How safe is your data? - on-line or off?

Next week will see the annual Get Safe On-line campaign and also the Internet Governance Forum in Rio de Janeiro – at which the need to improve security will be a major thread. Last week the government response to the report of the House of Lords select committee enquiry on Personal Internet Safety was published. The doctrine of Ministerial Infallibility means that no department can publicly accept in full the recommendations of a committee that it did not appoint. The wording of the response is, however, such that I would expect all the main recommendations to have been adopted before the next General Election – provided they have the necessary support and commitment from industry: users as well as suppliers.

Of course the public has not yet lost confidence in the Internet. But there is a very real risk that they would, if they felt they had to bear the risk of things going wrong themselves. The 2007 Oxford Internet Institute Survey shows concern over content in parallel with a high level of satisfaction with the services provided. The convenience of on-line transactions greatly outweighs the current risk of on-line and other computer-assisted fraud – provided someone else is carrying the risk. And they usually are. The cost is being borne by the banks (card-not-present fraud) and government (tax and benefit fraud). And the cost to banks is trivial compared to the cost of their on-line customers reverting to branch banking. In the case of financial services, at least, the House of Lords recommendation that liability and responsibility sit with those in the best position to take action can be seen as “merely” a confirmation of the status quo.

The House of Lords, as the UK’s final Court of Appeal, has itself acted accordingly. Outlaw-Com recently carried a report headed “Lords back protection for overseas card transactions”. The banks are quoted as saying that the overturning of a Court of Appeal decision to make customers liable for fraudulent overseas transactions on UK-issued credit cards made no difference, because they would reimburse them anyway. The author, however, concluded: “had the ruling gone the other way it could have dented confidence in e-commerce, which relies more heavily than off-line business on cross-border consumer trading”. The ruling is all the more significant because the roll-out of chip and PIN has sharply reduced card fraud in the UK and Western Europe. Meanwhile the fraudulent use of UK card details in Asia and the Americas is rising sharply, thus increasing the pressure for more effective international co-operation against on-line fraud.

Next week we can expect a hike in fear levels and messages to consumers to protect themselves on-line. But the “leakage” of personal information, including bank and card details, from the data centres and websites of employers, government departments and e-tailers is a far more serious problem. Hence the recent attempt in California to make e-tailers liable to card issuers for the cost of reissuing cards when their customer files have been lost, stolen or copied. Hence also the interim recommendations of the US Presidential Task Force on ID theft and the exercise that is gathering pace to review UK public sector information assurance. The Land Registry has now joined the litany of insecure on-line systems that have had to be withdrawn for lack of adequate security.

But we must remember that the costs of e-crime and ID fraud are still insignificant compared to the damage that a “rogue” trader or “over-ambitious” Chief Executive can inflict, even on a global business. Moreover, the biggest risk remains “digititis” (e.g. over-centralised, intertwined and integrated networks brought down by finger trouble during routine maintenance or upgrade), followed by mother nature (e.g. storm or flood removing the power supply to a data or switching centre, or flu incapacitating key staff) and accident (fire, explosion or a rogue JCB operator removing the centre or the landlines that connect it with the rest of the world).

We need holistic approaches to the interlinked issues of consumer confidence, information assurance and on-line security. And these need to be based on realism as to the scale and nature of the risks and much better co-operation between those who wish to see their customers deal with them on-line. Active support for exercises like Get Safe On-line should be part of that co-operation.


Do you know, it seems like only last week that the Prime Minister was lecturing us on his plans for national security and, I don't know if it's because I'm going senile, but I don't remember him mentioning this idea of spreading our personal data around like this?

Is this what they mean by a distributed database?

Of course, it was only last week that the Prime Minister hauled Admiral Lord West over the coals. Who? You know jolly well -- the sailor who was court martialled for losing confidential data and went on to become our national security adviser. Or did he become a clerk at HMRC? I can't remember.

This comment added by Philip Virgo: There but for the grace of God go how many CIOs/CEOs in both public and private sectors? One of the tragedies of data loss is that those who identify and report it get publicly crucified. Those who keep quiet and cover up tend to get away with it. At the very simplest level, how many organisations keep track of their off-site back-up records until they are destroyed – let alone encrypt all data leaving the centre?