
The data breach at HM Revenue & Customs (HMRC), which placed 25 million people at risk of identity theft, has brought information governance back to the fore.
Early indications suggest that risk management failures and human error were to blame. Those risk managers who fail to take data security seriously run the risk of being on the receiving end of heavy financial losses and often fines. Securing personal information is not just savvy commercial practice, but a legal requirement.
All organisations store sensitive personal data electronically, whether within a computer network or on removable media such as CDs. This may involve customer transactions or may simply be personal employee information, such as bank and health details. These details will often be shared with other organisations as companies outsource functions, particularly in accounting and human resources.
The ever-changing business environment has a direct effect on a company's risk profile, which often changes in unison as new business models develop. The expansion of global supply chains and the heightened dependence on outsourcing mean that security risks are becoming harder to quantify and prevent. The new risks associated with relying on networks and using digital data must be addressed by risk managers in the same manner as they would consider the more traditional risks.
One of the most interesting issues raised by the HMRC incident is that it demonstrates that companies are not exempt from security breaches simply by having a security policy in place. Good data security relies on strict internal guidelines on the handling of data and the use of privacy-enhancing technologies, which are then put into practice through comprehensive staff training. This will ultimately lead to a data culture being created.
Essentially, it is the responsibility of the board. A lack of training will lead to basic mistakes creeping into day-to-day working practices. In the case of the HMRC breach, these were a failure to separate the crucial data, a failure to encrypt the data, and a failure to send the data via a secure digital transfer system.
If a private corporation had been the culprit instead of HMRC, the financial loss to that firm would have been substantial, possibly running into hundreds of millions of pounds to cover costs such as consumer notification, call-centre capacity (to deal with customers whose records had been compromised), ongoing third-party credit monitoring, claims for identity fraud, litigation expenses and damages, and regulatory defence and settlement.
Most organisations probably do not have sufficient, if any, insurance for such an event, as normal property and liability policies only provide cover for tangible assets and specifically exclude the new risks associated with data and IT networks. Specialist data privacy and network security policies have been developed, particularly in the London insurance market, to address these exposures, including cover for notification expenses and regulatory fines and penalties.
Organisations should take heed and look to address this gap in insurance coverage. New powers given to the Data Commissioner's Office permit it to undertake uninvited data audits. Firms that are found to be complacent in their approach to security management will be named and shamed and may well face adverse media attention, resulting in a loss of consumer confidence and ultimately a fall in share price.
Jeremy Smith, Head of Cyber IT and Risk, Jardine Lloyd Thompson