A mid-winter blizzard of privacy breaches is blowing through Britain's public sector, undermining confidence in government and chilling private sector executives who fear their companies might be the next to suffer.

The transport ministry earlier this month admitted it had lost personal information relating to more than three million learner drivers, a month after the Revenue and Customs agency revealed it had mislaid 25 million people's personal data in the post. It later emerged that nine National Health Service trusts had mislaid information on hundreds of thousands of patients.

Richard Thomas, UK information commissioner, says he has also received numerous anonymous confessions of problems, many of them from companies that have suffered privacy breaches and are anxious not to do so again.

The embarrassing disclosures are far more than a parochial tale of British institutional incompetence. Rather, they highlight a global problem: as information is collected more easily, put to more sophisticated uses and shared more widely, breaches of the rules have become both more common and more likely to be serious. The loss of learner-driver data on a computer disc by a subsidiary of Pearson, owner of the Financial Times, from its worldwide data store in Iowa, is an instance of the increasing international cooperation between companies and governments. But is privacy regulation in danger of slipping beyond citizens' control?

Quentin Archer, a partner at Lovells, the law firm, says the privacy breaches in Britain and elsewhere show how data protection is an international problem that is likely to grow as businesses and public agencies share more and more information. He says: "Individuals have a right to be concerned about what's happening - and they have a right to require governments and companies to adopt and enforce proper standards of security."

Last month's Revenue case - one of the world's largest single losses of confidential information ever to become public - is exemplary of the growing anxiety. The Revenue lost two CDs that included people's addresses, bank account details and national insurance numbers. The CDs' disappearance - which triggered the resignation of Paul Gray, Revenue head - has created a potential goldmine for fraudsters. Richard Archdeacon, a director of Symantec Global Services, the virus and internet security protection company, says the Revenue case will prove a "tipping point" for the way companies and government deal with data loss.

One reason the case has sent such a shiver of panic through executives as well as bureaucrats is that they know Gray's predicament could easily have been their own. Indeed, there have been even larger data disasters in the private sector. They include the 2003 theft of 92 million email records from AOL, the internet company, and the illegal access last year of tens of millions of credit and debit card numbers through the systems of TJX, the US discount retailer.

Data security breaches are becoming a costly problem for companies, both financially and in terms of reputation. The Privacy Rights Clearinghouse, a US not-for-profit group, has identified more than 215 million records of US residents that have been exposed since January 2005 because of security failures. The Ponemon Institute, a research organisation, says breaches cost US companies an average of $197 (£99, 137 euros) per record compromised, up 43 per cent since 2005. The institute says: "Data breach costs represent a significant risk to organisations of all sizes and industries."

Survey

Yet even as the problems expand, there is increasing evidence that many companies simply do not take them sufficiently seriously. A survey of US and British businesses published this month by Kroll Ontrack, an information management company, found that fewer than half of the businesses in both countries had a strategy or policy in place on how to deal with electronically stored information. Kristin Nimsger, its president, says the statistics are "frightening yet not surprising". She adds: "The explosion of electronic information and the onslaught of new rules, regulations and laws have made it incredibly difficult for companies and counsel to stay on top of everything."

For the public, the potential implications of lax data security are even more troubling. It can lead to identity theft and other types of fraud. On the same day the driver data loss emerged, regulators fined Aviva, the UK's biggest insurer, £1.26 million ($2.5 million, 1.7 million euros) over a breach that allowed fraudsters to alter customer addresses and bank account details as part of a £3.3 million scam.

The blunders reflect both the explosion in the amount of personal information stored by institutions and changes to the ways business is done. Technical advances allow data to be held in ever more convenient forms that also happen to be easier to lose or steal.

According to the Ponemon report last month, lost or stolen devices such as laptops account for half of all data losses, while other security menaces include hacking and mistakes by third parties such as contractors and consultants.

A second complication is that some of the most trusted tools of business and government are more vulnerable than we - or their users - might think. At ClubHack, a conference for internet security professionals held this month in Pune, India, the titles of some of the presentations suggested the potential for breaching some of the world's richest data sources. One paper discussed "mining digital evidence in Microsoft Windows", while another discussed how to hack Firefox, the internet browser, to steal "web secrets".

A third latent threat to data security is that government departments and companies are gathering greater quantities of information from individuals and doing more with it. Information is shared and synthesised for use in targeted marketing, meaning that data are moved around more widely and seen by more people, increasing the chances of them being mislaid or stolen.

A fourth - and more subtle - contributor to data privacy breaches is the conflict between two social trends: the rising institutional appetite for information, and falling job security. While sensitive data are collected in rapidly increasing amounts, the people processing the information are sometimes among the most casual members of the labour force. A small minority will make mistakes through inexperience or take advantage of their positions to cream off information to use for fraud.

Shortcomings

All these trends are adding dangerous dimensions to a universe of data that outsiders have little opportunity to monitor. Bridget Treacy, a partner at Hunton & Williams, the law firm, says public and private sector organisations have generated a swath of "indirect information" that members of the public never get to check. That means one of the main supposed data protection safeguards in Britain and some other states - the individual's right to see information held about them - is often stronger in theory than in practice.

Given all these shortcomings, it is perhaps no surprise that public confidence in the institutions holding their information is low. A survey released by Thomas's office last month says nine out of 10 people are concerned that organisations do not treat their personal information properly.

Aside from the increased complexity of data management and plummeting public confidence, institutions face a threat on a third front: the development of markets in the illegal buying and selling of personal information. Symantec says UK credit card details can be bought for as little as 25 pence, e-mail passwords for 50 pence and full identities for £5.

As the vulnerabilities of the system grow globally, so its defences look increasingly inadequate. There is nothing close to an international consensus on how to deal with data security.

National privacy rules make a ragged, threadbare patchwork even by the weak standards of much international law - and clashes over privacy reflect the growing ease and frequency of transnational data transfer.

Swift, the Brussels-based processor of many European bank transactions, ran into trouble with national privacy regulators last year after it emerged it had been sharing customer data with the US authorities, ostensibly for use in terrorism investigations. In China, Yahoo has drawn criticism for handing over details of the online activities of two journalists, who were subsequently jailed.

Lawyers say there is an urgent need internationally to bridge the detachment between theoretical debates about privacy and the practical steps needed to protect it.

Obligations

One way to make institutions sit up and take notice is to impose greater obligations on them to notify authorities and customers when security breaches occur. More than two-thirds of US states now have data breach notification laws, which require organisations to inform customers if the loss cannot be "mitigated" by some means. Jary Kidd, chief marketing officer at Network Appliance, a company that makes data storage devices, says the laws have led to an increase in reported incidents.

In Britain, Thomas has demanded greater powers to audit companies, harsher penalties for data security offences and even a requirement for senior executives to sign off publicly on companies' data protection policies. He has persuaded the government to impose jail sentences for anyone illegally buying and selling information.

Companies and public authorities are likely to make greater use of safeguards such as data encryption. In the Revenue data loss, many were shocked that such a large volume of highly sensitive data was not encrypted.

The public also has a part to play. Apart from putting pressure on companies and authorities to be more responsible, people will have to assess the balance of risks involved in handing over personal details.

Sharing information can yield benefits, such as access to new products, or advantages such as the reductions in crime that can occur when public authorities share intelligence. The debate is over where the limits should lie in what institutions are allowed to do with our information and which methods they should be allowed to use to extract it from us.

Transport for London's Oyster card, used by residents and visitors to pay for bus and Underground journeys, highlights some questions. While you can obtain it over the counter without providing personal details, you can get a refund on a lost card only if you have given your name and address. So to get full economic value from an essential service, you must hand over your data. Is this informed consent, or de facto coercion? Such points of tension are likely to become more acute as companies and the public sector grow more aggressive in gathering and using information.

The security blizzard is still blowing and sensible institutions are thinking about how they might dig their way out of the snowdrift. Suddenly, stories that might formerly have passed unnoticed are being seized on by the media as further examples of institutional carelessness. Information security problems have existed for a while, but people seem much more bothered by them now.

As Nigel Swycher, a partner at Olswang, the law firm, puts it, data security is no longer a "second-tier risk assessment" but a task for executives themselves to address. "It's now at boardroom level. That's where it belongs in this day and age."