The Liberal Democrat party dubbed 2007 the worst year
ever for data protection and privacy, as almost 37 million Britons
saw their records lost into the ether.
Some 25 million records were lost as a result of the
government's well-documented child benefit debacle. Although you are less likely to hear if
a bank or retailer has suffered a breach, a good number of the
remaining 12 million were down to several well-known brands
mislaying records.
Nationwide and Leeds building societies, Monster.com and of course TJ Maxx were among the big names hitting the headlines,
inviting people to worry about whether their data is safe stored on
databases.
As it stands, the UK Data Protection Act and the information
commissioner Richard Thomas are often seen as powerless enforcers
of the law, as those who are penalised can walk away with nothing
worse than a small fine and a slap on the wrist.
"The so-called 'toothless' law is starting to bite," says Robin
Hollington, director of consulting at Global Secure Systems.
"However, the information commissioner has had too few powers of
enforcement. Other than the financial sector enforcement of
Nationwide and Norwich Union, with fines made by the FSA, few
organisations have felt the tangible cost of non-compliance.
The most critical consequence of unauthorised data disclosures
remains that of loss of customer confidence and reputation damage.
Those responsible for data within organisations can already be held
accountable, and face criminal charges. But that is if the person
whose data has been compromised can prove they have suffered harm
or distress as a result."
Despite the large number of firms handling data these days,
there are still relatively few cases where companies are prosecuted
for breaching data protection laws. This raises the question: are
they all behaving themselves, or is the law ineffective?
Tough justice
Politicians say the law needs to change. An extremely bad year
for data breaches has given them reason to beef up the Data
Protection Act and make people or organisations in charge of such
data more accountable for mistakes.
The government is now trying to make it a criminal offence to
neglect or repeat data breaches. Parliament's justice committee has
backed the move, also arguing that large-scale users of personal
data - such as corporations - should pay for the increased workload
in enforcing this law.
At the moment, all UK organisations pay an annual fee of £35 to
handle personal data. But if the changes were accepted, higher
fines could give the Information Commissioner's Office (ICO)
further resources to follow up on more cases, and changes in the
law could lead to bigger fines and the possibility of custodial
sentences.
The information commissioner's team could also be given
permission to perform spot checks on how companies handle their
data. Could firms end up paying more money to use customer data?
And would the threat of higher penalties affect IT staff?
"This will have a massive impact on security professionals,"
says Andy Maurice, director of consultancy at records manager Iron
Mountain Europe. "They will need to take into consideration how
their organisation handles personal information in all stages of
its life-cycle, as well as the different formats that this
information can exist in."
"The security professional now needs to consider information
life-cycle management in its entirety, reviewing all of the
internal and external locations that an organisation could
potentially leak sensitive information," he says. "Until recently,
this has been a rather reactive process. It is now mandatory for
all EU bodies to have a data protection officer in place, which is
a clear indication that data protection is now taking centre stage.
Those organisations that stand out as champions of data protection
will be those that have evolved their business processes."
But are those business processes really evolving? And do their
staff treat data with the necessary respect? Research indicates
this is not the case. A survey by Dynamic Markets on 300 managers
and employees at UK and Irish companies where most staff use
computers found that 16% of employees tell lies to cover up
mistakes that resulted from the wrong version of information being
presented to colleagues and customers. The report, commissioned by
Tower Software, also claimed that 67% of employees say people in
their organisation might have unknowingly presented the wrong
version of information in this way.
Research carried out in November by Ipsos Mori on 1,000 British
adults for the antivirus giant Symantec found that almost
two-thirds of the public distrusts the government's data-handling
ability, and 61% distrust the methods corporations employ. Almost
half (46%) say that data-protection laws are inadequate.
Tough on carelessness
Although these studies reflect the message from the sponsors
that people need to invest more in security, they also add weight
to the government's stance to get tougher on carelessness. Unclear
rules, however, might lead to employees ending up in jail if they
mislay a laptop or a pack of CDs containing data.
Andrew Dyson, a partner at law firm DLA Piper, argues that this
certainly would not be the case. "The principal Data Protection Act
is for those people who deliberately breach data - it is people
hacking and those who misuse data," he says. "On a corporate level
it is only if it is very sensitive data and someone has been very
reckless. I think that [jail] is unlikely to be relevant [for
company people] as this is targeted at people who illegally access
data."
For a long time, legal eagles and security folk have talked
about the possibility of a breach disclosure law in the UK. The law
would mean that if a company lost any customer data, the people
affected would have to be told.
The legal systems of several US states including California
already include such legislation, requiring companies operating
there to tell their customers if a data breach occurs. The
Californian law, SB-1386, and its equivalents have forced companies to confess
breaches on several occasions.
But the prospect of a similar regulation in the European Union
still looks unlikely, Dyson says. In many ways, companies have to
tell their customers about breaches anyway - as this is one of the
best routes to better security, he says. But that does not
necessarily mean you find out how your data was stolen. And it does
not exactly inspire confidence in a firm.
Ignorance is bliss?
Having said that, last year the House of Lords pushed for
consultations over data-breach notification rules instead of
waiting for orders from the European Commission. But although that
is still in the early stages of processing, the British Standards
Institution (BSI) has started work on yet another security
benchmark.
"To this end, the BSI has started work on the development of a
formal British Standard on Data Protection," Hollington says. "The
aim of this proposed standard will be to provide organisations with
a method of assessing and demonstrating their compliance with the
requirements of the Data Protection Act."
The information commissioner has given his full support to the
proposal to develop a British Standard on Data Protection. The BSI
envisages the standard being used by organisations as a tool to
assist in addressing their obligations under the Data Protection
Act.
"Security professionals should be asking themselves, 'why are we
not getting better at controlling the risks?' Both the risks and
the countermeasures are embedded within recognised best practice
standards including ISO27001/2, but still there is a general lack
of respect for or adoption of security procedures by staff,"
Hollington says.
Any changes to the information commissioner's powers remain to
be seen - and even if the Data Protection Act is changed, it could
be some time before the ICO becomes more powerful than other
regulatory bodies. In fact, DLA Piper's Dyson says that companies
in the financial services industry are more likely to come under
fire from the Financial Services Authority (FSA). This is because
the FSA can implement faster, tougher penalties on companies'
errors.
"Last year, Nationwide had a laptop stolen," he says. "The information
commissioner and the FSA looked at it. In the end, the information
commissioner passed it over to the FSA because it has more power."
Nationwide ended up paying £980,000: "There is no way the
information commissioner could have done that."
Nervous analysis
Any change in legislation could also have an effect on the way
data is used. Phil Becket, a director in Navigant Consulting's
disputes and investigations practice, says the widespread use of
data analytics could soon come under scrutiny.
"Currently, the data protection regulations include a caveat
excluding investigators from complying with the regulations," he
says. "Although this is unlikely to change, I expect companies and
organisations to become far more nervous about permitting data
analysis, data matching and PC imaging as a result of the
criminalisation of data loss."
"Companies may be less willing to permit these investigative
techniques even though they are no less able to permit them because
of the perception that it is against the rules," Becket says.
This article was originally published in Infosecurity magazine.