
Are there times when we should say, 'It's not even worth taking the risk'?
By silicon.com
Published: 8 February 2005 10:45 GMT
It's been a week of security leaks – from military documents in the Netherlands to Homeland Security breaches in the US. Yesterday we learned about the 230,000 possible spies in Poland whose identities were made available on the internet.
The nature of storing data online or offline is that there is potential for it to be breached or leaked – accidentally or through someone maliciously gaining access.
In determining what security they need in place, companies or organisations must consider what level of exposure they have to risk. High-risk sectors – such as banks or government departments – will hopefully have security to match.
It's understandable if a small firm of labourers who use a computer to print off invoices and manage their payroll perhaps worry less about the steel gates of cybersecurity. It's inexcusable if those whose data could be life or death don't take every possible measure.
But do we think enough about the worst-case scenario – what happens when, not what if, those defences are breached?
Very few people will admit it but part of the planning stage for any security system must be the question 'what can we afford to lose and under what circumstances?' Some may hide behind 'acts of God' as the only toleration; others may be willing to take greater risks in a trade-off against efficiency and interoperability. Companies will closely define their risks. But do companies or organisations ever say – especially internally – 'we cannot under any circumstances afford to lose anything'? In truth it's unlikely.
Take those three recent examples. The Homeland Security breach actually did little other than reveal the extent of Stateside paranoia. The Dutch military leak came close to exposing a number of phone-tapping exercises which could have had serious implications. But by far the worst was the third. The lives of Polish citizens have now been put at risk – their Prime Minister claims – by the publication of names of individuals linked by the secret police to spying commissions during the communist heyday of Poland.
In the Dutch case, if a workplace culture has been created where staff are inclined, or even able, to take such information home then the breach was inevitable and the 'what-ifs' were more of a 'when'.
And the 'what-ifs' can even get worse. Recently silicon.com covered a web initiative by the UK police to allow the anonymous reporting of paedophiles. Which is a great idea for as long as the innocent aren't wrongly identified due to the leaking of speculative neighbours' suggestions, or individuals wrongly exposed by somebody with a grudge.
Of course through these methods the police will hopefully catch more paedophiles but if the data falls into the wrong hands – those members of the public with all-too-frequent mob-rule tendencies – then you start to fear for innocent lives.
But we can't run from these issues or put them off. There has to be a balance because the benefits doubtless far outweigh the worst-case 'what-ifs'.
silicon.com would never advocate remaining in the dark ages simply for fear of what might happen if things go wrong online. However, putting information online means its potential exposure to those who would abuse that data increases.
But we would advocate establishing more carefully which databases are the ones where genuine 'zero' tolerance is required regarding breaches. Invariably it is not going to be where companies or cash are most at risk but where human lives will genuinely be put at risk, especially if they are jeopardised by false positive identification.