Another week, another few million records lost

gallery

The Home Office is understood to be disappointed that the loss, which happened at a contractor’s premises, was reported in some quarters as a Government data breach.

Penalties for breaches

Opposition politicians have called for criminal penalties for those who expose private data. A more realistic proposal might be to introduce legislation, along the lines of the Database Security Breach Notification Act, or SB-1386, which requires companies to tell their customers if their personal data has fallen into the wrong hands.

SB-1386 is generally credited with forcing US companies to tighten their data security measures, not least because data breaches are almost guaranteed widespread, negative publicity.

As a result, organisations doing business in the US have had to increase their use of encryption and other data protection technology, as well as updating policies on how data is handled.

These are measures that UK organisations would to well to copy, says Philip Wicks, a security expert at IT services firm Morse. “Policies and procedures should be put in place, as well as technology controls that either stop people being able to download sensitive information onto these devices or ensure that the data is encrypted," he warns. "At the moment there seems to be a culture of letting anyone download anything onto a memory stick. This simply isn't sensible.”

But the loss of Home Office prison data, perhaps more than the appearance of Graphic Data’s storage drives on eBay, raises the question of how much power companies – and governments – have to enforce security rules on employees, business partners or third party contractors. The tightest security policies will be of no use if they can be overridden or ignored.

Nor are sanctions, contractual, criminal or otherwise, of much practical value to either to individuals or organisations that suffer data losses. Although the board might be clamouring for penalties, the chief information officer (CIO) or chief information security officer (CISO) needs to think about how better to protect the organisation from further damage.

In many cases the key response of an organisation to a breach or non-compliance with data protection policies will be to understand what went wrong, to limit exposure and to ensure that it does not happen again, says Seamus Reilly, a director in the Technology and Security Risk Services team at Ernst & Young. “In many cases an organisation will be more interested in getting non compliances fixed rather than looking to penalise an outsource partner, if one has been involved,” he said.

But CIOs also need to look at how systems, and quite possibly outsourcing contracts, are designed and whether data security has been given enough emphasis.

“As part of any outsourcing approach an organisation needs to ensure that it can convey to its outsourcing provider the type and value of the data that it is entrusting to it,” added Reilly. “It also needs to ensure that the policies and security countermeasures in place in the outsource provider matches or exceed those the organisation uses providing internally.”

Ultimately, compliance with data protection policies relies on everyone understanding the value of personal information.

That in turn depends on trust: trust between outsourcer and client, between employer and employee and between the public and those we allow to handle our data. After the events of the last few days, IT professionals will have to work even harder to rebuild that relationship.

Email to a friend

Print this page