Security breaches and dual standards

Private industry acts while public sector hides behind a cloak of secrecy.

When it comes to how security breaches are treated, a gap is opening up between the public and private sectors.

In the last week or so, we have seen several breaches occurring in the public sector with little apparent repercussion for the organisations involved. By contrast, we have seen a firm of stockbrokers publicly named, shamed and fined -- not for suffering a breach, but for having unsafe processes.

The latest spate of public sector blunders started with two sets of highly sensitive Cabinet Office papers being left on commuter trains. One set was found by a member of the public and given to the BBC; the other went to the Independent on Sunday. Both were returned to their rightful owners without any harm resulting.

The individuals involved are understood to have been suspended from their jobs, but the punishment stops there.

Then a laptop belonging to Hazel Blears, a government minister, was stolen from her constituency office in Salford. This could be bad luck, but she had asked for confidential information to be emailed to the machine, in breach of the rules. The laptop was password-protected, but the files were not encrypted. Ms. Blears continues in her job.

Then we heard that six laptops containing personal information about 20,000 National Health Service (NHS) patients had been stolen from St. George's Hospital in Tooting, South London. Patient information, including brief medical notes, names, dates of birth and postcodes, had apparently been stored on the laptops as a temporary measure because of a problem with the computer network. The machines were password-protected and had been placed in a secure locked cabinet in a secure room at the hospital.

Again, it looks like bad luck, but it shows how corners can be cut when something, like a network, goes down suddenly. However, the case appears to have been glossed over, from a public point of view at least.

Contrast that with the treatment this week of stockbrokers Merchant Securities, which suffered a fine of £77,000 from the Financial Services Authority. The company offers a personal service to its private clients, and staff had built up enough of a rapport with customers to recognise their voices when they called, so they dispensed with putting callers through any formal identification process.

No personal data was lost by Merchant Securities, but the FSA took exception to the casual approach to security and decided to punish the company. Not only that, but it published a full report on the case, and the reasons for the punishment.

Most people believe the severity of the response is a sign of things to come. "The FSA made clear that they meant business when they launched their recent report on data security," said Malcolm Marshall, a partner at KPMG's security practice. "Edna Young of the FSA pointed out that they had not conducted the report as an academic exercise, and this is further evidence of this," he said.

Marshall said the judgment should alert firms to the fact that the FSA will take action even when no data has been lost or no obvious problems have occurred. "Many security failings are not complex technical issues - they are often caused by staff or contractors failing to understand what their basic responsibilities are - this appears to be the case this time," he added.

Phil Cracknell, an independent security consultant, predicted that mandatory breach disclosure would be introduced in the UK within 12 months. "It could have all been avoided if the industry had regulated itself properly," he said. "The regulations are just commonsense stuff we've been saying for years. Companies that fall foul of the regulations are making basic schoolboy errors, so there is not a lot of sympathy for them."

But will mandatory disclosure, if it happens, apply to the public sector? That remains open to question. The question of punishment is also a problem – if the public loses confidence in a bank, they can take their business elsewhere. But if we don't trust HMRC anymore, we cannot choose to pay our taxes elsewhere. And what would be the point of fining a public body or the NHS anyway if the fine comes out of public coffers?

We clearly need some form of publicly accountable and independent body to do for the public sector what the FSA is doing in the finance industry. But I won't hold my breath for it to happen.
