IT strategy: Breach bum

In recent years there has been a disturbing string of high-profile blunders
that has seen portable hard drives and memory cards containing sensitive data
being lost in a variety of locations. Unfortunately, as the cost of these
pocket-sized storage devices plummets and their use becomes more widespread,
experts are warning this already serious data loss trend is set to get much
worse.

KPMG’s latest Data Loss Barometer report notes that 2008 was the worst year
on record for information accidents, with 92 million individuals across the
globe directly affected. However, it warns that ‘we ain’t seen nothing yet’,
estimating 190 million people around the world are set to fall foul of data loss
incidents in 2009.

Private sector businesses of all sizes are guilty of allowing staff to
transport sensitive data on thumb drives. But it is government departments that
have been particularly vigorous offenders, with an estimated 30 million-plus
public records “lost” in the past two years alone. Given that there were 25
million personal records sent into the great blue yonder by HM Revenue &
Customs in November 2007 in just one incident alone, this is almost certainly a
conservative estimate.

We have seen the loss of the personal details of every family in the UK with
a child under the age of 16 and a contractor for the Home Office mislaying a
portable media device detailing the records of every prisoner in England and
Wales. The latest in this long and ignominious series of blunders occurred when
a worker lost a memory stick with sensitive patient information pertaining to
more than 6,000 prisoners.

In light of this, the Cabinet Office published its Data Handling Procedures
in Government report last year advising that all sensitive data being
transferred onto portable memory devices should be encrypted.

However, data obtained recently through a Freedom of Information Act inquiry
by UK public relations firm Lewis indicates the government’s guidance is being
widely ignored by its own departments.

The Department of Health and the Department for Transport both admitted
allowing staff to use portable memory drives without encryption. Other
departments, including the Department for Children, Schools and Families, and
the Ministry of Justice, indicated that they advocate encryption of data on
removable media, but did not clarify whether the measure is mandatory or simply
recommended.

Despite the fact that existing legislation, most notably the Data Protection
Act, covers the need for encryption, law firm Eversheds says that implementation
of existing guidelines is “the most challenging aspect” for government and the
wider business community. And it is clear that, unfortunately, the scale of this
problem goes far beyond Whitehall. The vast number of records involved and the
sensitivity of some of the data that has been lost by government departments has
made for sensational headlines ­ but it is fair to suppose this is just the tip
of the data-loss iceberg, with private firms haemorrhaging data in a similar
fashion.

Such was the concern of the Information Commissioners Office, which was
instrumental in compiling another report, the Data Sharing Review, in July last
year. Undertaken by Richard Thomas, the Information Commissioner and Dr Mark
Walport, the director of the Wellcome Trust, this report proposes a wide-ranging
set of recommendations including the need to: “Clarify and simplify the legal
framework governing data sharing, including provisions to guarantee better and
more authoritative guidance for practitioners.”

This should set alarm bells ringing for businesses, too. Apart from the
danger of commercial or reputational damage associated with a data loss
incident, legal experts agree it is likely to only be a short time before
elements of the Data Sharing Review and the Data Handling Procedures in
Government are implemented.

Such a move is likely to dramatically increase penalties for data loss
incidents, leaving firms open to potentially hefty fines or criminal charges if
they do not comply with tightened data security legislation.

The threat of such penalties must make firms and public sector organisations
finally wake up to the fact that they have a duty of care over the data which
has been entrusted to them. There can be no technical excuses.

Enterprise encryption is not rocket science and the technology has advanced
significantly over recent years. In fact, basic levels of protection can be
relatively inexpensively implemented without creating serious management or
performance issues.

However, as with so many IT projects, considering the human factor is
paramount. An important caveat is that the technology must be literally
foolproof, in the sense that it needs to be deployed in such a way that it is
not possible for lazy members of staff to circumvent it. This means that every
time data is copied to a portable media drive or laptop, it is always encrypted
­ without exception.

We have all been warned.