26 Jan 2009
In recent years there has been a disturbing string of high-profile blunders that has seen portable hard drives and memory cards containing sensitive data being lost in a variety of locations. Unfortunately, as the cost of these pocket-sized storage devices plummets and their use becomes more widespread, experts are warning this already serious data loss trend is set to get much worse.
KPMG’s latest Data Loss Barometer report notes that 2008 was the worst year on record for information accidents, with 92 million individuals across the globe directly affected. However, it warns that ‘we ain’t seen nothing yet’, estimating 190 million people around the world are set to fall foul of data loss incidents in 2009.
Private sector businesses of all sizes are guilty of allowing staff to transport sensitive data on thumb drives. But it is government departments that have been particularly vigorous offenders, with an estimated 30 million-plus public records “lost” in the past two years alone. Given that 25 million personal records were sent into the great blue yonder by HM Revenue & Customs in a single incident in November 2007, this is almost certainly a conservative estimate.
We have seen the loss of the personal details of every family in the UK with a child under the age of 16 and a contractor for the Home Office mislaying a portable media device detailing the records of every prisoner in England and Wales. The latest in this long and ignominious series of blunders occurred when a worker lost a memory stick with sensitive patient information pertaining to more than 6,000 prisoners.
In light of this, the Cabinet Office published its Data Handling Procedures in Government report last year advising that all sensitive data being transferred onto portable memory devices should be encrypted.
However, data obtained recently through a Freedom of Information Act inquiry by UK public relations firm Lewis indicates the government’s guidance is being widely ignored by its own departments.
The Department of Health and the Department for Transport both admitted allowing staff to use portable memory drives without encryption. Other departments, including the Department for Children, Schools and Families, and the Ministry of Justice, indicated that they advocate encryption of data on removable media, but did not clarify whether the measure is mandatory or simply recommended.
Despite the fact that existing legislation, most notably the Data Protection Act, covers the need for encryption, law firm Eversheds says that implementation of existing guidelines is “the most challenging aspect” for government and the wider business community. And it is clear that, unfortunately, the scale of this problem goes far beyond Whitehall. The vast number of records involved and the sensitivity of some of the data that has been lost by government departments have made for sensational headlines, but it is fair to suppose this is just the tip of the data-loss iceberg, with private firms haemorrhaging data in a similar fashion.
Such was the concern of the Information Commissioner’s Office that it was instrumental in compiling another report, the Data Sharing Review, in July last year. Undertaken by Richard Thomas, the Information Commissioner, and Dr Mark Walport, the director of the Wellcome Trust, this report proposes a wide-ranging set of recommendations including the need to: “Clarify and simplify the legal framework governing data sharing, including provisions to guarantee better and more authoritative guidance for practitioners.”
This should set alarm bells ringing for businesses, too. Apart from the danger of commercial or reputational damage associated with a data loss incident, legal experts agree it is likely to be only a short time before elements of the Data Sharing Review and the Data Handling Procedures in Government are implemented.
Such a move is likely to dramatically increase penalties for data loss incidents, leaving firms open to potentially hefty fines or criminal charges if they do not comply with tightened data security legislation.
The threat of such penalties must make firms and public sector organisations finally wake up to the fact that they have a duty of care over the data which has been entrusted to them. There can be no technical excuses.
Enterprise encryption is not rocket science and the technology has advanced significantly over recent years. In fact, basic levels of protection can be relatively inexpensively implemented without creating serious management or performance issues.
However, as with so many IT projects, considering the human factor is paramount. An important caveat is that the technology must be literally foolproof, in the sense that it needs to be deployed in such a way that it is not possible for lazy members of staff to circumvent it. This means that every time data is copied to a portable media drive or laptop, it is always encrypted without exception.
We have all been warned.