Data Loss and Privacy Risk - A Top Priority in 2008

Introduction

The loss of a laptop containing medical records for 5,000 people was just one of a drip-feed of data privacy breach news stories in the past year. Public sector incidents alone led to over 37 million UK citizens having their personal data lost or stolen.

The leakage of 25 million child benefit records at HMRC last November was the world's 5th largest reported data loss incident. With incidents at the DVLA, the MoD, NHS and US Government agencies, it seemed the issue of lax data security was a public sector problem.

But private enterprise also grabbed headlines in 2007, dubbed "The worst ever year for data protection" by website The Register. TK Maxx lost 5 million UK credit card records, Monster.com had details of 3 million customers taken, at loans.co.uk 250,000 private customer records were stolen & sold and Leeds Building Society lost data on its entire workforce.

Commercial Concerns

Loss of customer data is not the only worry in the private sector. A rising tide in Merger & Acquisitions and intensely competitive market has flagged the protection of commercially sensitive data as an equally strong concern.

Company directors and senior public officials are now taking steps to review policies, implement sensitive data procedures and assess the risks of their organisations losing private or commercially sensitive data. Sectors at high risk include Retail, Financial Services, Utilities and Professional Services.

Legislation & Standards

Protecting customers' data privacy and that of the company not only makes sound business sense but is also becoming the subject of industry, government & EU regulation. According to security consultancy Vigitrust, laws such as the European Union Data Protection Directive and equivalent U.S. regulations have resulted in information security becoming a board level action item.

It would be a mistake for UK & European organisations to ignore U.S. legislation in this area as it may also be binding on companies trading with US consumers. Regulations such as California Senate Bill 1386 apply to "any person or business that conducts business in California" even if they are located outside the U.S.

Many organisations are pursuing ISO 27001 accreditation, the Information Security Standard (formerly BS7799). Larger retailers are striving to meet the Payments Card Industry (PCI) standard pioneered by Visa & MasterCard to address identity theft.

The public sector responded to its 'annus horibilis' by mandating data encryption on all laptops, but also by disseminating Information Governance standards on data privacy to all public bodies and practical assistance such as the 'Information Governance Toolkits'.

Risk mitigation software vendor The Irish company, best known for detecting & reporting on illicit image abuse, has been conducting 'Discovery Audits' to detect unprotected sensitive data on company networks since 2007; its auditors found such unprotected data in over 36% of all IT resources scanned, including 46% of PCs, 32% of e-mail accounts and 30% of file servers. In each case, it required at least 20 instances of suspected privacy data to be detected in a document before being logged as 'suspect'.

Risk assessment - Where to start?

Best practice begins with a risk assessment to detect actual data breaches or the existence of 'data at risk'. In order to help corporations gain visibility of this risk, The Irish company offers a complimentary 'Discovery Audit' to detect and report on the presence of sensitive data at rest.

The Irish company Privacy Auditor software will scan for sensitive data such as Credit Card, Bank Account or National Insurance numbers, encryption keys etc. held in plain text on e-mail, desktop PCs, laptops and file servers. The Irish company Privacy Auditor can, on request, remove or encrypt such data for the client.

During this engagement, the organisation may nominate specific sensitive data or documents to be detected on its network, such as commercially sensitive financial data. A comprehensive report is delivered, together with suitable recommendations.

With the public focus on risk & compliance in the treatment of sensitive data, an early risk assessment is now considered the essential starting point to protecting the best interests of taxpayers, customers, companies and ordinary citizens alike.