Alan Calder on IT Governance, information security & ISO 27001

Well, I did say, when the government blamed the HMRC data loss on the failure of some junior member of staff to observe the rules, that if the truth were ever to emerge, it would be that HMRC suffered from systemic failure to comply with the Data Protection Act (DPA).

Lo and behold, the Poynter report highlights serious institutional deficiencies at HMRC. No surprise there, then.

What is slighly more surprising, though, is the apparent determination of the government to give the Information Commissioner some real teeth. The recent Criminal Justice and Immigration Act brings in serious financial sanctions for organisations that recklessly breach the provisions of the DPA. As recent fines levied for the loss of laptops indicate, ‘serious’ can be in the order of £1 million – certainly serious by most measures.

And most organisations are going to find, when it comes down to it, that they developed DPA compliance policies and procedures when the threat of punitive action was just so much FUD – and these procedures are about to be found wanting. The first cases might be expected in Autumn this year.

That’s why we developed two tools – one is a tool for checking compliance with DPA, and the other is a DPA Compliance toolkit of templates and so on to help organisations ensure they do actually have the core policies and procedures in place.

But, even if you have the right procedures, the key will still be to get staff to comply – and that’s likely to be a real challenge for the allegedly morale-deficient HMRC!

I read in ComputerWeekly that the House of Lords Science & Technology Committee is to re-open its inquiry into e-crime and the security of personal data, apparently due to the Government’s “vacuous, idle and irrelevant” response to its initial recommendations.

I am dismayed that, after what was a well considered report, so little has been done by this Government. It is at least a little heartening that their Lordships are not mincing their words about their disapproval. Perhaps this time we may see a little more action as a result? – I wonder. Time will tell, but one would think that the spate of data loss disasters, most notably the HMRC lost discs fiasco, would give the Government ample incentive to finally stop sitting on its hands.

As I wrote at the time of the Committee’s first report, ISO27001 needs to lie at the heart of the Government’s response to this challenge. It is high time that our our political leaders put their money where their mouths are and made the Standard compulsory across all departments.

The UK government claimed that the person who burnt the HMRC child benefit database to a disc and mailed it to the National Audit Office (NAO) was a relatively junior civil servant who had breached rules and would be subject to disciplinary action.

If this is true, it’s hardly fair, is it?

After all, this person was just trying to be helpful – a previous set of discs had already gone missing and the NAO really wanted the data (actually, they only wanted some of the data, but HMRC thought it was easier just to send the lot) – and, apparently, ‘senior management’ authorised the despatch. There’s no evidence that HMRC provided the level of training that would ensure that everyone inside the organization understood their individual responsibilities in respect of personal data; conversely, there does appear to be evidence that HMRC is systemically failing to comply with the Data Protection Act (see details of an even more recent data breach) AND, in spite of delaying the publication of this news by over a month, still couldn’t even get their story straight.

It’s only right that the Chairman of HMRC should have resigned. That’s not enough – systemic failures of this sort go right to the top of the organization, to the politician accountable to Parliament for its performance. However, it’s not clear that the current Chancellor of the Exchequer should go (although, if he can’t get to grips with this fiasco, he’ll have to go anyway) – after all, it was his predecessor that presided over the creation of the shambles that is now the HMRC.

And the Prime Minister, who was responsible for the creation of the ‘modern’ HMRC, has promised to spend a lot of money with PricewaterhouseCoopers for proposals to ensure this sort of thing doesn’t happen again.

Well, it doesn’t take a multi-million pound contract to get the answer to this question! The three things that must be done are:

1. Require all UK public sector organizations to achieve ISO/IEC27001 – an independent, third party certificate that they have in place all the procedures – including staff training – necessary to secure such vital information;
2. Bring in a Data Breach Law requiring immediate notification of the breach, enabling criminal charges to be brought against organizations and, individually, top management, and providing for real compensation as a class for those affected by the breach;
3. Forget about the UK national ID card – it must be obvious to anyone by now that the risks associated with a database of this sort are just too great for HM Government to counter.

There – that saves the public purse a small fortune!

While one swallow might not make a summer, multiple breaches of one particular law (Information Commissioner: “we are already investigating two other breaches”) do rather suggest that the organization concerned has little interest in compliance with it.

Her Majesty’s Revenue and Customs (‘HMRC’) has, on a number of occasions, broken the law. Those involved in the breach, and their political masters who allowed it to happen, should be dismissed and prosecuted.

The law HMRC has broken is the Data Protection Act 1998 (‘DPA’). This is what DPA says: “Personal data shall not be processed unless…appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” (7th Principle).

The DPA provides explicit guidance on how to interpret this principle: “Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to—
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) the nature of the data to be protected.”

The data on the child benefit database (names, national insurance numbers, dates of birth, mother’s maiden names, bank account details, etc, of some 25 million people) is clearly personal data, and is clearly highly sensitive. The law therefore requires the Data Controller (in this case, HMRC) to take appropriate measures to ensure the security of the data. Even the most rudimentary of information security risk assessments would identify the danger of someone attempting to extract some or all of this data. Appropriate counter-measures should therefore, and rather obviously, include removal of any technical capability to ‘burn the database to a disc’. The supervisory failure that allowed a junior member of staff to export this data to a disc and then mail it, unencrypted, outside the organization is merely sympomatic of a deeper failure to make any effort whatsoever to comply with the DPA.

It seems to me that the time has come, not only for executives and ministers to be dismissed and prosecuted, but for two other steps:
1. All public sector organizations that deal with personal data should be required to achieve certification to the international information security standard ISO/IEC 27001 – and should be given no more than two years to complete certification;
2. The UK now needs a data breach law that brings significant financial penalties and criminal charges against those – from the top of the organization down – who fail to take security measures appropriate to the nature of the personal data being protected.

Not a sentiment you will often hear. However, Her Majesty’s Revenue & Customs (HMRC) has been rightly applauded over the matter of a stolen laptop. Not for the actual theft, of course, but for the security measures the laptop contained (password protection and ‘powerful’ encryption software) and, in particular, HMRC’s openness and honesty in coming clean about the incident quickly.

The potential loss of one’s personal data is a serious concern, so it is vital that anyone affected gets to hear about the event as quickly as possible. Full marks to the taxmen for their professional conduct and to Silicon.com for its Full Disclosure campaign, which is putting some welcome and well directed pressure on the government.