Lessons to learn from a year of data breaches

In the year since the HMRC data breach, many more have been made public – here’s a roundup of 11 lessons (we should have) learned.

By Nicole Kobie, 17 Nov 2008 at 15:03

gallery

Financial firms didn’t need the research to realise data breaches can be costly, however. As such companies are governed by the Financial Services Authority – which has the power to fine – they know all too well the costs associated with such mishaps.

Merchant Securities Group was fined £77,000 even though it didn’t even have a security breach, but simply because its methods risked enabling one.

At the time, Margaret Cole, the director of enforcement at the FSA, said: “It is unacceptable that despite increased awareness of data security issues, a firm should be so careless about its systems for protecting customers’ personal details. People have a right to expect their details to be kept secure and firms should be committed to treating their customers fairly in all aspects of their business.”

Right on, Margaret. Right on.

Lesson 11: The ICO needs more power
Of the 277 data breaches the ICO has investigated over the past year, it’s taking action against 30 organisations. That’s not a lot.

The actions it can take generally consist of sending an angry letter demanding changes to processes, to ensure the guilty body learns to comply with the Data Protection Act. For the most part, this means deleting unnecessary data and encrypting portable media devices – which is what the watchdog made Virgin Media do in the wake of a lost disc.

Under the threat of prosecution, most organisations seem to just buy some encryption software and get on with business. Not really much of a deterrent, is it?

Members of the government and the information commissioner himself have all called for stronger powers. Thomas said last year that his limited powers were a "very bizarre situation, unlike virtually all the other data protection authorities around the world and most other regulatory bodies, such as the Financial Services Authority."

Indeed, until the watchdog gains the power to fine like the FSA or data breaches become criminalised, it’s going to continue to be little more than a source of good advice often ignored – and some nasty letters now and then.

1 2 3 4 5

Email to a friend

Print this page

< Previous Security : Analysis & Insight Next >

4 comments

You need to Login or Register to comment.

Data Breaches and Theft - a Solution?

I like to pass along things that work, in hopes that good ideas make their way back to me. Data breaches and thefts are due to a lagging business culture – and people aren’t getting the training they need. As CIO, I look for ways to help my business and IT teams further their education. Check your local library: A book that is required reading is \"I.T. WARS: Managing the Business-Technology Weave in the New Millennium.\" It also helps outside agencies understand your values and practices. The author, David Scott, has an interview that is a great exposure: http://businessforum.com/DScott_02.html - The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action. In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a breach.

By Ip_johnfranks999 on Tuesday Nov 18

Data Breaches and Theft - a Solution?

By Ip_johnfranks999 on Tuesday Nov 18

RE:

Fudge and fear I\\\'m afraid. Of course it is wrong that data should be lost and the hints are common sense about what to do. But there is absolutley no evidence in the article or elsewhere that the data has been misused. Regulation should be commensurate with risk, and risk is not a matter of guessing but INFORMED judgment.

By cping5000 on Friday Nov 21

How about avoiding the problem in the first place?

All of the breaches mentioned have one thing in common; data being stored on a physical device that was \"portable\". Whilst a PC may not be seen as portable, it was still a \"local\" device that was able to be removed from a place of work with private data on it. As well as a security risk, locally stored data is also a massive headache for businesses attempting to achieve a \"single point of truth\" for the company data and records. Storing information locally leads to multiple \"versions\" of the truth, leading to confusion and inefficiency. The fact that the data can also find its way into the wrong hands is the icing on the cake. Centralised, cloud based platforms that offer data integrity AND data security are the way forward. They offer a single point of truth for all data, a complete audit trail of activity for all users and data and are easily accessed, but only by the relevant personnel.

By tristan66 on Monday Nov 24