Imagine the situation. You run for a train and just manage to catch it, only to find that in the rush you've left your laptop and a collection of USB sticks in the Starbucks coffee shop where you had been sitting.
Sensitive company information relating to both customers and staff is on the laptop, which is password-protected, and also on the USB sticks, which are not protected. To make matters worse, it is 4 p.m. on a Friday, and you can't get a signal on your mobile phone.
So what do you do?
This was the scenario presented to a group of security professionals and managers this week at a conference organised in London by consultancy RiskAdvisory Software Inc. and law firm Herbert Smith LLP.
In workshop sessions, delegates were asked to consider two aspects of the event: what action to take immediately, and what to do in the company to ensure it wouldn't happen again.
Some delegates were lucky. In their organisations, it was possible to call one number to activate a pre-planned incident response process. If they were in that position, they just had to find a working phone (which might require them to get off the train at the next stop), and everything would be taken care of, including informing the police, contacting Starbucks, and getting the laptop disabled.
Other, less fortunate professionals had to work out their own course of action. For instance, should they first try to contact Starbucks, or report the loss immediately to their line manager? The victim worked for a publicly listed company, so there were implications for the share price; some kind of defensive PR plan was needed.
Implementing a data loss prevention plan
What emerged from the session was that if you have a plan in place for data loss prevention (DLP), as for disaster recovery, then you have a much better chance of keeping the damage to a minimum. Communication is essential, but this depends on having a suitable corporate culture. According to one conference panel member, Cheryl Hennell, head of IT security for BT Openreach, a no-blame culture encourages people to report mistakes rather than try to hush them up. Her company operates a helpline for this very purpose.
The second part of the exercise -- what preventive action to take -- focused on security awareness, policy enforcement, and a review of how data is handled. The poor chap in the example had loaded customer and staff files on his laptop because he was planning to visit a number of regional offices. As some people spotted, he could just as easily have accessed the information from company offices rather than exposing it to loss or theft.
Another panel member, Christopher Rees, who heads the information assurance practice at Herbert Smith, crystallised the problem. "You should treat data as if it were cash. Would you go around the country with a briefcase full of cash? Of course not. You should treat data in the same way."
Lost your laptop and USB sticks? Don't panic. And tell the ICO
After all the discussion, Rees then asked what turned out to be the killer question: "Did anyone suggest informing the Information Commissioner?"
Blank stares all round. No one had thought to mention disclosure to the Information Commissioner's Office (ICO), but as Rees explained, this is absolutely essential.
When personal data goes missing, he said, it is essential to inform the ICO quickly, and explain how you are taking all reasonable steps to reduce the impact. The ICO will soon have the power to impose fines on companies that treat personal data recklessly, and those fines could be up to 10% of annual turnover.
Provided you are open with the ICO and show you have a process in place to protect those individuals affected, then you are likely to be treated leniently. Companies that try to conceal a breach can expect to feel the full force of the ICO's powers, he said.