Opinion: Data securityWho's losing your personal data?Richard Stone, Credant Technologies The loss of CDs by UK Revenue and Customs containing the personal information of 25 million UK citizens has rightly caused a public outcry. The real question that the British people should be asking, however, is: “Who else has lost my data that I haven’t been told about?” Organisations of all sizes, including local and national government, hold huge amounts of personal information on virtually every individual in the UK, yet amazingly, there are no laws to force them to either protect that information (such as by encryption) or to tell you if your information gets lost or stolen. Make no mistake about this: ever since the first credit card number was put on the first laptop computer or CD, companies have been losing your information and just simply not telling you. It is a sad fact of economic life in the UK that it is cheaper for a company to say nothing and do nothing if they lose Joe Public’s private information, rather than doing the right thing — ensure that all the data is encrypted, or telling consumers if there’s a risk that their private data could have got into the wrong hands. The situation in the US today is very different. Following some very high-profile data thefts, many States have now enacted so-called “data breach notification” legislation (1). Put simply, this legislation says that if you lose customers’ personal identifiable information (social security numbers, credit card numbers, driving licence numbers, etc) and it wasn’t encrypted, then you must notify everyone who’s likely to be affected. Many States have also included additional consumer protection, such as one year’s free credit-monitoring services to protect against possible identity theft. The US federal government — immune from state legislation — has also mandated strict data security standards for itself. Following an incident similar to the HMRC in mid-2006, President
Bush issued a mandate that all government departments must implement
data encryption, with no exceptions (2). The net effect of US legislation has been to change the economic balance of data security. Now it’s cheaper to implement a good data security solution (ie encrypt the data) than to bear the cost of a data breach notification. The figures speak for themselves. When items such as credit monitoring are added in, it’s estimated that the average cost of a breach notification following the loss of unencrypted data is in the region of $90-$140 per customer record (3). So, if the loss involved 100,000 customers, this will typically cost a company on average about $11.6m. What’s the cost of a good data-security solution to avoid this in the first place? Much, much less than that! US legislation hasn’t stopped data theft, any more than burglaries have been stopped by property laws. What it has done is to provide insurance for affected consumers by forcing companies and the government to either protect consumers’ data, or come clean when they lose it so consumers can get the protection they deserve. It has also put the spotlight on companies who fail to protect consumers, as these breaches are now tracked by a number of public websites (4). The UK government should follow the US’ lead: it should enact legislation to protect consumers against the horrors of data theft and the subsequent risk of identity theft. If nothing else comes out of the HMRC incident, then just let this be a lesson learned the hard way! Richard Stone, VP Marketing, CREDANT Technologies References 1. www.ncsl.org/programs/lis/cip/priv/breach.htm 2. Executive Office of the President, Office of Management and
Budget. Protection of Sensitive Agency Information. Washington, June
23, 2006. M-06-16. Listed on:
www.whitehouse.gov/omb/memoranda/2006.html |
|||
|
|
|||