Even Facebook, often perceived as being fairly cavalier with its users’ personal data, is rolling out new security.
They probably needed to do this. Research from the Huffington Post last year showed that only 3% of US adults have “a lot” of trust in Facebook, while 62% trust Facebook “not very much” or “not at all”.
Consumers may be right to be suspicious of the way that Facebook looks after their data. But while Facebook has apparently been hacked, this suspicion is probably more due to the way they use data, and not because they have a tendency to lose it.
Facebook holds huge amounts of personal data. So do banks. But while people worry about Facebook, they are oddly sanguine about their bank. In fact, according to recent research from Capgemini, trust levels for UK banks are at 83%, compared with 28% for ecommerce firms and just 12% for telcos.
The trust gap
That’s good news for the banks. In fact, while only 3% of adults think their own bank has been hacked, some 26% of banks have reported a breach – a massive difference between what consumers think and reality. This high level of trust may at least in part be because banks are failing to tell consumers that they have been breached.
But will this trust last? It is significant that the gap between reality and perception is lowest in the USA where mandatory breach reporting requirements are far higher than they are in Europe or countries like India.
This is set to change, in Europe at least. The GDPR, due to take effect in May 2018, requires breaches to be reported to consumers where significant damage to consumers has occurred (or is likely to occur) as a result of the breach. This differs from the current requirements under the Data Protection Act, which contains no requirement to notify consumers.
Of course, if a breach goes undetected, it can’t be reported! And the Capgemini research indicated that only 21% of banks were confident they were highly likely to detect a breach. This is worrying, not just because detecting a breach matters in itself, but because a failure to detect breaches may well indicate failures in other areas of data security.
It hardly comes as a surprise that just under a third (31%) of UK banks and insurers take between three months and a year to patch and manage vulnerabilities on critical systems. And fewer than half of them (45%) have fully automated cyber threat intelligence processes.
As consumers, we can only hope that GDPR acts as a wake-up call to banks, prodding them into greater and more effective efforts to protect our data. And if it doesn’t, banks should reflect on the fact that fully 80% of UK consumers say they are likely to switch banks and insurers in the event of a data breach.