A glitch in big-four bank First National Bank's (FNB's) mobile app has exposed the personal information of customers applying for home loans through the digital platform. It was discovered that if an FNB client used the mobile app to apply for a home loan, they could easily see the personal details of other home loan applicants. The exposed data includes personally identifiable information, such as names, identity numbers and contact details.

An FNB client who discovered the exposed data has since informed the Information Regulator, asking it to take the necessary measures against the big-four bank.

"I wish to lodge a complaint against First National Bank in respect to a breach of personal information through their banking application," the client reported to the regulator. "Whilst applying for a home loan through the service, I noticed that I was able to access other individuals' personal information, such as ID numbers, contact details and various financial information, which is visible to other applicants, including my personal information.

"I have documented this by way of screenshots and have evidence to support this data breach. I believe my rights in terms of the POPI Act [Protection of Personal Information Act] have been infringed and poses a huge personal security risk," stated the client.

"Your e-mail contents have been noted and will be addressed with the responsible party," says a complaints and investigations officer of the Information Regulator in an e-mail.

Under South Africa's data privacy law, the Protection of Personal Information Act (POPIA), organisations must inform the Information Regulator if they expose the personal information of data subjects to unauthorised third parties without their approval. FNB has acknowledged exposing the personal information of its clients, saying it is in the process of notifying the relevant authorities, as well as those who have been impacted.

While the financial institution has rushed to disable the app functionality in question, it did not disclose how many customers were impacted. Says the bank in a statement: "FNB is aware of a technical error that made the information of certain home loan applicants, such as full names and ID numbers, visible to other home loan applicants who logged in via our digital channels. FNB takes the privacy and protection of customer information very seriously, and the affected functionality has since been temporarily disabled to resolve the root cause of the issue. We are in the process of contacting the affected customers and the appropriate regulator. Customers requiring any assistance can contact us through Secure Chat on the FNB app."

FNB recently made sweeping changes to its brand, including a redesign of its popular banking app. The FNB app, introduced more than a decade ago, saw its active transacting base exceed 4.7 million customers, based on results for the year ended 30 June 2022.

The data exposure comes at a time when the Information Regulator is receiving an unprecedented number of reports about data breaches in South Africa. Speaking during the Governance, Risk and Compliance 2023 conference last week, advocate Pansy Tlakula, chairperson of the Information Regulator, revealed that data breaches are a big problem in this country - much bigger than people think.

"Every public body, every private body that has suffered a security compromise or data breach has to notify us - there is no threshold. Even if one person was breached, they still have to notify us. If you look at 500 (it's 564 to be precise), it means that in a month, this country suffers about 56 data breaches - major and minor ones," she revealed. "I think we are one of the highest in the world with data breaches."

POPIA sets down firm frameworks that companies have to abide by to avoid fines, criminal prosecution and potential reputational loss. Breaching the rules and regulations outlined by this Act can have serious financial implications for the business - repercussions that can cost a fortune and have long-lasting consequences, such as reputational damage. The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.

Apply your knowledge of the governance of the risk management programme to discuss the three (3) layers of involvement to manage information risk in the above FNB case. (10)

Write an answer for 10 marks, based only on these three layers: operational level, strategic layer, tactical layer.

1 answer

To effectively manage information risk in the case of the First National Bank (FNB) data breach, a comprehensive approach through three layers of involvement—operational, tactical, and strategic—is essential. Each layer contributes uniquely to reducing risk and ensuring compliance with relevant regulations, such as the Protection of Personal Information Act (POPIA).

1. Operational Layer

At the operational level, the primary focus is on the implementation of day-to-day practices that ensure data privacy and security. This includes several components:

  • Data Access Controls: FNB must ensure that sensitive customer information is accessible only to authorized personnel. The glitch that allowed home loan applicants to view each other's information indicates a failure in access control mechanics, which should be rigorously enforced.

  • Employee Training: Staff must be adequately trained in data protection and privacy practices, particularly those who handle customer information. Regular workshops and reminders about the importance of safeguarding customer data can mitigate human error.

  • Incident Response Protocols: Establishing clear protocols for identifying, reporting, and managing data breaches will enhance operational response capabilities. This involves setting up a dedicated team to handle incidents and ensuring they are well-versed in responding swiftly to data exposure situations.

2. Tactical Layer

The tactical layer involves the implementation of specific processes and technologies designed to manage information risk effectively. In FNB's context, this could include:

  • Technology Solutions: Deployment of robust IT security solutions like encryption, intrusion detection systems, and constant monitoring to identify anomalies or unauthorized accesses. Enhancing the application’s architecture to prevent similar glitches from exposing sensitive information is crucial.

  • Audits and Assessments: Regularly scheduled audits of information systems and processes can help identify vulnerabilities before they lead to breaches. Risk assessments should not only focus on technology but also on workflows that handle sensitive data, ensuring they align with best practices.

  • Change Management: Any modifications to digital platforms, like app updates or feature changes, should undergo rigorous testing (including penetration testing) to prevent potential vulnerabilities from being introduced. FNB must implement a structured change management process to evaluate risks associated with enhancements.

3. Strategic Layer

At the strategic level, the focus is on long-term planning and alignment with organizational goals and regulations:

  • Governance Framework: Establishing a clear governance framework that outlines roles, responsibilities, and accountability for data protection. This can include appointing a Chief Data Protection Officer (CDPO) to oversee compliance with POPIA and other data protection regulations.

  • Culture of Data Privacy: Developing an organizational culture that prioritizes data privacy and security. This requires leadership to actively promote the importance of protecting customer information and embedding these values into the organization's mission and operations.

  • Stakeholder Engagement: Engaging stakeholders, including customers, regulators, and partners, to build trust and transparency in the organization’s data handling practices. FNB needs to communicate effectively about measures taken to resolve the breach and improve data security, which includes regular updates on compliance with data protection standards.

In conclusion, managing information risk at FNB necessitates a layered approach that encompasses operational efficiency, tactical technological interventions, and strategic governance. Each layer reinforces the others, ultimately leading to a more resilient framework for data protection that aligns with law and enhances customer confidence in the bank's commitment to safeguarding their personal information.
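The answer above says the glitch "indicates a failure in access control mechanics" and that app changes should be tested before release. The following is an added illustration, not part of the article or of the answer, of the bug class whose symptom matches what the article describes: an authenticated applicant requests a home-loan application by its ID and the handler returns it without checking that the caller owns it (broken object-level authorization). FNB did not disclose its root cause, and nothing here claims to be it; the in-memory store, the user IDs, the application IDs and the function names are all constructed for this example. The vulnerable handler is shown beside the hardened one, together with the authorization test a change-management gate could run against either before a release.

```python
"""Added illustration (not from the article or the answer above) of the bug
class whose symptom matches the one described: an authenticated applicant
asks for a home-loan application by its ID and the handler returns it
without checking that the caller owns it (broken object-level authorization).
FNB did not disclose its root cause and nothing here claims to be it. The
store, IDs and names below are constructed for the example.
"""

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Application:
    application_id: int
    owner_id: str      # authenticated account that submitted the application
    full_name: str
    id_number: str     # identity number: personal information under POPIA
    phone: str


# Constructed sample data: three applicants, one application each.
APPLICATIONS = {
    1001: Application(1001, "user-a", "Applicant A", "ID-A-0001", "+27 82 000 0001"),
    1002: Application(1002, "user-b", "Applicant B", "ID-B-0002", "+27 82 000 0002"),
    1003: Application(1003, "user-c", "Applicant C", "ID-C-0003", "+27 82 000 0003"),
}

Handler = Callable[[str, int], Optional[Application]]


def get_application_insecure(caller: str, application_id: int) -> Optional[Application]:
    """Vulnerable form: login was checked upstream, so the handler assumes any
    authenticated caller may read any record. The client-supplied ID is the
    only thing selecting the record, and sequential IDs are trivially guessed."""
    return APPLICATIONS.get(application_id)


def get_application_secure(caller: str, application_id: int) -> Optional[Application]:
    """Hardened form: the lookup is scoped to the caller. Both "no such record"
    and "not your record" come back as None, so the API can answer 404 for
    each and a caller cannot use the endpoint to learn which IDs exist."""
    record = APPLICATIONS.get(application_id)
    if record is None or record.owner_id != caller:
        return None
    return record


def count_cross_applicant_reads(handler: Handler, caller: str) -> int:
    """Authorization check a release gate can run before a change ships:
    acting as `caller`, request every known application ID and count the
    records that belong to someone else. The only acceptable result is 0."""
    leaked = 0
    for application_id in APPLICATIONS:
        record = handler(caller, application_id)
        if record is not None and record.owner_id != caller:
            leaked += 1
    return leaked


if __name__ == "__main__":
    for handler in (get_application_insecure, get_application_secure):
        leaks = count_cross_applicant_reads(handler, "user-a")
        print(f"{handler.__name__}: user-a can read {leaks} other applicants' records")
```

Run as a script, the insecure handler lets `user-a` read the two records belonging to other applicants while the hardened one lets through none. In a real service the ownership condition belongs in the data-access query itself (a `WHERE owner_id = ?` alongside the record ID) rather than in a check bolted onto one handler, so that every code path that reaches the table enforces it; the enumeration test is the kind of pre-release check the answer's change-management bullet calls for.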