Climbing the compliance mountain

30th November 2009

There was a time, in the (not so) dim and distant past, when the amount of digital data an individual or organisation could store was constrained by the speed with which it could be processed and transferred and the relatively high cost of the media needed to store it. But as the former have become progressively faster and the latter has become progressively cheaper, we have all become progressively less selective about the data we retain, and less inclined to treat it with the respect that it deserves. Combine this with the ever-increasing compliance requirements many organisations face and you have a recipe for disaster, says FSN contributing editor Lesley Meall.


“UK organisations recognise the need to protect customer information and other valuable data assets,” comments Phillip Dunkelberger, president and CEO of PGP Corporation, “but while their intentions may be good, not all of them are doing everything it takes to make this a reality.” Although the processing, storage and transmission of personal data are governed by mandatory regulations ranging from the Data Protection Act (DPA) to the Payment Card Industry Data Security Standards (PCI DSS), reported data breaches continue to rise in the UK, along with the associated costs. 

According to research undertaken by the Ponemon Institute for PGP Corporation two thirds of UK organisations have experienced at least one data breach during the past year, multiple breaches have increased, and the cost of dealing with this is not insignificant. When asked to estimate the expense associated with data breaches, those affected indicated that lost business now accounts for 69 per cent (up from 65 per cent in 2007) of data breach costs, which average out at around £60 for each affected customer record (up from £47 in 2007). 

Widespread failures

Incidents involving the biggest public and private sector organisations and their misdeeds may hog the headlines, but small and medium-sized organisations are also failing in their duty of care when it comes to the safety and security of personal data. According to a recent survey of 500 small and medium-sized businesses in the UK by BSI, one in five has unintentionally breached the Data Protection Act (DPA) at least once, by illegally transferring information to a third party, failing to hold information securely, or neglecting one of its other legal obligations.

Finding out what your obligations are under the DPA isn’t difficult. As well as the website of the Information Commissioner’s Office, which provides plenty of information, you can find practical advice on compliance (and even read how some businesses have handled the process) by visiting the relevant section on the website of Business Link. Numerous organisations and websites aimed at small and medium-sized businesses also provide appropriate guidance and factsheets, some for a fee and some free (and compliance does not have to cost an arm and a leg), so there is really no excuse for non-compliance – but it is rampant.

Nearly half of those surveyed admitted to breaking the DPA on several occasions, while 18 per cent indicated that they were so unfamiliar with the requirements of the Act that they hadn’t the vaguest idea whether they’d broken it or not. It is surprising that these figures aren’t higher, because nearly two-thirds of the businesses surveyed do nothing to train their staff on data protection issues, apparently because they are too over-awed by the prospect. “The BSI survey backs up what we have known for some time,” comments Gordon Wanless, chairman of the Data Protection Forum, which is that many organisations find the legislation in this area “complex”.

It’s an argument, and the eight principles of the DPA do not make light reading; but the website of the Information Commissioner’s Office provides guidance in easy-to-digest, bite-sized chunks that avoid the gratuitous use of technical jargon – as will be clear to any organisation that can be bothered to sit down and read about its rights, responsibilities and obligations regarding data protection. So it’s hard not to conclude that organisations choose to ignore their DPA obligations because they can: the chances of getting caught out are minimal, and the associated costs are negligible. But there are signs that this is changing.

Large fines more likely

A maximum fine of £5000 has hindered the effectiveness of the DPA, but the Financial Services Authority (FSA) recently fined HSBC Holdings a whopping £3.2 million for not having adequate controls on customers’ personal data (including addresses and national insurance numbers). And, when Ian Kerr of the Consulting Association was recently found guilty of illegally storing and selling employees’ confidential data, his £5000 fine was judged “wholly inadequate” by magistrates, who referred the case to the Crown Court for harsher sentencing and a potentially unlimited fine. 

The Information Commissioner’s Office (ICO) has been lobbying for years for more powers and greater fines, and it now seems destined to get them. “The ICO has pressed strongly for monetary penalties where the Data Protection Act has been knowingly or recklessly breached,” according to an ICO statement, “and these penalties are being introduced next April.” Under provisions introduced in the 2008 Criminal Justice and Immigration Act the ICO will soon be able to impose substantial fines when there is evidence of a reckless or deliberate data protection breach.

Meanwhile, a new British Standard on data protection has been published. BS 10012:2009 Data Protection is a specification for a personal information management system. “The standard will help organisations demonstrate that they are handling personal information responsibly,” suggests Wanless, who was chairman of the panel that drafted the standard (as well as chairman of the Data Protection Forum and Information Governance Manager, NHS Business Services Authority). It provides a framework that can be used as the basis of a management system, which includes procedures in areas such as training and awareness, risk assessment, data sharing and retention, as well as the disposal of data and disclosure to third parties.

Card security compliance

Because the Data Protection Act has so far proven “wholly inadequate” some organisations have taken steps to protect personal data (and the reputations of their members) by introducing their own regulations. In 2004, the founding members of the PCI Security Standards Council (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International) developed a Data Security Standard (DSS) designed to prevent card fraud, by encouraging and supporting the adoption of consistent data security measures on a global basis. 

The PCI DSS is a comprehensive and far-reaching set of data security standards, requiring 12 measures of compliance in six areas (involving around 250 controls), and it applies to every business that accepts or processes payment cards. “Compliance with PCI DSS is vital to ensuring the integrity of the global payments system,” says Eduardo Perez, head of global data security, Visa Inc, and it can dramatically improve security, as well as reducing the potential for harm, the likelihood of data being compromised, and minimising the associated costs when security breaches do occur. 

Until recently, however, many merchants have been unaware of the PCI DSS, as a tiered classification system resulted in staggered compliance deadlines. For level one merchants, processing more than six million Visa or MasterCard transactions a year, the deadline was 30 June 2007; for level two merchants, processing between one million and six million transactions, it was 31 December 2008. Merchants processing up to 20,000 transactions (level 4) are expected to comply too, but there is no deadline for them; many of them will nonetheless be affected by the 1 October 2009 compliance deadline, which applies to all ecommerce merchants (level 3), however small.

Organisations that want to learn more about what’s going on could do worse than visit the Q&A section of the website of RBS WorldPay. It explains a lot about the PCI DSS, including the reasons why banks are going to be putting their card processing customers under so much pressure to become compliant, the advantages of compliance (such as reducing the threat of Card Scheme imposed penalties), and the disadvantages of non-compliance (such as the loss of merchant facilities), in a very even-handed manner – unlike the deeply ironic letter recently sent out by another financial institution. 

In it, the institution said, “If you are not compliant with PCI DSS, your risk of a data breach and associated card schemes fines and costs is significantly increased. The cost of a data breach, forensic investigation and associated card scheme fines can easily amount to more than £100,00.” It’s more stick than carrot, but the institution concerned knows better than most how effective this can be. So, although the threatened “Card Scheme” penalties may pale by comparison with a £3.2m fine by the FSA, the prospect of them could still make most organisations take their data protection responsibilities more seriously in the future than they have in the past. Time will tell.
