
Look to the top of the organisation
Published: 17 September 2008 08:00 GMT
To prevent the loss of sensitive data, organisations must change their cultures, says lawyer Stewart James - from the bottom up.
Safeguarding data for government departments has never been an easy task but the last few weeks could lead to greater regulatory and commercial scrutiny than ever before.
In August PA Consulting, working as an external contractor on the Home Office JTrack system, was forced to admit to the loss of data files containing the personal details of tens of thousands of prisoners and other offenders. Within a couple of weeks the Home Office announced its decision to terminate its contract with PA Consulting as a direct result of that loss - and is considering whether to terminate further contracts it has placed with the company. In the meantime PA Consulting has dismissed employees who had been working on the JTrack project.
In 2007 an investigation by the Independent Police Complaints Commission into the loss of child benefit records by HMRC revealed failures in institutional practices and procedures concerning the handling of personal data, including a lack of understanding of the importance of data handling. As a result of this episode the Cabinet Office implemented new procedures and measures and has published a policy for information security.
Government will now be focusing its attention on the information security practices, procedures and policies of private sector suppliers. Certainly the Home Office has declared its intention to apply the lessons learned to future contracts where sensitive data is to be provided to external consultants. In July the use of the security provisions contained in its 'model IT services agreement' was made mandatory by the Office of Government Commerce for all future public sector ICT contracts.
Steps have been taken to introduce data breach reporting obligations through both national and European legislation. In the US such reporting obligations provide an amnesty for the organisation that notifies the authorities of the loss. However, this does not protect the person most at risk: the subject of the lost data.
What is required is a cultural change - these losses have occurred through human error and there is a clear need to develop policies, educate employees and then to enforce the rules.
Reports by a number of independent research organisations indicate the pervasive use of memory sticks to store and transport confidential information. They also indicate that the majority of employees store work-related files on computer hard drives.
Memory sticks are inherently easy to lose because of their small size; they are also equally convenient when used to facilitate the process known as 'data leakage'. If such devices are to be permitted by an organisation then appropriate controls must be used - the minimum standard should be to ensure that information held on the device is always encrypted.
Laptop computers, PDAs and other mobile computing devices are necessary tools in the modern commercial environment. However, these devices are easy to steal and it must be remembered they can contain a large amount of personal data and confidential commercial information in the form of emails and contact lists as well as work files.
Data loss
Key issues
1. Information security is a boardroom issue that affects the survivability of an organisation
2. Most data losses arise out of a cultural failure to ensure information security - to correct such failings requires strong leadership from the executive
3. Information assurance involves the activities necessary to ensure the integrity, confidentiality and availability of corporate data
Encryption is part of the solution again but equally individual responsibility must be accepted in exchange for the right to use a laptop - being mugged is a very different situation from leaving a laptop on display in the back of a parked car, for instance.
Information assurance is vital to ensure the integrity, confidentiality and availability of corporate data. Guidance on establishing the necessary policies and procedures to achieve a good level of security is provided by the ISO 27000 series standards. Unfortunately, information assurance is, like any other form of insurance policy, seen as an overhead that does not contribute to the profitability of an organisation.
The consequences of a failure of information security are clearly a boardroom issue - the loss of business for PA Consulting, whether or not the Home Office terminates its remaining contracts, and the loss of reputation it has suffered in the process are severe.
This is not, therefore, a problem that should be delegated - this is a risk that affects the very existence of an organisation and cultural change requires strong leadership from the executive.
Stewart James is a partner at law firm DLA Piper.
DLA Piper is the world's largest global legal services organisation with more than 3,700 lawyers across 64 offices and 25 countries. Its award-winning technology, media and commercial practice employs 70 partners specialising in IT, telecoms, media, sport and IP law. Experts in convergence between the technology, communications and media sectors, it advises some of the world's leading multinational entertainment, media, sport and technology companies.