Monday, 24 March 2008

Your life details in their hands


Things might be looking up on the electronic data protection front. It's four weeks since the last security lapse (a confidential Home Office disc was found on a laptop computer that was sold on eBay).

The MoD is taking action on the security of third-party records, and last November the Prime Minister announced that Government will give the Information Commissioner the power to conduct spot checks on Government Departments, to do everything in his and Government's power to secure the protection of data.

There is still some way to go before the public's confidence is restored. A survey of 1,000 members of the public, which was sponsored by Symantec and conducted by Ipsos MORI, found 62 per cent of respondents felt their personal data being held by government departments was at risk.

William Beer, Symantec's European security practice director, commented: "Public confidence has been shaken. Six out of 10 people is a sizeable majority but I won't say the results surprised us. This is impacting people and it's not to do with their behaviour online. With this breach, it wasn't possible to change their behaviour to improve security. If this had been a merchant or online store, people could consider not doing a transaction."

Beer also said: "The new databases are causing a fair amount of legitimate concern in the public's eyes. If the government can't manage the current data set, how will it manage more sensitive data like biometrics?"

The public does not have much confidence in corporations to guard data either, the survey found, with 61 per cent of respondents saying they did not trust businesses to safeguard personal details.

Beer called for a UK data-breach notification law, which would require organisations that suffer a data breach to notify affected parties. He said the law would incentivise companies to better look after their data and that technical means were not enough to secure data.

He said: "It's a myth that technology is a silver bullet. Encryption will definitely help but there are times when you can't use it - there may be issues with keys, or passing the data set. There is a lot of focus needed on awareness [among end users of potential security problems, which is] often a challenging part of a security project. Companies have policies in place and technology in place but the weak link is the individual."

Roll-call of shame

Here is a round-up of incidents which I have gleaned from the last twelve months of reports. There are almost certainly many more which I have missed:
- Learner driver details go missing;
- Nationwide fined nearly £1m for security lapses;
- Countrywide Insurance in Cardiff;
- Stolen laptop puts 16,000 council staff at risk;
- Banks putting customer details out with the refuse;
- Norwich Union has "issues with" Indian offshore security;
- Halifax mortgage data stolen;
- TK Maxx credit card details;
- Patient details on a flash memory device;
- MoD lose Navy data on laptops;
- Court data on CD-ROM is lost in the post;
- and the big one by the Revenue.

Note that commercial and financial services organisations are culprits alongside government.

1 comment:

Frank H Little said...

The increased awareness of security leaks has caused MPs to drag historical data out of government. Sarah Teather's office gleaned the information that over a thousand government laptops and mobile phones have been lost or stolen since 2001.

The Department of Justice and its predecessors had the worst figures, having lost 342 laptops and mobiles.