
The data breach at HMRC, which placed 25 million people at risk of identity theft, has brought information governance back to the fore. Early indications suggest that failures in risk management, procedural failures and human error were to blame.
Risk managers who fail to take data security seriously expose their organisations to heavy financial losses and, often, fines. Securing personal information is not just savvy commercial practice; it is a legal requirement.
All organisations store sensitive personal data electronically, within a computer network or on removable media such as CDs. This may be customer transaction data or simply personal employee information, such as bank and health details. These details will often be shared with other organisations as companies outsource functions, particularly in accounting and human resources.
The ever-changing business environment has a direct effect on a company's risk profile, which changes in step with new business models. The expansion of global supply chains and the heightened dependence on outsourcing mean that security risks are becoming harder to quantify and prevent. The new risks that come with relying on networks and handling digital data must be addressed by risk managers in the same manner as the more traditional risks.
One of the most interesting issues raised by the HMRC incident is that it demonstrates that having a security policy in place does not, by itself, protect an organisation from a breach. Good data security relies on strict internal guidelines for the handling of data and the use of Privacy Enhancing Technologies (PETs), implemented through comprehensive staff training. This ultimately leads to a data-security culture being created, and it is essentially the responsibility of the board. A lack of training allows basic mistakes to creep into day-to-day working practices. In the case of the HMRC breach these were a failure to separate out the sensitive data before it was sent, a failure to encrypt the data, and a failure to send the data via a secure digital transfer system.
If a private corporation had been the culprit instead of HMRC, the financial loss to that firm would have been substantial, possibly running into hundreds of millions of pounds to cover costs such as consumer notification, call centre capacity (to deal with customers whose records had been compromised), ongoing third-party credit monitoring, claims for identity fraud, litigation expenses and damages, and regulatory defence and settlement costs.
Most organisations probably have insufficient insurance protection for such an event, if any, because standard property and liability policies cover only tangible assets and specifically exclude the new risks associated with data and IT networks. Specialist data privacy and network security policies have been developed, particularly in the London insurance market, to address these exposures, including cover for notification expenses and regulatory fines and penalties.
Organisations should take heed and look to close this gap in insurance coverage. New powers given to the Information Commissioner's Office permit it to undertake data audits without an organisation's invitation. Firms found to be complacent will be named and shamed and may well face adverse media attention, a loss of consumer confidence and, ultimately, a fall in share price.
Jeremy Smith, Head of Cyber IT and Risk, Jardine Lloyd Thompson
About Jeremy Smith
Jeremy joined JLT in 2007 and is responsible for cyber risks at Jardine Lloyd Thompson Limited. He began his career in insurance in 2002 with Zurich, one of the leading global insurers, initially working as a professional indemnity underwriter. In 2006 Jeremy created the IT Risks division at Zurich Professional in response to demand from the IT community for more specialist underwriting. Over the past year Jeremy has been instrumental in the development of Jardine Lloyd Thompson's cyber products and has been active in raising awareness of digital risks and their associated exposures.