Are you safe?
By David Tebbutt, 17th December 2007 at 8:21 am
I see that our beloved leaders are knocking off tomorrow until January 7th. Slipping under the wire will be Alistair Darling to explain how our data will be safer in future. Sounds like a PR exercise to me, but I’ll be very interested to hear what he says. This is against a backdrop of stopping the police search for the missing HMRC CDs and a £20,000 reward for their safe return. But, apparently, Mr Darling is going to reassure us today.
The problem with this whole saga is that it’s got little to do with the discs and everything to do with the data on them. Unless they’re found down the back of the “junior civil servant”’s desk pedestal, the chances are good that the data has already been copied and created a time bomb for twenty five million people.
This isn’t news but it does give me an excuse to ask me about your own set up. Do you have information in your computer systems that you would not like others to see? We’re talking here principally about competitors and criminals, although feel free to let your imagination roam.
If the answer’s “yes”, are you certain that it could not leave your company? Bear in mind that routes out include CDs and DVDs, memory sticks (and these are often ‘disguised’ as MP3 players, iPods, phones, cameras etc) and email. You absolutely know that there’s no chance of anything being copied?
And, if there is a chance, do you have logging procedures in place, so you know who accessed what data, for what purpose and when? And do you have authority settings which prevent the wrong people getting hold of data they shouldn’t. And do you have enforced encryption of any sensitive data that leaves your own system?
Then we come to the human procedures. Despite HMRC having all manner of written procedures, these were ignored. Telling people what to do really isn’t enough. But at least make people aware of the rules and tell them what the consequences are of ignoring them, both in consequences of the data falling into the wrong hands and in terms of the impact on their employment.
Some American states have implemented a data breach notification law. Companies must notify anyone whose data has been compromised. This lays them open to lawsuits. Without such laws, it’s little wonder that a company’s natural instinct is to keep quiet and pray that nothing horrible will happen. But the EU is looking at similar regulations. Better to assume that they’re coming and plan accordingly.
The HMRC fiasco came about because someone, understandably, didn’t want to pay £5,000 to extract precisely the information the National Audit Office was after. Had they done this, they could have printed it in three inch high letters on a billboard, and no-one would have been compromised. If the CDs do fall into the wrong hands, the damage will run into hundreds of millions. Whoever it was that refused to cough up that £5k will live to rue the day.
Now, are you sure it couldn’t happen to you?
Related Posts
Posted in the following topics: Crime, IT, Regulation, Small Business Advice, Technology | 
| 
TrackBack address
More business podcasts
More blogs
More news
£5000 to extract just the required data? I would have thought it would have been a simple query. It might have taken a while to run or running the same report a few times with different criteria. It would have been easier to put a copy of the database in a non live system that whoever needed the data could connect to over a secure network. Suppose we have to be grateful that ID cards aren’t in place yet.
Comment by Phil Connolly — December 18, 2007 #
Lemme see now 25 million records, £5000. That would be a penny per 50 records processed. Seems reasonable to me. It’s how the bureaucratic mind is likely to work. And said bureaucrat would regard that as a lot of money without thinking about the risk involved should things go pear-shaped.
A non-live but secure copy with restricted access to columns makes a lot of sense.
Frankly, the more of these cock-ups (and the government slipped a few more under the wire yesterday) the better. With a bit of luck their incompetence will kill off an all-encompassing national ID database for good.
Comment by David Tebbutt — December 18, 2007 #
Breaches of security / privacy appear to be increasingly common. It’s a very alarming trend - whatever measures are in place to protect personal data don’t appear to be robust enough.
Comment by Joan Harrison — December 18, 2007 #
And these breaches are just the ones we hear about…
Comment by David Tebbutt — December 18, 2007 #