
The high-profile data-handling fiascos of recent months
have underlined the importance of data protection. The loss of
millions of child benefit records by HM Revenue and Customs, and
the mislaying of laptops and security dossiers by MoD staff - as
well as the recent disclosure of BNP members' details are part of
the same problem - institutional failures to define and implement
basic compliance procedures in line with the requirements of the
Data Protection Act, writes Alan Calder, chief executive of IT Governance Limited.
Complying with the requirements of the Data Protection Act - the
core UK legislation around data protection - is a key challenge for
Whitehall departments and commercial organisations alike. A much
tougher regulatory regime is now coming into place, which builds on
the major fines recently levelled by the Financial Services
Authority, such as the £980,000 penalty served on the Nationwide
Building Society and a £1.26m fine incurred by Norwich Union - both
criticised for failing to adequately protect personal data. Added
to this, there is the recently passed Criminal Justice and
Immigration Act, which brings in a regime of 'substantial' fines
for organisations that fail to meet their compliance
obligations.
The IT Governance Data Breaches Report identifies that spectacular data breaches
are not caused by the misdemeanour of a junior employee but arise,
rather, from systemically inadequate information security
arrangements at the organizations where the incident occurs.
The Attrition database of data loss and data theft incidents
shows a ten-fold increase in the number of reported data breaches -
in the US, the UK and across Europe - since 2004. The peaks in
reported data breaches following the disclosure of nationally
significant breaches such as the UK's HMRC data loss, suggests that
there were - and probably still are - many data breaches that go
unreported and research suggests that organizations are reluctant
to officially report data breaches unless they have already been
exposed. The evidence suggests that waiting to be found out is not
the best strategy.
Data protection is receiving so much attention for three
reasons. Identity theft is a low-risk, high-return option for
organized crime. Traditional crime, including violent robbery and
theft, has clearly identifiable risks. It is easy to be recorded on
video by CCTV, seen by witnesses or caught by means of DNA, and the
returns are relatively low. High-tech crime creates real problems
for the police force and is, conversely, relatively low-risk for
the criminal.
Contributing factors include the perpetrator's anonymity, the
speed at which crimes can be committed, the volatility or
transience of evidence, the trans-jurisdictional nature of
cybercrime and the high costs of investigation. Legal and
regulatory compliance initiatives, such as the EU Data Protection
directive and California's data breach disclosure law, SB1386, have
both formalised the concept that personal data must be legally
protected, and introduced penalties for failing to do so.
The recent amendments to the UK Data Protection Act (DPA), and
changes to regulatory activity across the EU that are introducing
significant financial penalties for non-compliance with the
Directive, make this a particularly urgent issue for UK
organisations. The proliferation of mobile data storage devices -
laptops, USB sticks, PDAs - has changed the boundaries of where we
store our data and effectively eliminated "fixed fortifications" as
an effective tool for preventing data breaches.
The Ponemon report (2007) commented that "the investment
required to prevent a data breach is dwarfed by the resulting costs
of a breach" and "the return on investment (ROI) and justification
for preventative measures is clear". Costs of data breaches - legal
costs, the costs of restitution, brand damage, lost customers and
so on - are significant; for financial services organisations, it
was about £55 per compromised record.
Whilst not involving legal compliance, if an organisation has a
credit card-related data breach and is found not in compliance with
the Payment Card Industry Data Security Standard (PCI DSS), there
are potentially severe contractual and financial penalties,
including a bar on the business accepting payment cards.
All these factors make the protection of personal data a key
business and compliance responsibility. There are nine key steps
that every organization should take:
As a minimum:
- Encrypt all personal data on laptops; whole disk encryption is
a more secure solution than folder or file level encryption, and
FIPS 140-2 is the recognised standard for encryption engines.
- Encrypt all removable and portable media that might contain
personal data, including USB drives, CD-ROMs and magnetic backup
tapes.
In addition:
- Establish rigorous procedures to ensure the physical
destruction of redundant computer drives, magnetic media and paper
records prior to disposal, and ensure that disposals are made in
line with a formal data retention timetable.
- Organizations that accept credit and other payment cards should
also comply with the PCI DSS.
- Provide regular training and awareness on legal
responsibilities for all staff that deal with personal data.
- Deploy outbound-channel (email, instant messenger) filtering
software with customised dictionaries for the relevant legislation
and standards, such as the Data Protection Directive and PCI DSS.
- Establish a vulnerability patching programme and implement
anti-malware software.
- Implement a business-driven access control policy, combined
with effective authentication.
- Develop an incident management plan that enables the
organization to respond effectively to any data breaches.
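The outbound-channel filtering step above is the one in this list that is usually implemented in software rather than by policy. The following is an added illustration, not code from the article or from IT Governance Limited, of how such a filter works: it keeps one small dictionary per policy (the `DPA` and `PCI DSS` entries and their keywords are assumed values), detects structured identifiers that a keyword list alone would miss (payment card numbers validated with the Luhn check, UK National Insurance numbers by format), and returns a decision for each outbound message. The sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed per-policy keyword dictionaries; a real deployment would tune these
# to the organisation's own data and the legislation it is subject to.
KEYWORDS = {
    "DPA": ["national insurance", "date of birth", "medical record"],
    "PCI DSS": ["card number", "cvv", "expiry date"],
}

# 13-19 digits, optionally separated by spaces or hyphens (candidate card PAN).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# UK National Insurance number: two letters, six digits, one letter A-D,
# with optional spaces, e.g. "QQ 12 34 56 C".
NINO_RE = re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the last four characters so the finding itself is not a leak."""
    return value[-4:].rjust(len(value), "*")


@dataclass
class Finding:
    policy: str    # which dictionary/regulation the match belongs to
    kind: str      # what was matched
    evidence: str  # redacted value or the keyword that fired


def scan_message(text: str) -> list[Finding]:
    """Run every dictionary and pattern over one outbound message."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("PCI DSS", "card number (Luhn-valid)", redact(digits)))
    for m in NINO_RE.finditer(text):
        findings.append(Finding("DPA", "UK National Insurance number",
                                redact(m.group().replace(" ", ""))))
    lower = text.lower()
    for policy, words in KEYWORDS.items():
        for w in words:
            if w in lower:
                findings.append(Finding(policy, "keyword", w))
    return findings


def decide(text: str) -> str:
    """'block' if a structured identifier was found, 'flag' for keywords only, else 'allow'."""
    findings = scan_message(text)
    if any(f.kind != "keyword" for f in findings):
        return "block"
    if findings:
        return "flag"
    return "allow"


# Constructed sample outbound messages (not real data).
SAMPLES = [
    "Hi, card number 4111 1111 1111 1111 is the one on the account",
    "Her NI reference is QQ 12 34 56 C, please update the file",
    "Can you confirm your date of birth for the form?",
    "Lunch at noon? Ref 12345678901234 is the order id",
    "See you at the exhibition on Tuesday",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(decide(msg).upper().ljust(5), [(f.policy, f.kind, f.evidence) for f in scan_message(msg)])
```

The fourth sample shows why the Luhn check matters: a fourteen-digit order reference has the shape of a PAN but fails the checksum, so it is allowed rather than blocked. Keyword-only hits are flagged for review instead of blocked, which keeps false positives from turning the filter into something users work around.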
IT Governance Limited is exhibiting at Infosecurity Europe 2009 on 28-30 April 2009 at Earls Court, London.