Alan Calder on IT Governance, information security & ISO 27001

As the UK enters its new age of austerity, with public sector organisations finding draconian budget cuts, one must fear that citizens’ personal data will be increasingly at risk. The UK public sector (led by the NHS) has never been that amazingly good at protecting personal and sensitive information, as newspaper articles and the Information Commissioner’s website regularly attest.

The ICO has just taken enforcement action against three councils who failed to protect personal information, including information about children. The council’s failings were all pretty standard: unencrypted USB sticks, unencrypted laptops, inadequate staff training and inadequate supervision. These are all relatively simple - if costly - to remedy; the basics - essential DPA policies and procedures should all of course be in place already.

What still seems to be missing, though, is a real committment, on the part of public authorities, to taking the business of data protection seriously - I guess that we’ll actually need to see a series of £500k fines being levied before we see the majority of organisations raising their game on the field of protecting their citizens.

The Information Commissioner’s Office (ICO) has received over 1,000 reports of data breaches or losses since it was set up, and has issued a stern reminder that organisations must ensure that data is well protected. The biggest culprit is the NHS. The ICO’s Security Breaches Report shows the breakdown of breaches.

As we’ve said on our website (Data Protect Act Penalties), sooner or later the ICO will start levying fines for egregious breaches of the DPA - it would make sense to get one’s DPA compliance house in order before that happens, wouldn’t it? Simply buying and using the tools in our DPA Compliance Toolkit would prepare most organisations to face the worst!

I wish I was surprised that most staff of most companies are not aware of the new penalties available to the ICO in respect of reckless breaches of the DPA. Of course, there may be an argument that most staff in most companies don’t need to be aware, because their organisations are already in complete compliance with the DPA. I would be surprised, though…..

Anyway, we just launched a set of staff awareness posters, specifically to help with raising staff awareness around specific Data Protection Act issues. We hope they help improve awareness of critical responsibilities around protecting personal data and preventing identity theft.

The Data Protection Act (’DPA’) in the UK is a cornerstone of IT and information-related legislation. It applies to all organisations that collect or hold information about living individuals. Most organisations would claim that they comply with the DPA. The reality is that many don’t - over 800 organisations have reported data breaches in just the last two years - and as, reporting data breaches is not a legal requirement, it is likely that there have been many more breaches similar to those described here, but which have been ’swept under the carpet.’

The Information Commissioner (ICO) will, from 6 April 2010, have the power to levy fines of up to £500k for serious breaches of the DPA. Which organisations will suffer the first fines?

For all organisations, the choice is clear and straightforward: continue with shoddy data protection practices and face potentially significant financial penalties, plus the wide spread press coverage that will attend such a fine, or take steps to improve those practices. There is, in fact, a good business case to make for doing exactly that. The ICO has just published The Privacy Dividend, which describes how to make the business case for the necessary investment and even includes - for free - all the documentation that an organisation might use as part of that business case.

Penalty or dividend? 

It shouldn’t be a hard choice, should it?

One of the key problems faced by organisations that want to comply with the Data Protection Act is that the DPA doesn’t contain any detailed guidance on compliance - in essence, it is just a set of 8 principles. And the worst principle from a compliance perspective is Principle 7, which requires organisations to make appropriate technical and administrative arrangements to protect personal information. What is appropriate? And how would you prove it? For some years, ISO/IEC 27001 certification has been the most effective way of demonstrating DPA compliance, but the read across between the two standards is not that precise.

BS10012 (Data Protection: Specification for a Personal Information Management System), on the other hand, is a standard that is specifically written to meet DPA compliance needs. It is written as a specification (in other words, audits can be conducted against the standard and there is talk of a certification scheme) and it deals specifically and completely with the requirements of the DPA. It has just been published and every organisation that has personal information to protect should

1. Buy a copy, and compare actual practices with those described in the standard and,
2. Consider improving actual practices so that they conform to those described in the standard.

Here’s a link where you can get your own copy: http://www.itgovernance.co.uk/products/2542

I did a presentation earlier this week at NITES, in Ireland.  My topic was data protection and governance. I took the opportunity to make a number of linked points:

1. We already have data protection legislation in the EU and US;
2. These regulations don’t have any real teeth;
3. Most company boards - particularly  in the financial sector - and public sector managements simply don’t care about data security - there are no rewards for doing a good job and no meaningful penalties for failure;
4. The Health and Safety Executive in the UK has a budget and staffing levels about 20 times higher than does the Information Commissioner, as well as powers to inspect and fine, so it’s hardly surprising that health and safety regulation shows progress and data protection doesn’t (remember, too, that our ICO’s tiny budget, the majority of which is provided by company registration fees, has to cover DPA compliance as well as FOI and Environmental Regulation compliance!) 
5. We care more about people using mobile phones while driving than we do about companies losing thousands/millions of sensitive personal records - we jail people for sending text messages while driving but do nothing about company directors whose reckless disregard of data protection regulations endangers the financial future of vast numbers of ordinary consumers;
6. It’s time for data security to be given proper emphasis - by which I mean custodial sentences for CEOs and senior civil servants whose organisations recklessly disregard the DPA - with ‘reckless disregard’ having characteristics like unencrypted laptops or USB sticks and failure to conform to BS10012 (when it is finalised and launched),
7. We also need a pan-European data breach directive, that requires companies who fail to protect personal data to meet in full the costs of restitution for those affected as well as paying substantial financial penalties (and, possibly, jail time for directors - see my earlier point).
8. It’s time for us, the consumers whose personal data is so regularly abused, to start demanding - through all the channels open to us - that our elected representatives start taking this subject seriously and enact legislation that will actually have teeth, and commit the level of financial support that will enable those teeth to bite.

You are welcome to download a copy of my NITES presentation: nites-feb-09.

I’ve been of the view, for some time, that effective corporate information security will only come to pass when company directors are prosecuted, fined and jailed for failures to implement and maintain effective information security management systems.

Here are two stories that rather illustrate the point:

• Companies not evaluating security policies efficiently (if at all)
• Companies mostly unprepared to prevent data leaks over email

And it’s all actually quite straightforward - implement ISO27001, obey the Data Protection Act, and have happy customers, staff and regulators!

I think it’s a great pity - but clearly unavoidable - that the FSA has arrived at the view that it will have to fine individual board-level executives of retail banks if it is to get them to take adequate measures to protect customers’s information. I think this is excellent news - particularly the clear statement that ‘FSA wants to avoid executives palming off overall security responsibilities onto the IT department. Chief executives, compliance officers and board-level IT directors could all be held responsible.’

One would have thought that banks might have spotted that protecting customer information might be a fundamental part of customer care in this identity-theft age but, then again, I guess we might have expected banks to have spotted that it might not make sense to lend someone of limited income 130% of the already-inflated value of a house. 

A number of UK banks have been - or are about to be - taken into public ownership. The UK government doesn’t exactly have a great track record (eg HMRC, MOD, etc) when it comes to protecting personal data, either. So we have to hope that the FSA will have the courage to fine the government-appointed directors of nationalised banks where they fail to ensure their organisation takes adequate steps to protect personal data - or the protection of personal data in the UK will just become even more difficult.

When financial markets appear to be in free fall, many organisations might think that data protection is the least of their worries. Who cares, they might wonder, about protecting personal data if tomorrow we might not exist any more? (And, from what we’ve seen over the last few weeks, the ‘might not exist tomorrow’ possibility should be a very real planning scenario for all but the world’s best-capitalised banks).

Well, in the UK, the Information Commissioner is unlikely to cease caring - already identified as “setting the political and administrative agendas for the protection of personal data in this century in the UK” and for “firmly disciplining politicians, civil servants, the media and business folk into line”, he’s unlikely to allow data protection to take a back seat at exactly the moment that spammers are expected to take advantage of bank buyouts to launch new phishing scams.

However, we’re talking here about banks who were unable to identify or adequately manage some rather more obvious risks to their business (like, if you lend someone 130% of the value of his collateral, and if his current cashflow is insufficient to pay the interest let alone repay the principle, how do you expect to survive?) than those around personal data. So, if you’re a bank customer, it might not be wise to hope that, in the midst of all this turmoil, your personal data will be adequately protected. The facts speak for themselves: US organisations are on track to report at least 680 data breaches by the end of 2008, affecting more than 30 million records.

It is clearly the case that, with personal data, one can only rely on oneself to protect it!

Apparently, we’re today kicking off the UK National Identity Fraud Prevention Week - and research for RSA reveals wide-spread disbelief (as in, 90% of Britons) that their personal data are safe with banks and retailers, and half the people think that not enough is done to protect these personal details.

That’s better than I thought! Let me explain: in today’s insecure world, everyone has to be concerned about his or her own personal data - this is a critical personal asset that needs safeguarding. And, for far too long, people have simply not been adequately concerned about this issue. Clearly, this is changing - let’s hope that, as more people learn about the poor care exercised by data controllers in the UK, they get better at insisting that adequate steps are taken - and voting with their feet where they are dissatisfied with the standard of care. 

From an organisational point of view, of course, it’s not hard to respond to the findings of this research - take adequate steps, today, to comply with the Data Protection Act in the UK, or whatever data protection legislation applies in your business jurisdiction. If you accept payment cards, PCI DSS compliance should be a given. And, for every organisation, ISO27001 is the best practice standard for securing information - and this week would be a good week to get started on an ISO27001 project!