Personal Data Breaches Are Unforgivable

This week I’m in New York on a short visit, but my attention has been grabbed by events at the UK’s HM Revenue and Customs, i.e. the announcement of the loss of discs containing personal data on 25 million citizens.

Following on from so many high-profile data breaches earlier this year, it seems quite incredible that such a breach could occur. But such mistakes will happen from time to time in any organisation that does not maintain an aggressive campaign of user education, mandatory controls and regular auditing.

This is unlikely to be an isolated incident. It’s well understood in the safety world that behind every major incident there are likely to be, on average, 29 minor incidents, 300 near misses and perhaps thousands of bad practices. A similar pattern can be expected for security incidents.

Unfortunately the UK Government has been slow off the mark in catching up with the better practices of industry. In particular, it has for too long resisted proven measures such as accredited certification, which is the only effective way of “closing the loop”, i.e. checking that corporate policies and standards are actually implemented in practice.

So it’s understandable, and not really surprising, to hear about a breach of this kind. But given the well-publicised citizen concerns and the learning points from previous breaches, it’s not forgivable. Action must be taken urgently to raise the bar on security standards for the public sector.