Alan Calder, IT Governance: Learn To Avoid Data Fiascos, Or Risk New FSA Penalties
Alan Calder, Chief Executive of independent information security experts IT Governance, explains how complying with data protection legislation is a challenge many organisations are still struggling to meet.
For every action there is an equal and opposite reaction – and after prolonged inaction on the issue of safeguarding private data many public and private sector organisations may be about to feel some harsh consequences.
The UK’s financial services regulator, the Financial Services Authority, has signalled to retail banks that it may be prepared to start punishing board-level executives for failures by their organisations to adequately protect customer information. This move is bred of a frustration that executives may still be palming-off overall security responsibilities onto the IT department, instead of accepting that the buck must stop with them. Under this new regime, chief executives, compliance officers and board-level IT directors could all be held individually accountable, truly a culture shock for the complacent.
In an age when ‘identity theft’ has become an everyday term we might have thought that banks would recognise that protecting customer information is a fundamental aspect of customer care. Then again, having learned of the poor judgements and sheer folly that caused the present financial train wreck, it is clear that the many of basics of risk management simply haven’t had a look in.
Given that much of our national banking sector is now under public sector ownership or influence, it is to be fervently hoped that the FSA’s fine words might be turned into deeds. If the issue is allowed to drift further, while more and more data is concentrated under ever fewer market titans, the risks to personal data in the UK can only worsen.
Worryingly, however, Her Majesty’s Government doesn’t exactly have a great track record when it comes to protecting personal data either. The loss of millions of child benefit records, the constant mislaying of MoD laptops and dossiers, and so forth, are all part of the same problem – an institutional failure to define and implement basic compliance procedures in line with the requirements of the Data Protection Act (DPA).
Such slackness is partly what has prompted the much tougher regulatory regime that is now coming into place, heralded by instances such as the major fines levelled by the FSA on Nationwide Building Society (£980,000) and Norwich Union/Aviva (£1.26 million), both criticised for failing to adequately protect personal data. Added to this there is the recent introduction of the Criminal Justice and Immigration Act, which brought in a system of ‘substantial’ fines for organisations failing to meet their compliance obligations.
Meanwhile, 2007’s Poynter Report confirmed what had been plain to anyone following the string of data losses occurring in the public sector: these aren’t just the acts of rogue employees (and it frankly beggars belief that this was the original explanation offered for the HMRC fiasco). Instead, they are emblematic of a continued failure to properly embed data security procedures and training into the organisational culture.
Indeed, research suggests that many data breaches go unreported and managers are very reluctant to officially report data breaches unless they have already been exposed.
It’s not like this stuff is going to go away, after all. Identify theft and other data abuse are low-risk, high return options for organised criminals: viz the perpetrator’s anonymity, the speed at which crimes can be committed, the volatility or transience of evidence, the trans-jurisdictional nature of cybercrime and the high costs of investigation. Traditional crime, in contrast, including violent robbery and theft, has clearly identifiable risks: it is easy to be recorded on video by CCTV, seen by witnesses or caught by means of DNA, and the returns are relatively low. High-tech crime creates real problems for the police force and is, conversely, relatively low-risk for the criminal.
Which makes it even more astonishing how few organisations are willing to commit the relatively modest investment needed to start fighting back. Doing nothing costs money in any case. The costs of data breaches – legal, restitution, brand damage, lost customers and so on – are significant and it has been suggested that for financial services organisations this can run up to around £55 per compromised record, in a context where breaches many involve deca-thousands of such exposed files. According to a January study on information economies by McAfee, data breaches cost the world’s companies an estimated £700bn in 2008.
And while not involving legal compliance, if an organisation has a credit card-related data breach and is found to be in non-compliance of the Payment Card Industry Data Security Standard (PCI DSS) there are potentially severe contractual and financial penalties waiting in the wings, including a bar on the business accepting payment cards.
All these factors make the protection of personal data a key business and compliance responsibility. Fixing the problems calls for more than some extra IT investments – this is a root and branch managerial job to achieve data protection compliance, involving training, process change and the adoption of best practices. It isn’t a matter of choice – the public and private sectors owe it to us, as their customers, to protect our data. Hopefully, the FSA’s warning will have the positive side-effect of prompting a drastic rethink by all organisations working with client data.
And yet, compared to many of the investments made by the public sector and companies, this all comes at a bargain price. Poynter told us “the investment required to prevent a data breach is dwarfed by the resulting costs of a breach” and that “the return on investment and justification for preventative measures is clear”.
The verdict is obvious: any organisation not addressing its information security needs with a formal compliance regime is plainly risking not just horrendous financial penalties – it may be putting its very survival on the line.