
Complying with the requirements of European legislation for data protection is a key challenge for organisations. The high-profile data-handling fiascos of recent months have underlined this. Financial directors have for too long ignored the importance of protecting data; urgent attention to both the spirit and the letter of the law is now required, especially as a much tougher regulatory regime approaches.

The EU Data Protection Supervisor – the independent authority responsible for protecting personal data in the EU – recently pushed for the EU e-Privacy Directive to be amended to provide for a pan-European data breach notification requirement. In parallel, the UK Information Commissioner, who enforces the Act in the UK, has been empowered to levy fines in cases where the UK Data Protection Act (DPA) has been disregarded. Changes to data security regulation are inevitable after the dramatic press coverage of failures to safeguard personal data records, including the HM Revenue & Customs CD-ROM fiasco and the prolonged theft of TJX credit card records. In France, Germany and Spain, the national data protection commissioners have been stepping up their enforcement activity, which includes increasingly substantial fines for non-compliance.

Organisations now urgently need to assess the size of the issue, the potential impact of a data breach on their organisation, and the best-practice steps for mitigating the data breach risk.

The source of the problem

The IT Governance Data Breaches Report identifies that spectacular data breaches are not caused by the misdemeanour of a junior employee, but arise from systemically inadequate information security arrangements at the organisations where the incident occurs. A data breach is ‘the unauthorised disclosure by an organisation of personally identifiable information, where that disclosure compromises the security, confidentiality or integrity of the data that has been disclosed’.
Attrition.org’s database of data loss and data theft incidents shows a ten-fold increase in the number of reported data breaches – in the US, the UK and across Europe – since 2004. The peaks in reported data breaches following the disclosure of nationally significant breaches, such as the UK’s HMRC data loss, suggest that there were – and probably still are – many data breaches that go unreported; research suggests that organisations are reluctant to officially report data breaches unless they have already been exposed. The evidence suggests that waiting to be found out is not the best strategy.

Data protection is receiving attention for three reasons:

1. Identity theft is a low-risk, high-return option for organised crime. Traditional crime, including violent robbery and theft, has clearly identifiable risks: it is easy to be caught on CCTV, seen by witnesses or identified by means of DNA, and the returns are relatively low. High-tech crime, however, creates real problems for the police and is relatively low-risk for the criminal. Contributing factors include the perpetrator’s anonymity, the speed of the crimes, the volatility or transience of evidence, the trans-jurisdictional nature of cybercrime and the high cost of investigation.

2. Legal and regulatory initiatives, such as the EU Data Protection Directive and California’s data breach disclosure law SB1386, have formalised the concept that personal data must be legally protected, and have introduced penalties for failure to do so. Recent amendments to the DPA and changes to regulation in the EU, which are introducing significant financial penalties for non-compliance with the Directive, make this an urgent issue for UK organisations.

3. The proliferation of mobile data storage devices has changed the boundaries of where data is stored and has effectively eliminated ‘fixed fortifications’ as an effective tool for preventing data breaches.
Costs and compliance

The Ponemon report of 2007 commented that ‘the investment required to prevent a data breach is dwarfed by the resulting costs of a breach’ and that ‘the return on investment and justification for preventative measures is clear’. The costs of a data breach – legal costs, the costs of restitution, brand damage, lost customers and so on – are significant; for financial services organisations, the cost was about £55 per compromised record. Separately from legal compliance, if an organisation has a credit card-related data breach and is found not to be in compliance with the Payment Card Industry Data Security Standard (PCI DSS), there can be severe contractual and financial penalties, including a bar on the business accepting payment cards.

All these factors make the protection of personal data a key business and compliance responsibility. There are nine key steps that every organisation should take.

As a minimum:

1. Encrypt personal data on laptops; whole-disk encryption is a more secure solution than folder- or file-level encryption, and FIPS 140-2 is the recognised standard for encryption.
2. Encrypt all removable and portable media that might contain personal data, including USB drives, CD-ROMs and magnetic backup tapes.

In addition:

3. Establish procedures to ensure the physical destruction of redundant computer drives, magnetic media and paper records prior to disposal, and ensure that disposals are made in line with a formal data retention timetable.
4. Organisations that accept credit and other payment cards should also comply with the PCI DSS.
5. Provide regular training and awareness on legal responsibilities for all staff who deal with personal data.
6. Deploy outbound-channel (email, instant messenger) filtering software with customised dictionaries for relevant legislation and standards, such as the Data Protection Directive and PCI DSS.
7. Establish a vulnerability patching programme and implement anti-malware software.
8. Implement a business-driven access control policy, combined with effective authentication.
9. Develop an incident management plan that enables the organisation to respond effectively to any data breach.