Securing Against Data Loss and Theft
Data security breaches have littered the news over recent years, writes Adrian
Gregory, MD of the DQM Group. All kinds of organisations have
been affected, from government departments to well-known financial institutions.
And there is no indication that the problem is subsiding.
Research we commissioned last year found that there had been over 25
million exposures of personal records to potential theft and fraud over
a 12-month period. This equates to the same number of households in
the UK and highlights the enormous security challenge facing British
public and private sector organisations in today's data-rich society.
Organisations of every kind keep records on their clients and customers,
which is vital for a whole array of business practices such as sales
activity, marketing campaigns and customer service. Transactional processes
such as billing, credit and finance requirements all involve maintaining
detailed personal records. The need for more sophisticated methods of
tracing fraudsters and data thieves has never been greater.
Data loss and theft
Most institutions have already put tight internal measures in place,
but all too frequently these measures assume the controls will hold and
make no provision for what happens after a breach. Most companies would be
appalled to find their customers were contacted inappropriately by rogue
traders with, at worst, fraudulent intentions.
Unfortunately, these breaches are all too often the result of human action.
A whole host of situations might be to blame, from something as simple as
an employee losing their work laptop to something more sinister, such as
an employee being blackmailed by criminals into handing over customer data.
For larger list owners, the cost of recovering clients' marketing
communications after such an incident would typically run into hundreds of
thousands of pounds or euros, not to mention the subsequent chaos for
customers and employees alike.
The security and accessibility of data sets is frequently viewed as
a purely internal issue. If an organisation were to admit that it had
experienced a breach of its data security, that might open it up to
potential legal liability as well as damage to its reputation. So
most keep quiet if it happens. Even the requirement of the Data Protection
Act 1998 to keep personal data secure has tended to be viewed as an
entirely internal process.
One consequence of this inward focus has been a lack of clear ownership
and specified processes to deal with data security. Often the issue
is handled within IT departments rather than as a standalone function.
Abuse of this out-of-sight, out-of-mind attitude has therefore
been relatively easy. It is an uncomfortable fact that most breaches
of data security are carried out by an organisation's own staff, including
its directors and senior managers. Recent research by KPMG Forensic found
that the typical company fraudster is a trusted male executive who gets
away with over 20 fraudulent acts over a period of up to five years
or more.
Significant changes in the broader culture across commerce and the public
sector, and especially among data subjects, mean that laissez
faire is no longer an acceptable attitude. Growing legal pressures,
from industry-specific regulations to international laws, now mean that
every organisation that holds data needs to be sure it is keeping hold of
it. Leading brands are also becoming increasingly aware of the damage
security breaches can do to their image. As a result, data security
is moving from an IT discussion to the boardroom, not least because
the brand is often the most highly valued asset on the balance sheet.
Track and Trace
Data security can never be 100 per cent. It is not possible to guarantee
the total safety of any asset, whether physical or virtual, which needs
to be in constant use. Certain measures will deliver a much higher degree
of security, however, and are more likely to meet compliance requirements.
Perhaps most importantly, data security is currently addressed almost
exclusively from the point of view of stopping data leaving the organisation
through, or to, an unauthorised party. Firewalls restrict who can reach
systems holding sensitive information, and encryption protects the
confidentiality of data in transit and at rest. These measures are absolutely
necessary, but they have limits. A firewall does nothing once a laptop or a
backup tape has left the building; encryption only helps if the data on the
lost device was actually encrypted and the key did not go with it; and
neither does anything for paper records. Moreover, although escalation
procedures once a breach has occurred can minimise the impact of identity
fraud, they cannot help trace the fraudsters.
Therefore, there is a significant need to implement widely measures
for tracking and tracing identity thieves and fraudsters once a breach
has occurred. There are various means of doing so, whether electronic
or physical. However, all involve the use, in one way or another,
of 'seed names'. Seed names are fictitious identities that look like
real customers but have in fact been inserted into the database so that
any unauthorised use of the records reveals itself: a seed that receives
a mailing it should never have been sent, or that turns up in a list
offered for sale, shows that the data has left by a route it should not
have. Seeds only work if they are indistinguishable from genuine records
and if whatever is sent to them actually reaches the list owner.
In a real-life example, the direct marketing industry uses such 'sleepers'
as standard practice to guard against unauthorised use of commercial
mailing lists. Now corporations and government bodies are beginning
to adopt the same approach in order to monitor data abuse. Even at this
early stage of the technique's use in the wider commercial and public
sectors, there have been cases of early discovery, where unauthorised data
usage (in fact data theft) has been identified that would otherwise have
lain undiscovered.
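The following is an added example of the seed-name approach described above, not DQM Group's own method or code. It goes one step beyond the text: rather than a single set of seeds, each copy of the list handed to a third party gets its own seeds, so that a seed turning up later identifies which copy leaked. The HMAC key, mail domain, postal address, customer rows and the suspect list are all constructed for the example.

```python
"""Seed names (honeytokens) for tracing a leaked customer list.

Added example, not DQM Group's own method.  Every copy of the list that
goes to a third party is seeded with its own records; when a seed later
appears in a mailing or in a list being offered for sale, the registry
tells you which copy leaked.  Every name, address, key and suspect list
below is constructed for the example.
"""
import hashlib
import hmac
import random
from collections import Counter

# Assumption: this key lives outside the customer database, so someone who
# steals the data cannot recompute the tags and strip the seeds out.
SEED_KEY = b"constructed-example-key"
# Assumption: a mail domain and postal address the list owner controls, so
# that anything sent to a seed actually arrives with the owner.
SEED_DOMAIN = "mail.example"
SEED_POSTCODE = "AB1 2CD"

_NAMES = [("Helen", "Marsh"), ("Tom", "Reilly"), ("Priya", "Nair"),
          ("David", "Okafor"), ("Sarah", "Lindqvist")]


def seed_tag(copy_id: str, n: int) -> str:
    """Unguessable per-copy, per-seed tag; HMAC so it cannot be forged."""
    msg = f"{copy_id}:{n}".encode()
    return hmac.new(SEED_KEY, msg, hashlib.sha256).hexdigest()[:6]


def normalise_email(addr: str) -> str:
    """Match on a canonical form so re-casing or padding does not hide a hit."""
    return addr.strip().lower()


def make_seeds(copy_id: str, count: int) -> list[dict]:
    """Seed records for one copy: ordinary-looking rows whose mailbox
    carries the tag, e.g. helen.marsh3f9a1c@mail.example."""
    seeds = []
    for n in range(count):
        first, last = _NAMES[n % len(_NAMES)]
        tag = seed_tag(copy_id, n)
        seeds.append({
            "name": f"{first} {last}",
            "email": f"{first}.{last}{tag}@{SEED_DOMAIN}".lower(),
            "postcode": SEED_POSTCODE,
        })
    return seeds


def distribute(customers: list[dict], copy_id: str, registry: dict,
               seeds_per_copy: int = 3) -> list[dict]:
    """Return the copy to hand out: customers plus that copy's seeds,
    shuffled so the seeds are not clustered at the end of the file."""
    seeds = make_seeds(copy_id, seeds_per_copy)
    for s in seeds:
        registry[normalise_email(s["email"])] = copy_id
    out = customers + seeds
    random.Random(copy_id).shuffle(out)  # deterministic for the example
    return out


def trace_leak(registry: dict, suspect: list[dict]) -> dict:
    """Count seed hits per copy in a suspect list (a mailing's recipients,
    a list offered for sale).  No hits means 'not seen', not 'not stolen'."""
    hits = Counter()
    for rec in suspect:
        copy_id = registry.get(normalise_email(rec.get("email", "")))
        if copy_id is not None:
            hits[copy_id] += 1
    return dict(hits)


# Constructed data: a small customer list and two outgoing copies.
CUSTOMERS = [
    {"name": "Anna Wood", "email": "anna.wood@example.net", "postcode": "M1 1AA"},
    {"name": "Ben Clarke", "email": "ben.clarke@example.org", "postcode": "L2 2BB"},
]
REGISTRY: dict = {}
COPY_A = distribute(CUSTOMERS, "agency-A", REGISTRY)
COPY_B = distribute(CUSTOMERS, "agency-B", REGISTRY)

# Constructed suspect list: a mailing seen in the wild that hit two of
# agency-B's seeds (one re-cased and padded) plus an unrelated address.
_B_SEEDS = make_seeds("agency-B", 3)
SUSPECT = [
    {"email": _B_SEEDS[0]["email"].upper() + "  "},
    {"email": _B_SEEDS[2]["email"]},
    {"email": "someone@example.com"},
]


def demo() -> dict:
    """Which copy leaked?  Returns {'agency-B': 2} for the constructed data."""
    return trace_leak(REGISTRY, SUSPECT)


if __name__ == "__main__":
    print(demo())
```

Two points of practice follow from the code. The registry and the HMAC key must be kept apart from the customer database, otherwise whoever takes the data can also take the list of seeds and remove them. And a seed only reports use when something is sent to it, so this is a detection that lags the theft; it complements, rather than replaces, the controls that try to stop the data leaving in the first place.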
Notification requirements
Notification of data security breaches is likely to become a legal requirement.
In the US, in 2002, California became the first state to pass a Notice
of Security Breach law requiring any organisation that suffers a breach
of its data security and the loss of personal data to disclose this
fact and to offer assistance to the data subjects affected. A further
33 states have since implemented similar legislation.
Some European Union states have similar laws in place, though not currently
the UK. However, the introduction of the E-Commerce Directive 2006 has
created a new regulatory framework for electronic communications networks
and services. The objective of this framework is to protect citizens
and businesses within the EU when they are using e-commerce.
To meet the terms of the directive, the UK's Information Commissioner
drew up new proposals affecting Internet Service Providers and network
operators.
These require the notification, to the national regulator, of any security
breaches involving the loss of personal data. The regulator must then
decide whether it is in the public interest to inform the general public
of the breach. Notification to the customer is also required where any
breach of data security leads to the loss, modification or destruction
of, or unauthorised access to, personal data.
While not yet implemented, these requirements are likely to come into
force in 2007. They create a new climate of opinion and a legal background
that is likely to lead to pressure for the same standards to be applied
by all data owners, whether using electronic networks for data transmission
or not.
Conclusion
UK public and private sector organisations are holding an increasing
volume of data on customers and citizens. If such organisations are
to continue to be allowed to use this information to improve customer
service, they also have to take on the responsibility of keeping it
safe and secure. The exposure of 25.45 million personal records every
year to potential theft and fraud is already unacceptable. In addition,
individuals must become more savvy and responsible about the way they
keep and dispose of their personal records. For organisations to concentrate
only on internal systems security is not enough. Equal attention needs
to be given to ways of tracking and tracing abusers and fraudsters after
a data breach has occurred, so that the perpetrators might more frequently
be brought to justice. Only by removing the criminal element from the
picture can the tide of identity fraud be turned back.
* DQM Group recently commissioned a White Paper on best practice in
data security, which is available upon request.
Web: http://www.dqmgroup.com