
David Rae

IT Strategy: A little mishap

Financial Director, 24 Sep 2007

Security breaches can have serious implications for companies. So, do you know where your data is?

Do you worry about leakage? Because, if not, you probably should. It can be embarrassing and, in many cases, illegal. Just ask Jeffrey Kindler, chief executive of American drug company Pfizer, whose company has been at the wrong end of newspaper headlines all summer because of Pfizer’s apparent inability to get to grips with the issue.

And then there’s the NHS. Leakage in the NHS, you probably won’t be too surprised to hear, can reach biblical proportions and there are several recent stories that illustrate this rather nicely, one of which was a rather embarrassing case involving a celebrity…

I am, of course, talking about data leakage. And yes, you’ve guessed it, the security industry has invented a neat new acronym to go along with it: DLP, which stands for data leakage protection or data loss prevention, depending on which particular salesman you happen to be talking to.

So what exactly is the problem? In one of Pfizer’s cases (and there are several) laptops which contained confidential employee data as well as proprietary company information were stolen from the locked car of a contractor who, at the time, was working for the company.

As for the NHS? Well, the sexy story is that scores of NHS employees viewed the electronic records of a celebrity who was admitted into hospital. So what, one might reasonably ask. The problem is that looking at anyone’s medical records is unprofessional at best, almost certainly immoral and illegal at worst.

But there are many seemingly mundane stories from the NHS which, on closer inspection, pose far more serious problems. A survey carried out by Pointsec Mobile Technology together with the British Journal of Healthcare Computing and Information Management in summer last year found that half of NHS professionals use their own devices to store confidential patient information. And 20% of those devices are then left unencrypted and without password protection. USB sticks proved to be the most popular device for storing this sensitive information for very sensible reasons – they are, after all, extremely reliable, mobile and easy to use.

But fast-forward a year to July this year, and you come across a story of a USB stick containing highly sensitive and confidential patient information being stolen from a junior doctor. “The trust had an obligation to personally inform the patient and now faces a compensation claim,” said Matthew Daunt, a doctor from the Nottingham University Hospitals Trust, from where the USB device was stolen.

And these stories are just the tip of the iceberg. Ameritrade, a US stock brokerage, recently had information on more than 6.3 million customers stolen and the global job site, Monster.com, experienced a similar embarrassment around the same time.

The problem is so bad that I’ve been unlucky enough to receive several emails on the subject. One such email was an invitation to meet the market leader in DLP to discuss the launch of its latest product. Another was from an “incredulous” security company which was complaining about how certain other companies had allowed this type of thing to happen. Yet another was an invite to Orlando to talk about the issue with a couple of hundred other “security professionals” (I think they must have had a data integrity issue – I’m a deputy editor, not a security professional). And the list goes on…

The frustrating thing is that there lies hidden somewhere within the spurious scare-mongering a real business issue. Companies are beginning to lose control of their data. Laptops and other mobile devices are being left in the backs of taxis, in pubs and in hotels.

Even the House of Lords recognises how important the issue is. In August, its Science and Technology Committee published its findings on personal internet security. Again, so what, one may well ask. Well, this is actually quite important, because the House of Lords recommends the UK bring in a ‘data breach notification law’ which would require companies that leak personal information – whether because of a hacked website, stolen laptop or lack of security – to inform the authorities.

The law is already in place in 35 US states, which probably goes a long way to explain why the vast majority of stories originate from the other side of the Atlantic. The fact we haven’t yet got such a law also lends weight to the theory that the stories above are only the tip of the iceberg. As Richard Clayton, a Cambridge University IT security expert who acted as special adviser to the Lords, says: “It’s a simple, low-key law, but it produces all the right incentives for taking security seriously.”

So, while it’s obvious that there’s a serious issue here, must the IT security industry really use it to force through another marketing campaign? I would argue not. And, just for the record, no, I don’t want to meet someone to talk about data leakage. I did that ten years ago – back then it was called a security breach.
