ITPRO

Printed from www.itpro.co.uk


    The lessons of Nationwide's lost laptop

Security, as they say, is a journey not a destination. Threats don't stand still and you never know what's going to happen until it hits you.

By Ron Condon, 23 Apr 2007 at 14:19

Well-planned incident management will include people whose role it is to ensure effective communications with other departments, such as legal, marketing, corporate affairs as well as IT and business operations.

"We are now seeing specific communication roles being built into incident management models. They are there to monitor and communicate what is going on to other parties. If companies don't have that in place, then they should consider it," he says.

The big question then is when to communicate with the customers, the people who may be affected by the security breach. In many states of the US, full disclosure is already mandatory where personal data security is breached, and it is likely that the EU will adopt similar legislation some time over the next couple of years.

But for the moment, there is no such obligation here, and our financial services companies have tended to go to any length to avoid bad publicity.

Marcus Alldrick knows some of the reasons for the reticence, having worked as head of information security at Abbey Bank before joining KPMG. First, there is the danger of provoking a copycat attack - thieves might be tempted to target other laptops from the company that suffered the original breach.

There is also the danger of first-party fraud, with customers putting in false claims. "If you announce that a number of customer accounts have been compromised, then you run the risk of people claiming their accounts have suffered fraudulent activity, whereas they are in fact the perpetrator," he says.

A big announcement will also alert the thief to the value of the data held on the machine.

Rather than selling it down the pub for a few pounds, he might be tempted to find a higher bidder for the information.

Nevertheless, the Nationwide case does seem to have had a salutary effect on the rest of the financial services industry. When an employee of the Halifax Bank recently suffered the theft from his car of a briefcase containing paper documents with customer details on them, the bank was quick to make a public announcement. No customer would suffer financial loss, it said, and its procedures would be reviewed. And yes, it did already encrypt files on laptops. The fast response defused the situation quickly, and on balance, probably made the Halifax look like a company that really cared about its customers.
