5 minute read 8 Nov 2018

How companies are working to secure their data


EY Americas

Multidisciplinary professional services organization


Businesses and governments are racing to stay ahead of thieves and protect personal data. What should your business consider?

The age of criminals sneaking into buildings in the dead of night to steal secrets is over. Should infiltrators want to take information from a company in the 21st century, they are likely to break in completely undetected in broad daylight, taking several months to explore every room and high-security vault to assess what is worth stealing. Then – and only then – will the hackers strike.

The security guards one might expect to be monitoring cameras or pacing hallways are instead hunched up over their computers, poring over web traffic on the group network, hoping to spot anomalies. In the face of ever-developing threats, companies must be vigilant to equip themselves against cyber criminals who are moving faster than most national governments can keep up with.

“You can’t realistically stop an infiltration of a network by a hacker if they really want to get in – I don’t care how good your encryption and your security is,” says Scott DePasquale, Chairman of the Rhode Island Cybersecurity Commission.

“What you can prevent is them taking and exfilling [extracting] that data and information out.” A sophisticated hack can be catastrophic for a company. If it is executed with skill and precision, companies can lose sensitive product information to corporate espionage, reams of consumer information to malicious hacking syndicates and potentially a significant chunk of its share price once the world finds out – and find out it will.

For tax departments, data loss is particularly dangerous. Company data will contain tax information that is required to be disclosed only to tax authorities, and companies do not want this commercially sensitive information stolen and made public. The tax world has recently seen the leakage of confidential documents, first in Hong Kong and then later in Luxembourg. Both leaks triggered extensive press coverage, much of it negative for the companies involved.

Guarding personal data

As if the threat of data loss were not enough, companies operating in the European Union (EU) will soon have to contend with harmonized legislation designed to protect consumers from having their data lost, stolen or exploited.

“Personal data protection, as of today, is not a priority in practice,” says Fabrice Naftalski, an EY Practice Group Leader – IP/IT Data privacy. “Confidentiality is a priority because companies want to protect their know-how, their strategic information, their financial information – but they are not very interested in the protection of personal data. That’s something that needs to be improved in the management of transactions.”

The EU’s data protection regulation (the Regulation) asks much more of companies when it comes to data privacy and security, making them more accountable in their role as data custodians.

“It’s not accountability as in the US, [where] very often when you speak from accountability you refer to self-regulation,” says Naftalski. “Under the EU Regulation, companies will have to implement specific procedures, specific tools, as provided by the regulations. There will be less flexibility.”

The Regulation was first presented in January 2012 by the European Commission and is expected to be voted on by the EU Parliament in late 2015 or early 2016. A two-year transition period will follow, giving companies time to prepare to be compliant. Impact assessments will be required for sensitive data processing.

Two years is not a long time to overhaul IT systems designed to store data rather than delete or obscure it. And although compliance with the Regulation will make data far safer, the penalties proposed in draft versions of the Regulation would impose fines of €1 million (US$1.13 million) or 5% of a company’s global turnover, groupwide, should companies fail to adequately protect customer data. Customer information will have to be deleted after a certain time period, and it may become compulsory for every company to appoint someone to take responsibility for data protection.

The easiest way to protect consumer data is to delete it as soon as it is no longer required. “German law says that if you don’t need data anymore, then you must delete it, and if you must retain it, then you limit the access,” says Peter Katko of EY.

“For instance, you may buy what could be considered ‘embarrassing items’ online. Then you pay, and then warranty periods expire, so there is no more need for the online retailers to actually keep this data.”

This presents a unique challenge for tax departments, however. Many jurisdictions require companies to retain data for 10 years or more.

“Maybe you returned the items and the retailer deducted the loss in the books because they had to unwind the purchase contract, and then after eight years the tax authority questions this,” hypothesizes Katko. “You must prove this scenario, and therefore you have the retention.”

Incentives versus regulation

Governments outside of Europe will be carefully watching the progress of the EU Regulation, but the approach will certainly not be mimicked worldwide. In the US, a more free-market approach is favored; bills are moving through the House of Representatives and the Senate that seek to remove legislation preventing data sharing with the Government.

“I think incentives are better than regulations,” says DePasquale, Chairman of the Rhode Island Cybersecurity Commission. “What we need to do is make sure that organizations don’t perceive sharing, engagement and addressing the issue as a big liability.”

DePasquale is also an advocate of information sharing between companies and governments, an area that is already beginning to open up. “If you’re financial services, if you’re in-house for a defense contractor, you want to be sharing threats with others,” he says.

Staff must also be trained to avoid threats while in the office. “The weakest link in an organization is the insider, and the insider threat can either be nefarious or unwitting,” says DePasquale. “If one of your employees or one of your stakeholders opens up an email that they shouldn’t, or they open up an attachment, they can give a hacker immediate administrative access to the system, unwittingly.”

Companies cannot expect to get by on annual refresher courses; they must promote good cyber hygiene as rigorously as conventional hygiene is promoted in restaurants.

Security is now the responsibility of everyone – not just the poor fellow on the night desk who gets the blame when an opportunist thief shimmies in through an upstairs window and steals the CEO’s golf clubs.

Key action points

  • Invest in the right technology: The best technology is necessary not only to guard against hackers, but to achieve compliance with the new EU data protection regulation.
  • Invest in the right skills: Every organization needs people with the skill set to assess the malicious threats and potential threats that can arise from data privacy issues. Every company should identify someone to take ultimate responsibility for data protection.
  • Invest in staff: Make certain staff are not only given adequate training, but constantly made aware of the importance of data protection, particularly when working remotely. Good cyber hygiene should be systemic.


Companies need to invest in the right technology, staff and skills to protect their data.
