The data breach at HMRC, which placed 25 million people at risk of identity theft, has brought information governance back to the fore. Early indications suggest that risk management procedural failures and human error were to blame.
Those risk managers who fail to take data security seriously run the risk of being on the receiving end of heavy financial losses and often fines. Securing personal information is not just savvy commercial practice, but it is a legal requirement.
All organisations store sensitive personal data electronically, within a computer network or on removable media such as CDs. This may involve customer transactions or may simply be personal employee information, such as bank and health details. These details will often be shared with other organisations as companies outsource functions, particularly in Accounting and Human Resources.
The ever-changing business environment has a direct effect on a companies risk profile, often changing in unison as new business models develop. The expansion of global supply chains and the heightened dependence on outsourcing means that security risks are becoming harder to quantify and prevent. The new risks associated with relying on networks and using digital data must be addressed by risk managers in the same manner they would consider the more traditional risks.
One of the most interesting issues raised by the HMRC incident is that it demonstrates that companies are not exempt from security breaches by simply having a security policy in place. Good data security is reliant on strict internal guidelines with regards to the handling of data and the use of Privacy Enhancing Technologies (PETs) that are then implemented via comprehensive staff training. This ultimately will lead to a data culture being created. Essentially it is the responsibility of the board. A lack of training will lead to basic mistakes creeping in to day to day working practices. In the case of the HMRC breach these were a failure to separate the crucial data, a failure to encrypt the data, and a failure to send the data via a secure digital transfer systems.
If a private corporation had been the culprit instead of HMRC the financial loss to that firm would have been substantial, possibly running into hundreds of millions of pounds to cover costs such as consumer notification, call centre capacity (to deal with customers whose records have been compromised), ongoing third-party credit monitoring, claims for identity fraud, litigation expenses and damages and regulatory defence and settlement.
Most organisations probably do not have sufficient, if any, insurance protection in this event, as normal property and liability policies only provide cover for tangible assets and specifically exclude the new risks associated with data and IT networks. Specialist data privacy and network security policies have been developed, particularly in the London insurance market, to address these exposures including providing coverage for notification expenses and regulatory fines and penalties.
Organisations should take heed and look to address this gap in insurance coverage. New powers given to the Information Commissioner's Office permits them to undertake uninvited data audits. Firms that are found to be complacent will be named and shamed and may well face adverse media attention resulting in a lack of consumer confidence and ultimately a loss in share price.
Jeremy Smith, Head of Cyber IT and Risk, Jardine Lloyd Thompson
About Jeremy Smith
Jeremy joined JLT in 2007 and is responsible for cyber risks at Jardine Lloyd Thompson Limited. He began his career in insurance in 2002 with Zurich, one of the leading global insurers, initially working as a Professional Indemnity Underwriter. In 2006 Jeremy created the IT Risks division at Zurich Professional in response to demand from the IT community for more specialist Underwriting. Over the past year Jeremy has been instrumental in the development of Jardine Lloyd Thompson's Cyber Products and has been active in raising awareness of digital risks and their associated exposures.
This was first published in January 2008