the business.
According to the announcement, published on IT Governance, Sage notified roughly 280 of its UK business customers that their data, including employee financial and salary data, may have been affected by a breach.
According to The Antisocial Engineer the breach was conducted by an employee but it is unclear, at this point in time, whether the data was stolen or just viewed. The announcement confirms that City of London police are investigating the case, and the ICO has been informed, although there is nothing as yet on the ICO website.
From an internal audit perspective there are several actions that could be considered:
|1. Does your organisation use Sage?|
|2. Does your organisation know whether or not the payroll data of employees been accessed?||It appears, from the announcement that employees financial and salary data may have been accessed, ie there is a risk of identity theft|
|3. Does your organisation outsource any of its financial functions including payroll?||If so there is a need to confirm whether or not the provider uses Sage and if so what action they have taken or are taking|
|4. If your organisation uses Sage what action now needs to be taken to mitigate the risk to employees and others?||Perhaps a communication from finance/HR to advise staff to monitor their accounts in case of identity theft|
|5. Develop a response plan if employee data has been breached|
It would also be useful to prepare a briefing to internal audit stakeholders to ensure they are aware of the Sage data breach. Remind them of the true cost of a data breach: reputational, remediation costs, sanctions and also that share prices may also fall, as was the case with Sage.
Experian have produced some useful guidance in this area: Data Breach 'A Customer First' Approach for Response Effectiveness
ICAEW's member magazine Economia also reported the Sage story