Posts Tagged ‘dpa’

Will a data breach harm your brand image?

Wednesday, October 1st, 2008

Virgin is a strong brand, so a welter of stories describing Virgin Media’s breach of the Data Protection Act, when it lost an unencrypted disc containing the details of some 3,000 customers, would not have been part of the PR strategy. As a result of a simple management failure – not requiring the encryption of all portable media that contain personal data – it now finds its name and brand logo alongside statements that Virgin Media has been guilty, ‘scolded’, ‘reprimanded’, ‘slammed’ and ‘rapped’ for inadequately protecting its customers’ data. Not a pretty outcome!

There is a simple way to avoid this sort of damage - encrypt all portable media! We wrote about this in our Data Breaches Report 2008 and, after the HMRC fiasco, one would have thought that all organisations would, at least, have carried out the encryption part of our recommendations.

Security breach ignorance

Monday, September 29th, 2008

I wish that I was surprised by Logica’s survey findings, that 57% of firms had ‘no understanding of the impact of a security breach on their organisation.’

And the sad fact is that, in a number of these ‘unaware’ organisations, the first that the board will know about their compliance shortfall will be when they’re hit with a ‘significant’ fine under the recent amendment to the Data Protection Act.

And that’s a pity, because DPA compliance really isn’t that hard: there are just 8 principles and, so long as the organisation tackles those 8 principles intelligently and constructively, it’s unlikely to find itself facing any breach proceedings. We’ve done what we can to make it easy for people to understand the size of the problem (our Data Breaches Report 2008), to get a straightforward understanding of the compliance requirements (our DPA Compliance pocket guide, written by DPA experts), to assess their current state of compliance and what steps to take (our DPA Compliance Assessment Tool) and we’ve even developed a DPA Compliance Toolkit that contains the key documentation for compliance.

But we can’t do that essential first step: care enough about the personal information of your staff, your customers and your suppliers to take adequate steps to meet your compliance obligations. Don’t wait until you’re staring down the barrel of an ICO enforcement notice before you take what will then be expensive and possibly disruptive steps to get a compliance regime into place as quickly as possible.

MOD Laptop ‘anomalies’ = systemic failure

Tuesday, July 29th, 2008

Search Security published this, on 29 July 2008:

Last week, the MoD was forced, in an answer to a parliamentary question, to admit that during the last four years, 658 of its laptops were stolen, and another 89 lost. Only 32 of the devices have been recovered. In addition, 121 USB memory sticks have been taken or misplaced since 2004, with 26 of the losses happening this year, including three that contained information classified as “secret” and 19 that were “restricted”.

What makes the news even more depressing is that earlier estimates of losses had put the scale of the problem much lower (at 347 laptops stolen between 2004 and 2007). Defence Secretary Des Browne explained that there had been “anomalies” in the earlier reporting process.

Of course, any organisation that can undercount the number of lost laptops over a three-year period by about 50% doesn’t actually have a functioning system for accounting for its laptops. A functioning system, in an organisation like the MOD, might have components like:

* Loss of any laptop treated as an information security incident;
* Centralised collation of reports of lost laptops;
* Regular physical checks on the continued existence and status of all laptops;
* Automated monthly online updates of all laptops that both ensure that laptops are not running illegitimate software, that all anti-malware software is up to date, and so on – and, of course, that the laptop is still active and authenticating correctly;
* Any failures in any of these checks should be reconciled with the physical check and the incident reports.
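One way to implement the reconciliation step in the list above, cross-checking the asset register, the automated check-ins, the incident reports and the physical check against each other. This is an added example, not code from the original post or from the MOD; the asset ids, dates and the 30-day check-in window are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample records (illustrative only, not MOD data): the asset
# register, the last automated online check-in per laptop, loss/theft
# incident reports, and the laptops seen during the last physical check.
ASSET_REGISTER = {"LT-001", "LT-002", "LT-003", "LT-004", "LT-005", "LT-006"}
LAST_CHECKIN = {
    "LT-001": date(2008, 7, 25),
    "LT-002": date(2008, 4, 2),
    "LT-003": date(2008, 7, 20),
    "LT-005": date(2008, 7, 28),
}
INCIDENTS = {"LT-003", "LT-004"}        # reported lost or stolen
PHYSICAL_AUDIT = {"LT-001", "LT-005"}   # seen during the last physical check
SAMPLE_TODAY = date(2008, 7, 29)        # assumed date of the reconciliation run


def reconcile(register, last_checkin, incidents, audit, today, max_silence_days=30):
    """Cross-check the four sources and return each class of discrepancy."""
    cutoff = today - timedelta(days=max_silence_days)
    # Silent: no check-in at all, or none within the permitted window.
    silent = {a for a in register
              if a not in last_checkin or last_checkin[a] < cutoff}
    unseen = register - audit
    return {
        # Silent, not seen physically, and nobody raised an incident:
        # the loss that never reaches the central count.
        "unreported_loss": sorted((silent & unseen) - incidents),
        # Reported lost but still authenticating: the device is in use
        # somewhere, so either the report or the enrolment record is wrong.
        "reported_lost_but_active": sorted(incidents - silent),
        # Reported lost, silent and absent: a loss the register agrees with.
        "confirmed_loss": sorted(incidents & silent & unseen),
        # Physically present but not checking in: not enrolled or not patched.
        "present_but_silent": sorted(audit & silent),
    }


def loss_counts(findings, incidents):
    """Compare the headline figure (incident reports) with the reconciled figure."""
    reported = len(incidents)
    reconciled = len(findings["confirmed_loss"]) + len(findings["unreported_loss"])
    return reported, reconciled


if __name__ == "__main__":
    findings = reconcile(ASSET_REGISTER, LAST_CHECKIN, INCIDENTS, PHYSICAL_AUDIT, SAMPLE_TODAY)
    for category, assets in findings.items():
        print(f"{category:26s} {assets}")
    print("reported vs reconciled losses:", loss_counts(findings, INCIDENTS))
```

On the sample data the incident reports alone give two losses while the reconciled figure is three, which is exactly the kind of undercount the post describes.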

If the MOD had any of these systems in place, it would at least know how many laptops it had lost. As it doesn’t know this (those ‘anomalies’) one’s conclusion must be that it simply hasn’t put in place systems that are adequate to this task. And if it hasn’t bothered even to make sure that it knows where its laptops actually are, how can it really be sure that all of those lost laptops are encrypted and that none of them have been used in a way that would breach data protection law or the security of the realm?

And what makes anyone certain that the more recent figure is any more correct than the earlier underestimate? How does the MOD know that actual laptop losses aren’t running into the thousands?

HMRC Data Loss – a shambles

Thursday, June 26th, 2008

Well, I did say, when the government blamed the HMRC data loss on the failure of some junior member of staff to observe the rules, that if the truth were ever to emerge, it would be that HMRC suffered from systemic failure to comply with the Data Protection Act (DPA).

Lo and behold, the Poynter report highlights serious institutional deficiencies at HMRC. No surprise there, then.

What is slightly more surprising, though, is the apparent determination of the government to give the Information Commissioner some real teeth. The recent Criminal Justice and Immigration Act brings in serious financial sanctions for organisations that recklessly breach the provisions of the DPA. As recent fines levied for the loss of laptops indicate, ‘serious’ can be in the order of £1 million – certainly serious by most measures.

And most organisations are going to find, when it comes down to it, that they developed DPA compliance policies and procedures when the threat of punitive action was just so much FUD – and these procedures are about to be found wanting. The first cases might be expected in Autumn this year.

That’s why we developed two tools – one is a tool for checking compliance with DPA, and the other is a DPA Compliance toolkit of templates and so on to help organisations ensure they do actually have the core policies and procedures in place.

But, even if you have the right procedures, the key will still be to get staff to comply – and that’s likely to be a real challenge for the allegedly morale-deficient HMRC!

Data loss – a call for Best Practice

Monday, April 14th, 2008

It is hard to get away from media stories about accidental losses of personal or confidential data – Government laptops stolen from a car, secret council files found in a skip, and so on. The latest strand to this story is the revelation last night on the excellent Donal MacIntyre programme (BBC Radio 5 Live on Sunday 13 April) that a council childcare worker recently lost confidential information about a child under his protection after popping into a bar for a drink. Download the programme podcast here.

Recently I’ve come across a different but equally worrying trend – the deliberate bypassing of formal security procedures by employees in companies with established security regimes. Our research found that a staggering 68 percent of employees admitted to breaching security controls in order to do their jobs. Are these people mad, bad or worse? Actually, the chances are that they are basically conscientious employees just trying to get their work done under trying circumstances. The greater culprit here is likely to be well-intentioned but misguided managers, who are putting in place unduly frustrating policies that strike the wrong balance between the security and availability of information.

Clearly, this points to a serious disconnect between the people who specify and police internal security systems, and the employees at the coalface who interface with them in their daily lives. If we are ever to make meaningful progress in the battle against identity theft and online fraud, there is a vital battle to be fought for the hearts and minds of staff.

Tomorrow we will publish a timely new insight into the state of data breaches worldwide and what organisations need to do about them. Data Breaches: Trends, Costs and Best Practices assesses the true state of today’s data breach environment; recognises the real, damaging trends that affect organisations and individuals; and identifies current and emerging best practices in controlling the risks and costs arising from inadequate data security. The report is aimed at executives, information security managers, risk managers, auditors, compliance managers, stakeholders and data controllers worldwide, i.e. it is for precisely the people who may be putting in place the policies that their employees are currently working around. If you or your organisation would benefit from reading this – and there are clearly many – you can find out more and purchase a copy here.

Not really fair, is it?

Thursday, November 22nd, 2007

The UK government claimed that the person who burnt the HMRC child benefit database to a disc and mailed it to the National Audit Office (NAO) was a relatively junior civil servant who had breached rules and would be subject to disciplinary action.

If this is true, it’s hardly fair, is it?

After all, this person was just trying to be helpful – a previous set of discs had already gone missing and the NAO really wanted the data (actually, they only wanted some of the data, but HMRC thought it was easier just to send the lot) – and, apparently, ‘senior management’ authorised the despatch. There’s no evidence that HMRC provided the level of training that would ensure that everyone inside the organization understood their individual responsibilities in respect of personal data; conversely, there does appear to be evidence that HMRC is systemically failing to comply with the Data Protection Act (see details of an even more recent data breach) AND, in spite of delaying the publication of this news by over a month, still couldn’t even get their story straight.

It’s only right that the Chairman of HMRC should have resigned. That’s not enough – systemic failures of this sort go right to the top of the organization, to the politician accountable to Parliament for its performance. However, it’s not clear that the current Chancellor of the Exchequer should go (although, if he can’t get to grips with this fiasco, he’ll have to go anyway) – after all, it was his predecessor that presided over the creation of the shambles that is now the HMRC.

And the Prime Minister, who was responsible for the creation of the ‘modern’ HMRC, has promised to spend a lot of money with PricewaterhouseCoopers for proposals to ensure this sort of thing doesn’t happen again.

Well, it doesn’t take a multi-million pound contract to get the answer to this question! The three things that must be done are:

1. Require all UK public sector organizations to achieve ISO/IEC 27001 – an independent, third party certificate that they have in place all the procedures – including staff training – necessary to secure such vital information;
2. Bring in a Data Breach Law requiring immediate notification of the breach, enabling criminal charges to be brought against organizations and, individually, top management, and providing for real compensation as a class for those affected by the breach;
3. Forget about the UK national ID card – it must be obvious to anyone by now that the risks associated with a database of this sort are just too great for HM Government to counter.

There – that saves the public purse a small fortune!

HMRC breaches DPA

Wednesday, November 21st, 2007

While one swallow might not make a summer, multiple breaches of one particular law (Information Commissioner: “we are already investigating two other breaches”) do rather suggest that the organization concerned has little interest in compliance with it.

Her Majesty’s Revenue and Customs (‘HMRC’) has, on a number of occasions, broken the law. Those involved in the breach, and their political masters who allowed it to happen, should be dismissed and prosecuted.

The law HMRC has broken is the Data Protection Act 1998 (‘DPA’). This is what DPA says: “Personal data shall not be processed unless…appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” (7th Principle).

The DPA provides explicit guidance on how to interpret this principle: “Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to—
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) the nature of the data to be protected.”

The data on the child benefit database (names, national insurance numbers, dates of birth, mother’s maiden names, bank account details, etc, of some 25 million people) is clearly personal data, and is clearly highly sensitive. The law therefore requires the Data Controller (in this case, HMRC) to take appropriate measures to ensure the security of the data. Even the most rudimentary of information security risk assessments would identify the danger of someone attempting to extract some or all of this data. Appropriate counter-measures should therefore, and rather obviously, include removal of any technical capability to ‘burn the database to a disc’. The supervisory failure that allowed a junior member of staff to export this data to a disc and then mail it, unencrypted, outside the organization is merely symptomatic of a deeper failure to make any effort whatsoever to comply with the DPA.

It seems to me that the time has come, not only for executives and ministers to be dismissed and prosecuted, but for two other steps:
1. All public sector organizations that deal with personal data should be required to achieve certification to the international information security standard ISO/IEC 27001 – and should be given no more than two years to complete certification;
2. The UK now needs a data breach law that brings significant financial penalties and criminal charges against those – from the top of the organization down – who fail to take security measures appropriate to the nature of the personal data being protected.

Insecure UK Companies

Thursday, October 26th, 2006

If UK companies are still struggling to get to grips with the Data Protection Act (1998), then just think how far they still have to go to get to grips with the rest of their data security requirements!

UK Prison terms for personal data abuse

Friday, August 18th, 2006

Now’s a good opportunity to add your views to the consultation around handing out prison terms to employees who knowingly breach the Data Protection Act – remembering that, while strengthening the law is probably a good idea, the absence of adequate resources for investigating possible breaches and pursuing and then prosecuting those who break the law will simply create yet more red tape for those companies who behave properly anyway, without doing anything meaningful to reduce data abuse.