Search results

1 – 10 of over 5000
Book part
Publication date: 18 July 2022

Sonal Trivedi and Reena Malik

Abstract

Introduction: The insurance industry is vulnerable to attacks as it deals with the personal information of its consumers and puts the insurance company’s business at risk in the event of data breach or abuse. To ensure the security of customer data, insurance companies must comply with various data protection requirements, including requirements imposed by laws, regulations, and standards. Following such a wide range of conditions can be challenging for insurance providers. For a long time, risk management has controlled data protection to ensure compliance with data protection law and ensure that data are processed correctly and that people’s fundamental rights are protected effectively.

Purpose: This chapter explains the role and significance of risk management. An organised way to identify and assess risks, mitigate or avoid risks as much as possible, and then manage and accept the remaining risks, implemented in data protection as needed, explained by the supervisory authority, is implemented by the responsible organisation. This document highlights the growing consensus surrounding risk management as an essential tool for adequate data protection. Furthermore, it addresses vital considerations that affect the role of risk in data protection law and practice.

Need for study: There is an increasing consensus towards the role and significance of risk management in data protection in the insurance market. As a result, regulators and legislators are focussing on valuable and new attention on standardising and expanding data protection in risk management practices. This paper has attempted to identify critical issues and principles of risk management in data protection.

Methodology: Secondary data analysis was conducted in this study by reviewing literature related to data protection, risk management, and the insurance sector. Again, ScienceDirect was used as a source of information. For this study, the literature review approach was chosen since it allows us to trace the growth of the subject matter and identify the patterns that have formed through time.

Findings: The insurance industry comprises general insurance and life insurance. It is found that there are various studies conducted on the privacy violation and data breaches of individuals in the insurance industry. The study also identifies the factors causing privacy issues and recommends improving data privacy management in the insurance market.

Practical implications: The current study can be referred to by academicians, marketers, industry people, and policymakers. In addition, the study encourages companies and academicians to investigate further the process of data protection in the insurance industry.

Big Data Analytics in the Insurance Market
Type: Book
ISBN: 978-1-80262-638-4

Article
Publication date: 1 January 1977

Abstract

A distinction must be drawn between a dismissal on the one hand, and on the other a repudiation of a contract of employment as a result of a breach of a fundamental term of that contract. When such a repudiation has been accepted by the innocent party then a termination of employment takes place. Such termination does not constitute dismissal (see London v. James Laidlaw & Sons Ltd (1974) IRLR 136 and Gannon v. J. C. Firth (1976) IRLR 415 EAT).

Managerial Law, vol. 20 no. 1
Type: Research Article
ISSN: 0309-0558

Article
Publication date: 7 July 2023

Steven Muzatko and Gaurav Bansal

Abstract

Purpose

This research examines the relationship between the timeliness in announcing the discovery of a data breach and consumer trust in an e-commerce company, as well as later trust-rebuilding efforts taken by the company to compensate users impacted by the breach.

Design/methodology/approach

A survey experiment was used to examine the effect of both trust-reducing events (announced data breaches) and trust-enhancing events (provision of identity theft protection and credit monitoring) on consumer trust. The timeliness of the breach announcement by an e-commerce company was manipulated between two randomly assigned groups of subjects; one group viewed an announcement of the breach immediately upon its discovery, and the other viewed an announcement made two months after the breach was discovered. Consumer trust was measured before the breach, after the breach was announced, and finally, after the announcement of data protection.

Findings

The results suggest that companies that delay a data breach announcement are likely to suffer a larger drop in consumer trust than those that immediately disclose the data breach. The results also suggest that trust can be repaired by providing data protection. However, even after providing identity theft protection and credit monitoring, companies that fail to promptly disclose a breach have lower repaired trust than companies that promptly disclose.

Originality/value

This study contributes to the literature on e-commerce trust by examining how a company's forthrightness in reporting a data breach impacts user trust at the time of the disclosure of the data breach and after subsequent efforts to repair trust.

Internet Research, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 1066-2243

Article
Publication date: 20 January 2012

M. Naughton, I. Callanan, A. Guerandel and K. Malone

Abstract

Purpose

Medical confidentiality derives from the Hippocratic Oath and has been affirmed in most codes of professional conduct, including the Irish Medical Council's guide to professional conduct and ethics. The Irish Data Protection Act 1988 and Amendment 2003 bring this responsibility into a legal forum. The aim of this audit is to assess how comprehensively medical tutors/consultants instilled knowledge and appreciation of confidentiality and data protection to medical students in a prominent Dublin University Hospital.

Design/methodology/approach

Breaches in data protection legislation by final year medical students were identified by means of a questionnaire. Changes were made to the curriculum (presentations, notices on students' e‐learning interface and induction manual) and to the exams in psychiatry, to increase awareness of data protection legislation. Students at the same point in their education were re‐assessed one year later to see if the interventions were helpful in increasing knowledge and improving adherence to data protection legislation.

Findings

Significant breaches of the data protection legislation at baseline and follow up were identified. Examples include: “Data shall be kept for one or more specified, explicit and legitimate purposes” – when asked if they would inform patients that assessments were for submission of a case report, 44 per cent at baseline and 56 per cent at follow‐up said yes. “Appropriate security measures shall be taken against unauthorised access” – 52 per cent password‐protected their computer at baseline and 59 per cent did at follow‐up. Of those that had no password protection at baseline, 70 per cent of their computers were used by others, with little change in this at follow‐up (68 per cent). At baseline 52 per cent kept a copy of reports on USB devices compared to 46 per cent at follow‐up. 26 per cent admitted to losing a USB device in the past. “Data should not be kept longer than is necessary for that purpose” – 63 per cent admitted keeping electronic copies of case reports on their computers following submission at baseline and 64 per cent at follow‐up. “Data should be made anonymous” – 96 per cent at baseline and 100 per cent at follow‐up used initials when submitting case reports to make the data anonymous.

Practical implications

What was disappointing was that, while knowledge and awareness of obligations under data protection legislation improved following intervention, breaches in compliance still remained.

Originality/value

This is the first such audit in Ireland on the provision of educational training in the area of data protection legislation to medical students. It is likely that such breaches by medical students reflect the tip of the iceberg in relation to probable breaches amongst registered healthcare professionals. The challenge now facing the medical profession and healthcare services is to effect behavioural change to improve compliance with data protection legislation.

Clinical Governance: An International Journal, vol. 17 no. 1
Type: Research Article
ISSN: 1477-7274

Article
Publication date: 18 September 2019

Matteo La Torre, Vida Lucia Botes, John Dumay and Elza Odendaal

Abstract

Purpose

Privacy concerns and data security are changing the risks for businesses and organisations. This indicates that the accountability of all governance participants changes. This paper aims to investigate the role of external auditors within data protection practices and how their role is evolving due to the current digital ecosystem.

Design/methodology/approach

By surveying the literature, the authors embrace a practice-oriented perspective to explain how data protection practices emerge, exist and occur and examine the auditors’ position within data protection.

Findings

Auditors need to align their tasks to the purpose of data protection practices. Accordingly, in accessing and using data, auditors are required to engage moral judgements and follow ethical principles that go beyond their legal responsibility. Simultaneously, their accountability extends to data protection ends for instilling confidence that security risks are properly managed. Due to the changing technological conditions under which auditors operate, the traditional auditors’ task of hearing and verifying extends to new phenomena that create risks for businesses. Thus, within data protection practices, auditors have the accountability to keep interested parties informed about data security and privacy risks, continue to transmit signals to users and instill confidence in businesses.

Research limitations/implications

The normative level of the study is a research limitation, which calls for future empirical research on how Big Data and data protection is reshaping accounting and auditing practices.

Practical implications

This paper provides auditing standard setters and practitioners with insights into the redefinitions of auditing practices in the era of Big Data.

Social implications

Recent privacy concerns at Facebook have sent warning signals across the world about the risks posed by Big Data systems in terms of privacy, to those charged with governance of organisations. Auditors need to understand these privacy issues to better serve their clients.

Originality/value

This paper contributes to triggering discussions and future research on data protection and privacy in accounting and auditing research, which is an emerging, yet unresearched topic.

Managerial Auditing Journal, vol. 36 no. 2
Type: Research Article
ISSN: 0268-6902

Article
Publication date: 20 October 2021

Al Sentot Sudarwanto and Dona Budi Budi Kharisma

Abstract

Purpose

The purpose of this paper is two-fold: to explore the legal issue of the importance of personal data protection in the digital economy sector and to propose a legal framework for personal data protection as a consumer protection strategy and accelerate the digital economy.

Design/methodology/approach

This study is legal research. The research approach used was the comparative approach and statute approach. The legal materials used are all regulations regarding personal data protection that apply in Indonesia, Hong Kong and Malaysia. The technique of collecting legal materials is done by using library research techniques.

Findings

The value of Indonesia’s digital economy is the biggest in the Southeast Asia region, but data breach is still a big challenge to face. The Indonesian Consumers Foundation (Yayasan Lembaga Konsumen Indonesia) recorded 54 cases of a data breach in e-commerce, 27 cases in peer-to-peer lending and 5 cases in electronic money. Based on the results of a comparative study with Hong Kong and Malaysia, Indonesia has yet no specific Act that comprehensively regulates personal data protection. Indonesia also does not have a personal data protection commission. Criminal sanctions and civil claims related to data breaches have not yet been regulated.

Research limitations/implications

This study examines the data breach problem in the Indonesian digital economy sector. However, the legal construction of personal data protection regulations is built on the results of a comparative study with Hong Kong and Malaysia.

Practical implications

The results of this study can be useful for constructing the ideal regulation regarding the protection of personal data in the digital economy sector.

Social implications

The results of the recommendations in this study are expected to develop and strengthen the protection of personal data in the Indonesian digital economy sector. Besides aiming to prevent the misuse of personal data, the regulation aims to protect consumers and accelerate the growth of the digital economy.

Originality/value

Indonesia needs to create a personal data protection act. The act should at least cover such issues: personal data protection principles; types of personal data; management of personal data; mechanism of personal data protection and security; commission of personal data protection; transfers of personal data; resolution mechanism of personal data dispute and criminal sanctions and civil claims.

Journal of Financial Crime, vol. 29 no. 4
Type: Research Article
ISSN: 1359-0790

Article
Publication date: 8 June 2020

Vasiliki Diamantopoulou, Aggeliki Tsohou and Maria Karyda

Abstract

Purpose

This paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended to adequately meet data protection requirements set by the General Data Protection Regulation (GDPR); it also indicates security management actions an organisation needs to perform to fulfil GDPR requirements. Thus, ISO/IEC 27001:2013 compliant organisations can use this paper as a basis for extending the already existing security control modules towards data protection; and as guidance for reaching compliance with the regulation.

Design/methodology/approach

This study has followed a two-step approach; first, synergies between ISO/IEC 27001:2013 modules and GDPR requirements were identified, by analysing all 14 control modules of the ISO/IEC 27001:2013 and proposing the appropriate actions towards the satisfaction of data protection requirements. Second, this paper identified GDPR requirements not addressed by ISO/IEC 27001:2013.

Findings

The findings of this work include the identification of the common ground between the security controls that ISO/IEC 27001:2013 includes and the requirements that the GDPR imposes; the actions that need to be performed based on these security controls to adequately meet the data protection requirements that the GDPR imposes; and the identification of the remaining actions an ISO/IEC 27001 compliant organisation needs to perform to be able to adhere with the GDPR.

Originality/value

This paper provides a gap analysis and a further steps identification regarding the additional actions that need to be performed to allow an ISO/IEC 27001:2013 certified organisation to be compliant with the GDPR.

Information & Computer Security, vol. 28 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 8 January 2020

Jean Pierre Guy Gashami, Christian Fernando Libaque-Saenz and Younghoon Chang

Abstract

Purpose

Cloud computing has disrupted the information technology (IT) industry. Associated benefits such as flexibility, payment on an on-demand basis and the lack of need for IT staff are among the reasons for its adoption. However, these services represent not only benefits to users but also threats, with cybersecurity issues being the biggest roadblock to cloud computing success. Although ensuring data security on the cloud has been the responsibility of providers, these threats seem to be unavoidable. In such circumstances, both providers and users have to coordinate efforts to minimize negative consequences that might occur from these events. The purpose of this paper is to assess how providers and users can rely on social media to communicate risky events.

Design/methodology/approach

Based on the Situational Theory of Publics and trust, the authors developed three research questions to analyze stakeholders’ communication patterns after a security breach. By gathering Twitter data, the authors analyzed the data security breach faced by the Premera Blue Cross’ Web application.

Findings

The results indicate that Premera acted as the main source of information for Twitter users, while trustworthy actors such as IT security firms, specialists and local news media acted as intermediaries, creating small communities around them. Theoretical and practical implications are also discussed.

Originality/value

Social media could be used for diffusing information of potential threats; no research has assessed its usage in a cloud-based security breach context. The study aims to fill this gap and propose a framework to engage cloud users in co-securing their data along with cloud providers when they face similar situations.

Industrial Management & Data Systems, vol. 120 no. 3
Type: Research Article
ISSN: 0263-5577

Article
Publication date: 8 April 2024

Princely Ifinedo, Francine Vachon and Anteneh Ayanso

Abstract

Purpose

This paper aims to increase understanding of pertinent exogenous and endogenous antecedents that can reduce data privacy breaches.

Design/methodology/approach

A cross-sectional survey was used to source participants' perceptions of relevant exogenous and endogenous antecedents developed from the Antecedents-Privacy Concerns-Outcomes (APCO) model and Social Cognitive Theory. A research model was proposed and tested with empirical data collected from 213 participants based in Canada.

Findings

The exogenous factors of external privacy training and external privacy self-assessment tool significantly and positively impact the study's endogenous factors of individual privacy awareness, organizational resources allocated to privacy concerns, and group behavior concerning privacy laws. Further, the proximal determinants of data privacy breaches (dependent construct) are negatively influenced by individual privacy awareness, group behavior related to privacy laws, and organizational resources allocated to privacy concerns. The endogenous factors fully mediated the relationships between the exogenous factors and the dependent construct.

Research limitations/implications

This study contributes to the budding data privacy breach literature by highlighting the impacts of personal and environmental factors in the discourse.

Practical implications

The results offer management insights on mitigating data privacy breach incidents arising from employees' actions. Roles of external privacy training and privacy self-assessment tools are signified.

Originality/value

Antecedents of data privacy breaches have been underexplored. This paper is among the first to elucidate the roles of select exogenous and endogenous antecedents encompassing personal and environmental imperatives on data privacy breaches.