A little mishap

Do you worry about leakage? Because, if not, you probably should. It can be
embarrassing and, in many cases, illegal. Just ask Jeffrey Kindler, chief
executive of American drug company Pfizer, whose company has been at the wrong
end of newspaper headlines all summer because of Pfizer’s apparent inability to
get to grips with the issue.

And then there’s the NHS. Leakage in the NHS, you probably won’t be too
surprised to hear, can reach biblical proportions and there are several recent
stories that illustrate this rather nicely, one of which was a rather
embarrassing case involving a celebrity…

I am, of course, talking about data leakage. And yes, you’ve guessed it, the
security industry has invented a neat new acronym to go along with it: DLP,
which stands for data leakage protection or data loss prevention, depending on
which particular salesman you happen to be talking to.

So what exactly is the problem? In one of Pfizer’s cases (and there are
several) laptops which contained confidential employee data as well as
proprietary company information were stolen from the locked car of a contractor
who, at the time, was working for the company.

As for the NHS? Well, the sexy story is that scores of NHS employees viewed
the electronic records of a celebrity who was admitted into hospital. So what,
one might reasonably ask. The problem is that looking at anyone’s medical
records is unprofessional at best, almost certainly immoral and illegal at

But there are many, seemingly mundane, stories from the NHS which, with
greater inspection, pose far more serious problems. A survey carried out by
Pointsec Mobile Technology together with the British Journal of Healthcare
Computing and Information Management in summer last year found that half of NHS
professionals use their own devices to store confidential patient information.
And 20% of those devices are then left unencrypted and without password
protection. USB sticks proved to be the most popular device for storing this
sensitive information for very sensible reasons – they are, after all, extremely
reliable, mobile and easy to use.

But fast-forward a year to July this year, and you come across a story of a
USB stick containing highly sensitive and confidential patient information being
stolen from a junior doctor. “The trust had an obligation to personally inform
the patient and now faces a compensation claim,” said Matthew Daunt, a doctor
from the Nottingham University Hospitals Trust, from where the USB device was

And these stories are just the tip of the iceberg. Ameritrade, a US stock
brokerage, recently had information on more than 6.3 million customers stolen
and the global job site,, experienced a similar embarrassment around
the same time.

The problem is so bad that I’ve been unlucky enough to receive several emails
on the subject. One such email was an invitation to meet the market leader in
DLP to discuss the launch of its latest product. Another was from an
“incredulous” security company which was complaining about how certain other
companies had allowed this type of thing to happen. Yet another was an invite to
Orlando to talk about the issue with a couple of hundred other “security
professionals” (I think they must have had a data integrity issue – I’m a deputy
editor, not a security professional). And the list goes on…

The frustrating thing is that there lies hidden somewhere within the spurious
scare-mongering a real business issue. Companies are beginning to lose control
of their data. Laptops and other mobile devices are being left in the backs of
taxis, in pubs and in hotels.

Even the House of Lords recognises how important the issue is. In August, its
Science and Technology Committee published its findings on personal internet
security. Again, so what, one may well ask. Well, this is actually quite
important, because the House of Lords recommends the UK bring in a ‘data breach
notification law’ which would require companies that leak personal information –
whether because of a hacked website, stolen laptop or lack of security – to
inform the authorities.

The law is already in place in 35 US states, which probably goes a long way
to explain why the vast majority of stories originate from the other side of the
Atlantic. The fact we haven’t yet got such a law also lends weight to the theory
that the stories above are only the tip of the iceberg. As Richard Clayton, a
Cambridge University IT security expert who acted as special adviser to the
Lords, says: “It’s a simple, low-key law, but it produces all the right
incentives for taking security seriously.”

So, while it’s obvious that there’s a serious issue here, must the IT
security industry really use it to force through another marketing campaign? I
would argue not. And, just for the record, no, I don’t want to meet someone to
talk about data leakage. I did that ten years ago – back then it was called a
security breach.