Data protection: IT chiefs' growing burden

New legislation in the US and a string of security breaches could see companies start to change the way they keep their...

New legislation in the US and a string of security breaches could see companies start to change the way they keep their customers' data private and secure.

The importance of data privacy is growing. In the past, it was possible to maintain reasonable control over who could view data because access tended to be available only through individual systems and applications with a known set of users. Rarely was there a need to distinguish between those who could update data and those who could view it, as they were usually be the same people. As a result, security breaches were relatively rare.

But advances in technology have brought about new problems. Data can now be downloaded locally from spreadsheets and databases, various middleware products can transfer data between applications or to local datamarts, and datawarehousing has made it possible to assemble data accessible by many people in an organisation. In most cases, these technologies were deployed without any thought about security.

The internet further extended the use of shared data through credit card details and e-mail addresses, and increased the importance of data privacy. Few people are happy at the idea of their e-mail address being freely distributed and everyone who enters their credit card details on the internet expects the information to be held securely.

Data must be held in accordance with legislation which mandates a level of privacy. Almost all countries in Europe have enacted some form of data protection legislation for personal data.

Although these laws vary, the general principles are similar. The data must be accurate, secure, processed for limited purposes and in accordance with the data subject's rights. Many European countries even require special authorisation for exporting data abroad, even though masses of data is transferred across country borders every second.

Laws on data protection

In the US the legal situation is more complex. The recently enacted Health Insurance Portability and Accountability Act concerns data protection for health records. The Sarbanes-Oxley Act and Gramm-Leach-Bliley Act are both primarily concerned with financial regulation but also have implications for data privacy.

However, what may prove to be the most influential piece of legislation is the California Senate Bill 1386, which came into law at the beginning of July.

This bill demands that organisations have to immediately notify Californians if their confidential information has been compromised because of a security breach on any computer system storing their data.

This law is specifically intended to deal with identity theft - the fastest growing crime in the US. As far as the Bill is concerned, confidential information could include a social security number or driving licence or credit card information.

But this law does not just apply in California - it applies to any company worldwide holding information on Californian residents. The likelihood is that this law will eventually migrate to all the states in the US, and where the US leads, the UK will follow.

Problems of data protection

Most data privacy laws have only recently come into force and thus many organisations are now vulnerable to legal action if they fail to protect data.

Unfortunately, few organisations can protect data in a thoroughly efficient way. One of the difficulties with data privacy is that before any automated data privacy procedures are implemented, any scheme for data privacy requires certain knowledge of the identity of those with access to a system. If this cannot be done, it cannot be said for sure who can access the information.

This is the capability that identity management systems seek to provide. The major reason for investing in this technology is to manage passwords and computer access as well as securing data.

However, that only covers one half of the problem. In order to manage data privacy effectively, the data also needs to be tracked. You need to know who has been looking at or copying any given piece of data and to actively prevent anybody who does not have the right to access the data.

Policies need to be in place to cover the use of any data that warrants protection. As far as I am aware, there is only one company that offers such a service, a recent US start-up called Liquid Machines. However, as this is fairly infant technology it does not yet run on all platforms.

How IT will be affected

Legislators across the world are enacting tougher data privacy and data protection legislation, while most if not all organisations simply do not have the means to implement what the law is demanding. The IT industry is not yet providing the necessary technology.

One problem that will result from the need to protect data is the difficulties companies may find themselves in when they breach the law. For example, the Californian Senate Bill 1386 was prompted by a hack that took place at the Stephen P Teale Data Center in California in 2002.

The datacentre runs the payroll for the State of California. For a considerable length of time the hacker (or hackers) had access to confidential information such as the names, addresses and bank account details of 265,000 employees.

The datacentre did not notify anybody about the security breach for many weeks, leaving state employees ignorant about the risks and open to identity theft attacks.

It is not rare to hear of a security breach of this nature. In fact, the statistics indicate that such breaches are happening frequently. But as the law changes, such breaches will lead to lawsuits - especially in the US, where litigation is a national sport.

Robin Bloor is chief executive at Bloor Research

Read more on Hackers and cybercrime prevention