Legal Eye: Who's to blame for data loss?

Look to the top of the organisation

By Stewart James, 17 September 2008 08:00

COMMENT

To prevent the loss of sensitive data, organisations must change their cultures, says lawyer Stewart James - from the bottom up.

Safeguarding data for government departments has never been an easy task but the last few weeks could lead to greater regulatory and commercial scrutiny than ever before.

In August PA Consulting, working as an external contractor on the Home Office JTrack system, was forced to admit to the loss of data files containing the personal details of tens of thousands of prisoners and other offenders. Within a couple of weeks the Home Office announced its decision to terminate its contract with PA Consulting as a direct result of that loss - and is considering whether to terminate further contracts it has placed with the company. In the meantime PA Consulting has dismissed employees who had been working on the JTrack project.

In 2007 an investigation by the Independent Police Complaints Commission into the loss of child benefit records by HMRC revealed failures in institutional practices and procedures for handling personal data, including a lack of understanding of why careful data handling matters. As a result of that episode the Cabinet Office introduced new procedures and controls and published a policy for information security.

Government will now be focusing its attention on the information security practices, procedures and policies of private sector suppliers. Certainly the Home Office has declared its intention to apply the lessons learned to future contracts under which sensitive data is provided to external consultants. In July the Office of Government Commerce made the use of the security provisions contained in its 'model IT services agreement' mandatory for all future public sector ICT contracts.

Steps have been taken to introduce data breach reporting obligations through both national and European legislation. In the US such reporting obligations provide an amnesty for the organisation that notifies the authorities of the loss. However, this does not protect the person most at risk: the subject of the lost data.

What is required is a cultural change - these losses have occurred through human error and there is a clear need to develop policies, educate employees and then to enforce the rules.

Reports by a number of independent research organisations indicate the pervasive use of memory sticks to store and transport confidential information. They also indicate that the majority of employees store work-related files on computer hard drives.

Memory sticks are inherently easy to lose because of their small size; they are equally convenient for the process known as 'data leakage', the unauthorised copying of information out of the organisation. If such devices are to be permitted at all then appropriate controls must be used - the minimum standard should be to ensure that information held on the device is always encrypted, with the decryption key held separately from the device rather than stored alongside the data.
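What 'always encrypted' means in practice is worth spelling out, because a stick that holds the key next to the data, or that uses unauthenticated encryption, gives little protection once lost. The following is an added example, not code from the original article or from any product mentioned in it: it encrypts a file image destined for removable media with AES-256-GCM, writes a fresh random nonce in front of each ciphertext, and binds the ciphertext to its file name as associated data so that tampering or swapping blobs between files is detected on decryption. The 32-byte key is assumed to come from the organisation's own key store on the managed endpoint (the example simply generates one), and the file name and record contents are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Layout of the blob written to the removable device:
//   nonce (12 bytes, random per file) || AES-256-GCM ciphertext || 16-byte authentication tag
// The key itself is never written to the device; it stays on the managed endpoint.

// Seal encrypts plaintext for storage on removable media. The file name is used
// as associated data, so the blob is only readable under the same name.
func Seal(key []byte, filename string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce, giving nonce || ct || tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(filename)), nil
}

// Open decrypts a blob produced by Seal. Any modification of nonce, ciphertext
// or tag, a different file name, or a wrong key makes gcm.Open return an error.
func Open(key []byte, filename string, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(filename))
}

func main() {
	// Assumption: in a real deployment the key is issued by the endpoint's key
	// store and tied to the user; here it is generated for the demonstration.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample record; not real data.
	record := []byte("id=0001,name=sample,offence=sample")
	blob, err := Seal(key, "offenders_export.csv", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted blob is %d bytes (12 nonce + %d data + 16 tag)\n", len(blob), len(record))

	// A flipped bit anywhere in the blob is rejected rather than silently decrypted.
	blob[len(blob)-1] ^= 0x01
	if _, err := Open(key, "offenders_export.csv", blob); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
	blob[len(blob)-1] ^= 0x01
	pt, err := Open(key, "offenders_export.csv", blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted:", string(pt))
}
```

The design choice to note is authenticated encryption: a confidentiality-only mode would still hide the contents of a lost stick, but would not let the recipient tell whether a file had been altered in transit, and the per-file random nonce is what makes reuse of one key across many files safe.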

Laptop computers, PDAs and other mobile computing devices are necessary tools in the modern commercial environment. However, these devices are easy to steal and it must be remembered they can contain a large amount of personal data and confidential commercial information in the form of emails and contact lists as well as work files.

Data loss
Key issues

1. Information security is a boardroom issue that affects the survivability of an organisation

2. Most data losses arise out of a cultural failure to ensure information security - to correct such failings requires strong leadership from the executive

3. Information assurance involves the activities necessary to ensure the integrity, confidentiality and availability of corporate data

Encryption is again part of the solution, but equally the individual must accept responsibility in exchange for the right to use a laptop - being mugged is a very different situation from leaving a laptop on display on the back seat of a parked car, for instance.

Information assurance is vital to ensure the integrity, confidentiality and availability of corporate data. Guidance on establishing the necessary policies and procedures to achieve a good level of security is provided by the ISO 27000 series standards. Unfortunately, information assurance is, like any other form of insurance policy, seen as an overhead that does not contribute to the profitability of an organisation.

The consequences of a failure of information security are clearly a boardroom issue - the loss of business for PA Consulting, whether or not the Home Office terminates its remaining contracts, and the damage to its reputation suffered in the process, are severe.

This is not, therefore, a problem that should be delegated - this is a risk that affects the very existence of an organisation and cultural change requires strong leadership from the executive.

Stewart James is a partner at law firm DLA Piper.

DLA Piper is the world's largest global legal services organisation with more than 3,700 lawyers across 64 offices and 25 countries. Its award-winning technology, media and commercial practice employs 70 partners specialising in IT, telecoms, media, sport and IP law. Experts in convergence between the technology, communications and media sectors, it advises some of the world's leading multinational entertainment, media, sport and technology companies.

Comments

There are 5 comments.

  1. Joseph Webster

    I can only agree with your placement of responsibility for data breaches on executive management. However, the most fundamental threat responsible for the vast majority of actual damages due to data loss is the lack of management (or mismanagement) of the trust relationships between the organization and its employees and partners. That is most assuredly a C-level responsibility.

  2. Charles Smith

    You may outsource the work to a third party organisation, but you cannot outsource the responsibility.

    This data loss issue has now been around for years. There is no excuse. The people who approved the contract with PA had a duty to ensure that proper security measures were in place.

  3. Alistair Thomas

    The best collection of common sense I've seen on this subject for some time. Yes, responsibility starts at the top and deals with purpose. Why have the data? How to use it? Who's trusted? How to secure its use for the intended purpose, etc.

    The infrastructure/system then has to deny misuse.

    Why does sensitive data have to be downloaded/copied from "source" in a connected world? (accepting distributed data, backup, resilience etc)? Laptops should be terminals with no ability to store anything but approved and non sensitive productions based on the data. Sensitive reports get the same severe and need-to-see only treatment as the data itself.

    You can limit people's level of access. You could monitor who has accessed the data, and if you extended usage to include approved project codes, you could even store details of what purposes the data was accessed for. Sure this level of security will be slow, possibly even erratic remotely, but better safe than sorry. When did convenience become a key driver where security is concerned?

  4. Alastair Warren

    Why isn't government, or anybody else using BS7799, or its ISO counterpart?

  5. Steve Mathews

    I have always believed that whilst boards of management, whether commercial or governmental, have no pain to fear from the results of poor governance of personal data under their control, they will take no action. Profit or cost 'priorities' will always intervene. So while the risk analysis parameters stemming from BS7799, to which I contributed, are inherently sensible, they need incentives to ensure management focuses on prevention of loss at least as much as on cost and profit.
