Data Security Session at CERC – good start, but not enough time. We need to do more work in relocation.
I was fortunate enough to be part of a panel at the recent Canadian Employee Relocation Council’s annual conference: Protecting Assignee Data Through the Supply Chain. I had the pleasure of speaking with Mirela Marin of Manulife Financial and Waqas Akkawi of SIRVA Global Relocation. This topic is incredibly important. All Points Relocation Service Canada is a boutique relocation provider and, as such, I was there to represent small business. I explained how arduous a task it is both to become secure and to maintain that security. When SIRVA and Manulife think of data security down through the supply chain they are specifically thinking about small business, and that is why I was invited to the panel.
So many great subjects were covered in the discussion and I was proud to be part of it. Unfortunately, this was a bigger topic than the time allotted and there were a number of subjects that remained untouched.
Who is responsible for a breach?
Mirela articulately spoke to her concerns about the potential loss of one of her assignees’ data and said that she needed assurance as to who would be responsible if that happened: the small business or her much larger relocation provider? The answer was that the larger relocation provider would be financially responsible. Unfortunately, by the time blame and damages are assessed under either the GDPR or PIPEDA, that transferee’s data has already been stolen. In addition, the relocation company can subrogate some of the cost to the sub-contractor, as that is how many of the Data Transfer Agreements read. Any serious fine could put the sub-contractor out of business.
PIPEDA is different
Even though GDPR holds the larger relocation provider (the controller of information in GDPR parlance) responsible for the breach, this does not necessarily reflect how PIPEDA fines are applied. The PIPEDA fines take effect in November and will result in fines of up to $10,000 per breach. Under these circumstances, if a small business sub-contractor of a large relocation company had a data breach, the fine would be against the small business, not the large relocation provider. We did not have time to discuss this in our session.
But the data is out!
Again – to the person whose data has been stolen in a breach, finding out who is financially responsible is moot. Their data has been stolen. The point I was making on the panel was that our industry is simply not ready for the new world of data security and is not prepared from a security perspective. I have had many small businesses tell me that they have great faith in their IT employees, but an IT employee and a security expert are two very different things. Once upon a time, a good firewall and anti-malware and anti-virus packages bought from the internet were sufficient. Now they are not even close to sufficient to keep your company secure from a data breach.
Ask yourself these questions
Ask the person responsible for your security whether they are familiar with security tools such as a SIEM, a continuous monitoring service, endpoint protection, IDS and IPS, and DLP. If they answer no to any of these, you are not protected. Large relocation companies have sent out Data Transfer Agreements to some of their relocation sub-contractors, holding these companies responsible for maintaining a high level of security and for any data breach. I made the point on the panel that many small businesses were signing these Data Transfer Agreements without actually being prepared from a security perspective.
Not all providers are being asked about their security.
Since becoming involved with data security at All Points Relocation Service Canada I have also discovered that important players in our industry have not received these Data Transfer Agreements. The evidence appears to be that neither movers nor real estate lawyers have been asked to sign Data Transfer Agreements. Yet, in both cases, they may handle seriously private material. For a cross-border move, a mover will handle a colour copy of a passport and a work permit. The real estate lawyer is privy to detailed financial, mortgage and title information. These companies need to have the same level of security that is being asked of immigration firms, relocation firms and destination service providers.
And small businesses are an easy way into private data for hackers. A small business is known to be a far easier target than the larger clients it serves. At one point Waqas noted the resources at his disposal. Small businesses can’t possibly have these resources at hand. But because they are attractive targets it is even more important that they be data secure. And even if the larger relocation company is responsible from GDPR’s perspective, a data breach may be very disruptive to our industry’s supply chain, which is full of small businesses. According to the National Cyber Security Alliance, one in five small businesses falls victim to cybercrime each year. And of those, some 60 percent go out of business within six months of an attack.
Even though the start date for GDPR has come and gone, we are still a long way from being a data secure industry. It is my contention that no matter how many Data Transfer Agreements have been sent and signed, audits must be done, and these have to go beyond quarterly electronic questionnaires. They require site visits and penetration tests. To be honest, most small businesses need more time and may need to sell themselves to larger companies with greater resources. Yes, we have had a while to prepare for GDPR, but getting secure is a huge task for small businesses.
Adding a security regime can be tough for small business
And, as I pointed out in the panel discussion, ours is a mature industry and many of these companies operate on thin margins. Asking them to place a data security regime on top of that is very hard. It is a large expense and a lot to learn. As mentioned above, however, there are open source tools available that can be knit together by a talented security professional. This still costs a lot of money, but a lot less than the enterprise solutions available to the larger companies. Not only do I believe that small companies can be secure, I believe it is now the price of entry to playing in relocation at all.
Proper vetting is required for a restful sleep
At one point in the discussion, Mirela from Manulife said that she was kept up at night by the possibility of a breach at a supplier in the supply chain. In my opinion, her fear is sound. Our transferees’ data is no more secure down through the supply chain now, after the institution of GDPR and all those Data Transfer Agreements, than it was before they were in place. It is up to the large relocation management companies to properly police our industry and, in order to create a fair playing field, I believe this means penetration testing of all suppliers. It is not fair that some suppliers are investing in top level security while others are not. And more importantly, it is not fair to the assignee whose data is stolen.