Another day, another data loss: its the wetware stupid.

This time its yet another paper file left on a train. Do read the report of the Home Affairs Select Committee in full. Then re-read it, remembering that the largest single death toll from a data leakage was when a Columbian Drug cartel analysed the billing records of the local telephone company to identify the location of the Drug Enforcement Agency Safe Houses from the calls from the US embassy. They then slaughtered everyone in them, including most of the DEA team.   

The story dates from the 1960s and was recounted in “All the President’s Men”. It was not until the warlord who organised the operation changed sides that the American’s learned that it was not an inside betrayal that had wiped out their war against drugs – but neglect, by staff with no idea how the information they routinely handled could be abused.

Now ponder the security systems for the material used by those organising all those surveillance systems that will supposedly make us all safe(r) – includng that which they have demanded from files of business, telcos and Internet Service Providers. 

Now compare these with the way the financial services industry uses technology to support the basic people disciplines (wetware) that have underpinned global correspondence banking, securing transactions and communications from thieves, fraudsters, pirates and warlords along the world’s great trading routes, since the days of ancient Babylon.

The report of the Home Affairs Select Committee is the first in a series of reports due for publication in the near future. These include: :

  • the report and recommendations of the  Independent Reviewer, the synopsis of which is on the CSIA website
  • the Hannigan report and recommendations commissioned by the Secretary to the Cabinet, currently being circulated  for comment.
  • the review by Kieran Poynter of PWC into the situation at HMRC, triggered by the lsot discs.
  • the review by Sir Edmund Burton into MoD information security, triggered by the loss of unecrypted laptops.
  • the reports commissioned by the welsh and Scottish Assemblies.
  • the review by the Information Commissioner and the Director of the Wellcome Trust

What is missing is an exercise to follow up the recommendation by Sir James Crosby that Government look at the track record and practices of the financial services industry.

Last week the Personal Identity and Data Sharing Working Group of EURIM organised a showcase covering the practical experience of those running large scale systems which have NOT had significant data breaches and has asked the exhibitors to write up the examples used, especially the people processes, for wider circulation. At the event, the Parliamentary Chair of the working group, Philip Dunne MP, an ex-banker and also chair of the All-Party Corporate Governance Group, described plans to distil that experience into “practice notes” that could be used by the relevant professions to hold their members to account – i.e. going well beyond “mere” codes of conduct.