Another day, another data breach. Actually, another day, another blog post about another data breach. Hey, at least it means I don’t have to think too hard about what to write about! Flippant remarks aside, there are some interesting aspects of this latest breach that I think are worthy of comment.
Of course, I am talking about the breach of L-driver details – see here.
1. The data breach occurred at a third-party vendor (see my blog entry from November 28, where I talk about this subject and what I do to try to minimise the risk).
2. The data itself would not necessarily be classified as “high loss impact”, consisting as it did of no credit card or bank account data, National Insurance numbers, or other high-value information.
Ruth Kelly says that the Department for Transport is making changes to the way it handles data, including more electronic transfer and “secure couriers”. She’s missing the point. It wasn’t the DfT’s own handling of the data that caused the breach. They should have done more to ensure that their partner had adequate controls in place. In fact, let’s step back a bit further: the message is to ensure that you know about the security controls implemented by your vendors before you start giving your data to them. This is simple: you ask them. And if it’s really important data, you also go and visit them to see for yourself. I ask third-party vendors all the same questions I would ask of one of my own organisation’s business units, and the decision criteria are based on them meeting the same standards expected internally.
This latest incident also demonstrates that any data breach, regardless of the contents of the data, is likely to result in embarrassment if the compromise is made public. Of course, the fact that another government agency is involved means that the impact is greater, because they are already in the public eye on this subject. This serves to demonstrate a point I like to make: it’s important to be aware that the value of data can change over time. Three months ago, basic, non-critical information such as that exposed in this latest incident would not have had a high loss impact. Now, because of the previously reported incidents, the impact (on reputation) is much higher than common sense says it should be, because the government is already in the frame as a poor data custodian.
Within our own organisations, an example might be data about mergers and acquisitions. Such information has a potentially high loss impact prior to the acquisition but probably little or lesser value after the event. So, controls can be relaxed later to something a little less expensive. The value of data can go up as well as down.
I hope the pressure remains on our government to sort out their processes. Excuses and apologies don’t cut the mustard. All we want is some simple assurance that this government, which excels in collecting data about us and every aspect of our lives, has the ability to behave as a responsible guardian of it.