The latest embarrassing blunder -- a lost memory stick containing details of all 84,000 prisoners in England and Wales -- shows that personal data is still treated with reckless abandon.
After the loss of the HMRC disks last year, and the subsequent enquiry into how it happened, there was an expectation that standards would be tightened. But this week's little accident shows that the day-to-day data handling policy is still painfully lax.
The facts are these. On Monday this week, PA Consulting Group reported to the Home Office that a memory stick holding information about criminals had been mislaid. By Tuesday, PA confirmed it was lost.
PA had been given the data as part of a research project on tracking offenders through the criminal justice system. The data was unencrypted, and included details of around 10,000 prolific offenders, as well as information on all 84,000 prisoners in England and Wales. It also included information from the Police National Computer on 33,000 people with six or more convictions in the last 12 months, including their names, addresses, dates of birth and release dates.
In a statement, the Home Office said the data was "held in a secure format on site and downloaded onto a memory stick for processing - which has since been lost".
Security professionals were quick to point out that such accidents were completely avoidable. Graham Cluley, senior technology consultant at antimalware firm Sophos Plc, said: "Although companies can't strip-search employees in order to prevent confidential data leaving the business premises each day, they can take steps to help fight data loss. Research has shown that approximately 95% of data loss is accidental -- like in this most recent case -- so companies need to take action to reduce the chances of an accident happening in their organisation."
Apart from encrypting information, he said one simple technique is to truncate some fields -- for instance putting XXXXs in credit card numbers or National Insurance numbers, or cutting out any fields that are not needed for processing.
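The field truncation Cluley describes, sketched in Python as an added example (not code from the article or from Sophos): it keeps only the columns a processing job needs, masks identifier characters and reduces dates of birth to the year before an extract is copied anywhere. The column names, the allow-list, the number of characters left visible and the sample rows are all constructed assumptions.

```python
import csv
import io
import re

# Constructed sample extract: every name and value below is invented.
SAMPLE_CSV = """offender_id,name,address,date_of_birth,ni_number,card_number,release_date,convictions_12m
1001,Jane Example,1 Sample Street,1980-04-12,QQ123456C,4111 1111 1111 1111,2008-11-03,7
1002,John Placeholder,2 Test Road,1975-09-30,QQ 65 43 21 A,5500-0000-0000-0004,2009-01-15,6
"""

# Assumption: the processing job needs only these columns; all others are dropped.
ALLOWED = ["offender_id", "date_of_birth", "ni_number", "card_number",
           "release_date", "convictions_12m"]


def mask_tail(value, visible):
    """Replace all but the last `visible` characters with X, ignoring separators."""
    compact = re.sub(r"[^0-9A-Za-z]", "", value)
    if len(compact) <= visible:
        return "X" * len(compact)  # too short to show anything safely
    return "X" * (len(compact) - visible) + compact[-visible:]


# Per-field truncation applied to columns that survive the allow-list.
TRANSFORMS = {
    "ni_number": lambda v: mask_tail(v, 3),
    "card_number": lambda v: mask_tail(v, 4),
    "date_of_birth": lambda v: v[:4],  # keep the year only
}


def minimise_csv(text):
    """Return a CSV holding only allow-listed, truncated fields."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [f for f in ALLOWED if f not in (reader.fieldnames or [])]
    if missing:
        # Fail closed: a changed input layout must not silently pass through.
        raise ValueError(f"input lacks expected columns: {missing}")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=ALLOWED, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow({f: TRANSFORMS.get(f, str)(row[f] or "") for f in ALLOWED})
    return out.getvalue()


if __name__ == "__main__":
    print(minimise_csv(SAMPLE_CSV), end="")
```

Because the output is built from an allow-list, a column added to the source later (a new address or phone field, say) stays out of the extract until someone deliberately adds it.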
"Implementing strong access control measures can help reduce the risks of unauthorised access, or accidental data leakage to devices that may not be properly secured," Cluley said. "Maintaining an information security policy that covers access control, network and physical security is a must."
Andrew Clarke, a senior VP for security management firm Lumension Security Inc., said that much good work had been done in government to improve security following the HMRC debacle. He said the report 'Data Handling Procedures in Government', which the Cabinet Office published in June 2008, contained valuable recommendations for government to follow.
"The data handling processes that they've been developing after HMRC are robust and rigorous. They have thought long and hard about it, and they have got their act together within the Government," he said. "They just need to make sure the rules permeate down the chain of command and to partners and sub-contractors."
Clarke said the case underlines the need for a data handling policy to be backed up by technology, so that security is automatically applied wherever possible. "The onus is on the information security department not just to put in place measures to protect data but to make sure data protection is done automatically without users having to think about it. They need to be more proactive. The human element is always a weak point in any process."
Ian Jackson, managing director of security consultants Imerja Ltd., was scathing about the loss. "Sir Gus O'Donnell, Head of Home Civil Service, issued a mandate in June stating that all data leaving the government's office should be encrypted," he said. "You would think that this ruling would have been filtered down to agencies working for the government but clearly with PA Consulting this has not been the case. However, blaming an individual for any loss of data is simply not acceptable. The accountability must be held at the highest level where responsibility ultimately lies for communicating and enforcing a strong data and security policy."
Jackson said a few simple rules could have prevented any problem. He added that all personally identifiable data should be password protected at a minimum, and if the information was transferred outside a secure IT environment, it should be encrypted.
"Encryption technology is easy to deploy and doesn't affect the performance of the device so why isn't it being used?" he said. "Supporting this technology should be a proper data handling policy and appropriate education. All information should be properly classified so that everyone knows who has access to it, who can modify it, how it can be sent and how it should be destroyed."