The data breach at HM Revenue & Customs (HMRC), which placed 25 million people at risk of identity theft, has brought information governance back to the fore.
Early indications suggest that risk management failures and human error were to blame. Those risk managers who fail to take data security seriously run the risk of being on the receiving end of heavy financial losses and often fines. Securing personal information is not just savvy commercial practice, but a legal requirement.
All organisations store sensitive personal data electronically, whether within a computer network or on removable media such as CDs. This may involve customer transactions or may simply be personal employee information, such as bank and health details. These details will often be shared with other organisations as companies outsource functions, particularly in accounting and human resources.
The ever-changing business environment has a direct effect on a company's risk profile, often changing in unison as new business models develop. The expansion of global supply chains and the heightened dependence on outsourcing means that security risks are becoming harder to quantify and prevent. The new risks associated with relying on networks and using digital data must be addressed by risk managers in the same manner they would consider the more traditional risks.
One of the most instructive lessons of the HMRC incident is that simply having a security policy in place does not protect an organisation from a breach. Good data security relies on strict internal guidelines for handling data and on the use of privacy-enhancing technologies, both put into practice through comprehensive staff training. Over time this creates a culture of data security.
Essentially, it is the responsibility of the board. A lack of training will lead to basic mistakes creeping into day-to-day working practices. In the case of the HMRC breach, these were a failure to separate the crucial data, a failure to encrypt the data, and a failure to send the data via a secure digital transfer system.
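The three missing controls named above can be shown concretely. The following is an added example, not code from the article, HMRC or Jardine Lloyd Thompson: it takes constructed records in the shape of a benefits database row, separates out only the fields the recipient needs (so bank details never leave the source system), encrypts the extract, and attaches an integrity tag so the recipient can detect a tampered or wrongly keyed file before opening it. The field names, the purpose of the extract and the 32-byte key are assumptions. Because the Python standard library ships no authenticated cipher, the encryption is an illustrative encrypt-then-MAC construction built from HMAC-SHA256; a production system would use AES-GCM or ChaCha20-Poly1305 from a vetted library instead.

```python
"""Added example: data minimisation, encryption and integrity protection for an
extract before transfer. Constructed sample data; illustrative cipher only."""
import hashlib
import hmac
import json
import secrets

# Constructed records (assumption: the shape of a benefits database row).
RECORDS = [
    {"nino": "QQ123456A", "name": "A. Example", "dob": "1975-01-01",
     "sort_code": "00-00-00", "account": "12345678", "address": "1 Test St"},
    {"nino": "QQ654321B", "name": "B. Sample", "dob": "1980-06-30",
     "sort_code": "11-11-11", "account": "87654321", "address": "2 Test St"},
]

# Assumption: the recipient only needs names and NI numbers for its purpose.
# Bank and address details are therefore separated out and never sent.
NEEDED_FIELDS = ("nino", "name")


def minimise(records, needed=NEEDED_FIELDS):
    """Separate the crucial data: keep only the fields the recipient needs."""
    return [{k: r[k] for k in needed} for r in records]


def _derive_keys(master_key: bytes):
    """Derive independent encryption and MAC keys from one master key."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream (illustrative, not AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                         hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt_extract(master_key: bytes, records) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _derive_keys(master_key)
    plaintext = json.dumps(records, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)            # fresh per extract
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_extract(master_key: bytes, blob: bytes):
    """Verify the tag first; refuse to decrypt a tampered or wrongly keyed blob."""
    enc_key, mac_key = _derive_keys(master_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("extract failed integrity check: tampered or wrong key")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, ks)))


def package_for_transfer(master_key: bytes, records):
    """The send step: minimise, encrypt, and return the blob plus a digest the
    recipient confirms out of band before opening the file."""
    blob = encrypt_extract(master_key, minimise(records))
    return blob, hashlib.sha256(blob).hexdigest()


if __name__ == "__main__":
    key = secrets.token_bytes(32)               # assumption: shared beforehand
    blob, digest = package_for_transfer(key, RECORDS)
    print("manifest digest:", digest)
    print("recipient sees:", decrypt_extract(key, blob))
```

The order of the steps is the point: minimisation happens before encryption, so a leaked file exposes only the reduced field set even if the key is also lost, and the integrity tag is checked before any decryption, so a corrupted or substituted file is rejected rather than silently loaded.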
If a private corporation had been the culprit instead of HMRC, the financial loss to that firm would have been substantial, possibly running into hundreds of millions of pounds to cover costs such as consumer notification, call-centre capacity (to deal with customers whose records had been compromised), ongoing third-party credit monitoring, claims for identity fraud, litigation expenses and damages and regulatory defence and settlement.
Most organisations probably do not have sufficient, if any, insurance for such an event, as normal property and liability policies only provide cover for tangible assets and specifically exclude the new risks associated with data and IT networks. Specialist data privacy and network security policies have been developed, particularly in the London insurance market, to address these exposures, including cover for notification expenses and regulatory fines and penalties.
Organisations should take heed and look to address this gap in insurance coverage. New powers given to the Data Commissioner's Office permit it to undertake uninvited data audits. Firms that are found to be complacent in their approach to security management will be named and shamed and may well face adverse media attention, resulting in a loss of consumer confidence and ultimately a fall in share price.
Jeremy Smith, Head of Cyber IT and Risk, Jardine Lloyd Thompson
This was first published in January 2008