This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://management.silicon.com/itdirector/0,39024673,39169286,00.htm


HMRC's missing discs: Just a warning shot
Real breaches could topple governments...

By Stewart Room

Published: Tuesday 27 November 2007

The outcry over the missing 25 million child benefit records rumbles on. But the HMRC's wayward discs were a mere dry run, argues Stewart Room. Wait until we see the consequences of a really bad data breach.

Public outrage about the HMRC's catastrophic data protection failure is justified. But the scale of the problem has yet to be understood. Yes, the HMRC case acts as an important wake-up call but it represents only the tip of the iceberg of poor information handling.

Shoddy practices are widespread, extending throughout the private sector as well as the public sector. Data security is an international problem, comparable in scale to climate change - but not enough is being done to tackle it.

Evidence for these conclusions can be found in the US experience, where laws obliging organisations to report security breaches are widespread. This type of legislation leaves organisations with no room to hide. If the US legislative agenda were to be rolled out across Europe, countless examples like the HMRC incident would be regularly reported.

Fortunately, we have not experienced the full potential of a data security breach. If we do, governments could topple and economies could be dumped into recession.

For instance, what would happen if there was a catastrophic failure of data security within the heart of the already-creaking financial services sector, rather than at the periphery? Would we see a mass run on banks on a scale that would make Northern Rock look like a happy memory? Sure we would - there would be widespread panic.

And what would the consequences of a catastrophic failure of data security within the communications sector be? Or within law enforcement? Or within other critical national infrastructure?

The HMRC case presently points to just one form of security risk - human error. The others - malicious activity, whether human or technological, and failure of technology through hardware or software faults - have not been exposed by the HMRC case.

These other risks arguably carry with them the potential for far greater damage than can be caused through mere negligence.

At the heart of the problem is a fundamental disconnect between the law, its application and business priorities. The law, in the UK represented by the Data Protection Act, is not fit for purpose. It is the embodiment of ideas from the late 1960s and it is well past its sell-by date.

The HMRC case tells us the law's focus on geographical considerations - Europe adequately protects data but other regions do not - and its promotion of contractual solutions, such as consent to processing being a criterion for legitimacy, cannot provide sufficient protection. Data protection laws need to be fundamentally re-evaluated, with technological solutions being brought to the fore.

The disconnect is also represented by the law's unforgivable approach to sanctions. Yes, there will always be a place for the carrot approach to compliance - comply with data protection laws and you will maintain trust, reputation and brand.

But at the moment there needs to be a significantly bigger stick. Data controllers need to fear the law, but at the moment they have very little reason to do so.

For instance, the regulator, the Information Commissioner, does not have the power to fine errant organisations. What is the justification for this given that the FSA was able to fine Nationwide £1m for a security breach in February this year?

silicon.com's Full Disclosure campaign - what we are asking for...

silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.

We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

Similarly, the law's approach to criminal penalties makes a mockery of data protection. The chances of being convicted for a criminal offence are virtually zero. Finally, those of us who suffer the effects of a security breach find it virtually impossible to bring court proceedings for compensation.

Of course, we should not forget the government has just announced the Information Commissioner will be given the right to audit public bodies, which on any analysis is an improvement on the present position. But we can be forgiven for being cynical about the benefits that this will actually deliver, because the commissioner has neither the staff nor resources to make much use of this power.

Worse still, how can the commissioner properly follow up a spot check when he cannot levy fines or bring criminal proceedings? And what is the justification for the private sector's immunity from inspection?

These failings of law mean that organisations feel little real incentive to get their houses in order. Thus, the compliance function within the organisation, if it exists, is disconnected from the boardroom.

Extraordinary events aside, data protection gets insufficient airtime within most organisations. It is still considered to be a cost base rather than a profit centre and that drives the subject down the order of priority. Once the current uproar fades, the status quo will remain.

It is inevitable that Europe will begin building Data Protection Directive Version 2. But while waiting for that process to start, national governments must equip the regulators and the courts with the powers that they need to get organisations into shape.

The message needs to be delivered that HMRC is an alarm bell, not the worst case scenario. Touch wood, so far we have got off lightly. If sufficient action on information security is not taken urgently, next time the outcome could be far, far worse.

Stewart Room is a partner at Field Fisher Waterhouse LLP and the president of the National Association of Data Protection Officers
