The latest amendment to the Data Protection Act, which came into effect on 6 April 2010, means that the Information Commissioner's Office (ICO) can now impose a fine of up to £500,000 on organisations that seriously breach the Act, for example by losing personal data. With the ICO announcing at the end of May 2010 that over 1,000 data breaches had been reported to it since November 2007, most of them due to lost or stolen devices, surely now is the time for businesses to take the initiative and avoid the wrath of the ICO.
This article will outline why the new ICO powers offer an opportunity for businesses and government to get a better understanding of how employees access and store data, and to tackle nagging holes in processes and data protection. It will also explain why, if you don't, human error means you should already be planning the date of your organisation's time in the ICO spotlight.
The best business case in years (and not just for IT)
Whenever change is forced upon an industry it is never welcomed with open arms. So it hasn't surprised me that the new measures put in place by the ICO have left many organisations frustrated, claiming the guidelines are vague and that this is just another revenue opportunity for government. Even some IT security journalists I've spoken with have echoed this criticism, claiming the ICO guidance doesn't offer the insight needed to understand what criteria the ICO will use when assessing incidents of data loss.
However, I believe that energy and attention are being focused in the wrong place. Obviously the fact that the Commissioner can decide the level of the fine, depending on the size and financial means of the organisation and the severity of the breach, is a major concern. But how can the government, or for that matter business, look at over 1,000 data breaches and not take action?
For any organisation to run efficiently, whether in terms of data protection, worker productivity or staying within budget, it must have a clear picture of how employees access and store data. With every risk management metric indicating that a breach will occur, the new consequences of a data breach provide the business justification to reassess the measures currently in place and set the right policies internally. Ignoring the facts or opting for the cheapest IT security option won't work for much longer.
The inevitability of human error and the right equation to deal with it
Since the ICO powers were announced, I've spoken with many customers and people within the IT security industry to gauge their feelings. The overriding response has been that the threat of fines will result in an unnecessary drain on already stretched IT security budgets. In fact, some feel suckered, having invested in technologies that have now been shown to be not so invincible, and in others that lack the documentation needed to fend off breach claims. For example, a major concern is how companies can prove to the ICO that data lost on devices they perceive to be secure has not been, and cannot be, accessed: in practice that means evidence such as records showing that a lost laptop had full-disk encryption enabled at the time it went missing, not just a policy saying it should have. This concern highlights the bigger issue: businesses must now implement controls and processes that provide an audit trail for their data, so that if a loss does occur the business can demonstrate that the data has not been compromised.
Whilst these concerns about data loss and data breach may affect the level of fine the ICO imposes, they reinforce the struggle most organisations have with how employees access and store data. It is also the reason we've been asked by so many organisations to help them build in the right processes without sapping the life out of worker productivity and IT budgets. Consumerisation, the cloud and many a trip to Dixons by staff make data security a complex animal, with employees able to access and store data from many more locations and on a myriad of devices. It's no wonder, then, that the leading cause of data breaches in the UK is a lost or stolen storage device.
Of course, the threat of a fine and the consequences of a breach are not, by themselves, going to make employees think or act differently about data security. There is no doubt the consumerisation of IT has brought many benefits, but it has led to a huge increase in the number of points from which employees can access and store data. The reality is that employees have more opportunities than ever before for human error to result in data loss or breach. And whilst training and awareness are important, the lost bag or stolen car will still occur. With recent Ponemon research putting the average cost of a data breach in the UK at £1.68 million, it's unthinkable that you would leave the security of company data, corporate reputation and ultimately the cash in the company bank account in escrow waiting for the next mishap.
How many laptops, storage devices and other IT assets are reported lost in your organisation each year? You don't need a fortune teller to know these losses will happen again and again. With the probability effectively 100%, if you have any doubts about your data protection efforts, tell your executives to prepare for a breach, the publicity and the fines, and to prepare soon.
On the other hand, the business case driven by this risk-based approach is the right way to push ahead with reworking and baking in the right security and data protection measures. Specifically, it's clear you don't just need to protect data with the right security controls; you need to know they're working too. Not being able to make a clear and demonstrable argument to a regulator, whether the ICO, the FSA or others, is no longer an option. And with David Smith, Deputy Commissioner at the ICO, talking up the idea of codified data breach notification, expect the demands for proof only to increase.
Where to next
Although I've no doubt that many would rather the new powers hadn't come to fruition, I truly believe that now is the time to bring your risk-based plan to tackle the nagging data protection holes in your organisation to management. The near-term investment in pausing to work in the right controls and audits will undoubtedly deliver long-term business benefits. Ask for the opportunity to build things the right way: not just for data security but also for productivity and flexibility. The business case is here now; take the opportunity. Before you start planning the solution, and even if you did so over six months ago, I'd advise you to audit all of your data access and data storage points.
Once you know what you need to protect, how employees prefer to access data, and the latest business processes, you can take the lead in devising the next steps: data protection that is built in, auditable, and with the flexibility employees are clamouring for.