Alan Calder on IT Governance, information security & ISO 27001

As the UK enters its new age of austerity, with public sector organisations finding draconian budget cuts, one must fear that citizens’ personal data will be increasingly at risk. The UK public sector (led by the NHS) has never been that amazingly good at protecting personal and sensitive information, as newspaper articles and the Information Commissioner’s website regularly attest.

The ICO has just taken enforcement action against three councils who failed to protect personal information, including information about children. The council’s failings were all pretty standard: unencrypted USB sticks, unencrypted laptops, inadequate staff training and inadequate supervision. These are all relatively simple – if costly – to remedy; the basics – essential DPA policies and procedures should all of course be in place already.

What still seems to be missing, though, is a real committment, on the part of public authorities, to taking the business of data protection seriously – I guess that we’ll actually need to see a series of £500k fines being levied before we see the majority of organisations raising their game on the field of protecting their citizens.

The Data Protection Act (‘DPA’) in the UK is a cornerstone of IT and information-related legislation. It applies to all organisations that collect or hold information about living individuals. Most organisations would claim that they comply with the DPA. The reality is that many don’t – over 800 organisations have reported data breaches in just the last two years – and as, reporting data breaches is not a legal requirement, it is likely that there have been many more breaches similar to those described here, but which have been ‘swept under the carpet.’

The Information Commissioner (ICO) will, from 6 April 2010, have the power to levy fines of up to £500k for serious breaches of the DPA. Which organisations will suffer the first fines?

For all organisations, the choice is clear and straightforward: continue with shoddy data protection practices and face potentially significant financial penalties, plus the wide spread press coverage that will attend such a fine, or take steps to improve those practices. There is, in fact, a good business case to make for doing exactly that. The ICO has just published The Privacy Dividend, which describes how to make the business case for the necessary investment and even includes – for free – all the documentation that an organisation might use as part of that business case.

Penalty or dividend? 

It shouldn’t be a hard choice, should it?

I’ve been of the view, for some time, that effective corporate information security will only come to pass when company directors are prosecuted, fined and jailed for failures to implement and maintain effective information security management systems.

Here are two stories that rather illustrate the point:

• Companies not evaluating security policies efficiently (if at all)
• Companies mostly unprepared to prevent data leaks over email

And it’s all actually quite straightforward – implement ISO27001, obey the Data Protection Act, and have happy customers, staff and regulators!

When financial markets appear to be in free fall, many organisations might think that data protection is the least of their worries. Who cares, they might wonder, about protecting personal data if tomorrow we might not exist any more? (And, from what we’ve seen over the last few weeks, the ‘might not exist tomorrow’ possibility should be a very real planning scenario for all but the world’s best-capitalised banks).

Well, in the UK, the Information Commissioner is unlikely to cease caring – already identified as “setting the political and administrative agendas for the protection of personal data in this century in the UK” and for “firmly disciplining politicians, civil servants, the media and business folk into line”, he’s unlikely to allow data protection to take a back seat at exactly the moment that spammers are expected to take advantage of bank buyouts to launch new phishing scams.

However, we’re talking here about banks who were unable to identify or adequately manage some rather more obvious risks to their business (like, if you lend someone 130% of the value of his collateral, and if his current cashflow is insufficient to pay the interest let alone repay the principle, how do you expect to survive?) than those around personal data. So, if you’re a bank customer, it might not be wise to hope that, in the midst of all this turmoil, your personal data will be adequately protected. The facts speak for themselves: US organisations are on track to report at least 680 data breaches by the end of 2008, affecting more than 30 million records.

It is clearly the case that, with personal data, one can only rely on oneself to protect it!

Apparently, we’re today kicking off the UK National Identity Fraud Prevention Week – and research for RSA reveals wide-spread disbelief (as in, 90% of Britons) that their personal data are safe with banks and retailers, and half the people think that not enough is done to protect these personal details.

That’s better than I thought! Let me explain: in today’s insecure world, everyone has to be concerned about his or her own personal data – this is a critical personal asset that needs safeguarding. And, for far too long, people have simply not been adequately concerned about this issue. Clearly, this is changing – let’s hope that, as more people learn about the poor care exercised by data controllers in the UK, they get better at insisting that adequate steps are taken - and voting with their feet where they are dissatisfied with the standard of care. 

From an organisational point of view, of course, it’s not hard to respond to the findings of this research – take adequate steps, today, to comply with the Data Protection Act in the UK, or whatever data protection legislation applies in your business jurisdiction. If you accept payment cards, PCI DSS compliance should be a given. And, for every organisation, ISO27001 is the best practice standard for securing information – and this week would be a good week to get started on an ISO27001 project!

Virgin is a strong brand, so a welter of stories describing Virgin Media’s breach of the Data Protection Act, when it lost an unencrypted disc containing the details of some 3,000 customers, would not have been part of the PR strategy. As a result of a simple management failure – not requiring the encryption of all portable media that contain personal data – it now finds its name and brand logo alongside statements that Virgin Media has been guilty, ‘scolded, ‘reprimanded‘, ‘slammed‘ and ‘rapped‘ for inadequately protecting its customers’ data. Not a pretty outcome!

There is a simple way to avoid this sort of damage - encrypt all portable media! We wrote about this in our Data Breaches Report 2008 and, after the HMRC fiasco, one would have thought that all organisations would, at least, have carried out the encryption part of our recommendations.

Lots of organisations think they don’t need to worry about theft of credit card data. I don’t know why. Payment card data theft is now big business – the level of professionalism available in this industry includes the development of bespoke software supported by an extremely efficient helpdesk and you don’t usually get this level of specialization until the industry is starting to mature.

Apart from the interesting fact that darkside helpdesks appear to be more efficient than many over on this side, you have to wonder why every organisation that accepts payment card data isn’t already at least PCI DSS compliant? Why hasn’t the PCI Security Council already come up with some form of ‘PCI DSS Compliant’ badge and certification scheme so that paying customers can concentrate all their business on the websites and businesses of those organisations that have actually bothered to do what it takes to protect their card holder data?

Well, I did say, when the government blamed the HMRC data loss on the failure of some junior member of staff to observe the rules, that if the truth were ever to emerge, it would be that HMRC suffered from systemic failure to comply with the Data Protection Act (DPA).

Lo and behold, the Poynter report highlights serious institutional deficiencies at HMRC. No surprise there, then.

What is slighly more surprising, though, is the apparent determination of the government to give the Information Commissioner some real teeth. The recent Criminal Justice and Immigration Act brings in serious financial sanctions for organisations that recklessly breach the provisions of the DPA. As recent fines levied for the loss of laptops indicate, ‘serious’ can be in the order of £1 million – certainly serious by most measures.

And most organisations are going to find, when it comes down to it, that they developed DPA compliance policies and procedures when the threat of punitive action was just so much FUD – and these procedures are about to be found wanting. The first cases might be expected in Autumn this year.

That’s why we developed two tools – one is a tool for checking compliance with DPA, and the other is a DPA Compliance toolkit of templates and so on to help organisations ensure they do actually have the core policies and procedures in place.

But, even if you have the right procedures, the key will still be to get staff to comply – and that’s likely to be a real challenge for the allegedly morale-deficient HMRC!

I read in ComputerWeekly that the House of Lords Science & Technology Committee is to re-open its inquiry into e-crime and the security of personal data, apparently due to the Government’s “vacuous, idle and irrelevant” response to its initial recommendations.

I am dismayed that, after what was a well considered report, so little has been done by this Government. It is at least a little heartening that their Lordships are not mincing their words about their disapproval. Perhaps this time we may see a little more action as a result? – I wonder. Time will tell, but one would think that the spate of data loss disasters, most notably the HMRC lost discs fiasco, would give the Government ample incentive to finally stop sitting on its hands.

As I wrote at the time of the Committee’s first report, ISO27001 needs to lie at the heart of the Government’s response to this challenge. It is high time that our our political leaders put their money where their mouths are and made the Standard compulsory across all departments.

The UK government claimed that the person who burnt the HMRC child benefit database to a disc and mailed it to the National Audit Office (NAO) was a relatively junior civil servant who had breached rules and would be subject to disciplinary action.

If this is true, it’s hardly fair, is it?

After all, this person was just trying to be helpful – a previous set of discs had already gone missing and the NAO really wanted the data (actually, they only wanted some of the data, but HMRC thought it was easier just to send the lot) – and, apparently, ‘senior management’ authorised the despatch. There’s no evidence that HMRC provided the level of training that would ensure that everyone inside the organization understood their individual responsibilities in respect of personal data; conversely, there does appear to be evidence that HMRC is systemically failing to comply with the Data Protection Act (see details of an even more recent data breach) AND, in spite of delaying the publication of this news by over a month, still couldn’t even get their story straight.

It’s only right that the Chairman of HMRC should have resigned. That’s not enough – systemic failures of this sort go right to the top of the organization, to the politician accountable to Parliament for its performance. However, it’s not clear that the current Chancellor of the Exchequer should go (although, if he can’t get to grips with this fiasco, he’ll have to go anyway) – after all, it was his predecessor that presided over the creation of the shambles that is now the HMRC.

And the Prime Minister, who was responsible for the creation of the ‘modern’ HMRC, has promised to spend a lot of money with PricewaterhouseCoopers for proposals to ensure this sort of thing doesn’t happen again.

Well, it doesn’t take a multi-million pound contract to get the answer to this question! The three things that must be done are:

1. Require all UK public sector organizations to achieve ISO/IEC27001 – an independent, third party certificate that they have in place all the procedures – including staff training – necessary to secure such vital information;
2. Bring in a Data Breach Law requiring immediate notification of the breach, enabling criminal charges to be brought against organizations and, individually, top management, and providing for real compensation as a class for those affected by the breach;
3. Forget about the UK national ID card – it must be obvious to anyone by now that the risks associated with a database of this sort are just too great for HM Government to counter.

There – that saves the public purse a small fortune!