Barry Mccormack

We are watching you!

Updated: Jan 15, 2022



Despite the new privacy laws like GDPR and the Data Protection Act 2018, personal data is collected extensively in regulated industries to uncover suspicious persons. Money services firms, for instance, have a duty to monitor your ongoing behaviour if you transact with them. What’s more, your data is not always kept securely, as in the case of the large credit reference company Equifax.

When Equifax was hacked, its data stores contained a wealth of personal information on 143 million US citizens, and it was not just credit card details and background credit history. The company lost information relating to gender, date of birth, phone numbers, driver’s licence numbers, email addresses, social security numbers, payment card numbers, photographs relating to identification documents and tax identification numbers. Passport information was also stolen, which the company originally denied. The cause was a failure to keep its software patches up to date. Recent company reports indicate that it has cost them 1.3 billion dollars in legal fees and defending the breach.

Some firms in the UK collect more information than you may think. Companies who perform money transfer and foreign exchange services, accountants, estate agents, gambling providers, high value dealers, and their small agents and franchisees are bound by HMRC know-your-client (KYC) rules. They are required to perform customer due diligence (CDD), and the larger the transaction value, the more personal information is required (enhanced due diligence, known as EDD). They are legally obliged to perform these checks and they don’t need your consent.

They may ask for proof of identity information such as passport and driving licence details, NI numbers, photographic ID, utility bills etc., which is made known to you at the time of collection. However, additional information such as criminal records, sanction lists or politically exposed persons lists may be sought and combined, and if they find something suspicious they are not obliged to tell you, under “tipping off” rules.

They also check to see if you are sanctioned. Sanction lists containing the names of suspicious persons can be obtained from Interpol’s most wanted, the US Treasury, HM Treasury, the Bank of England watch list and the World Compliance watch list, for instance. These lists attempt to identify nationals, entities and groups who are prohibited from making financial transactions. These lists are shared internationally. It adds up to a lot of personal information held about you.

The government, through HMRC and the FSA, makes it mandatory that these information categories are checked for financial transactions to enforce anti-money laundering (AML) rules and prevent terrorist financing and organised crime activity.

Companies who store this information and don’t protect themselves properly with information security measures are putting your privacy at risk. This is particularly concerning for small micro companies such as foreign exchange agents, money transfer franchises and agents, or estate agents, who might only have a handful of employees and cannot afford to employ proper cyber security professionals. HMRC mandates that this information is stored for six years.

Seven and a half thousand small businesses had a data breach or incident in the last year. Having said that, Equifax is a large company. Attackers made nine thousand queries against out-of-date, unpatched software, and these went unnoticed.

If you have your identity stolen via a data breach and a loan is taken out in your name, I think most of us would be rightly concerned about the lack of privacy and security surrounding your information. The effects can be devastating financially and can have an effect on your mental health and family wellbeing.

Worryingly, once you have had your identity stolen, the mainstream advice is to go to a company like Equifax to monitor your own financial activity for suspicious transactions or to put a freeze on your credit. This is the very same company that was compromised and did not report its data breach for two months.

Companies covered by these HMRC rules have an ethical duty to protect their customers’ data. Figures published in the Government’s 2019 cyber study on data breaches state that only 32% have done a cyber risk assessment in the last year, and around 32% of businesses reported a cyber breach. Only 16% of firms have a cyber security incident process in place. It is still uncommon for firms to check their suppliers for cyber risks, even though they have a legal duty to do so.



If you would like some help with fixing your GDPR or security problems, please contact me for a free, no-obligation chat. I can guide you to achieve best practice and compliance.

#DPO #Privacy #GDPR #InformationSecurity #GDPRConsultant #GDPRAssistance #SecurityAssistance #DataStrategy
