A blizzard of privacy breaches is blowing through Britain, undermining confidence in government and chilling the private sector, which fears, quite rightly, that its own companies could be next to suffer.
In December 2007, the transport ministry admitted it had lost personal information relating to more than 3m learner drivers, a month after the HMRC agency revealed it had mislaid 25m people’s personal data in the post. Also, it emerged that nine National Health Service trusts had mislaid information on hundreds of thousands of patients.
In October 2009, the then Environment Secretary Hilary Benn confirmed that the Rural Payments Agency could not locate backup tapes containing personal data, including banking details, of more than 100,000 farmers. Shortly afterwards, the Ministry of Defence admitted that 91 laptops, 23 desktop computers and 47 USB memory devices had gone missing, with only 66 of the laptops reported as stolen.
The very next day, Maidstone and Tunbridge Wells NHS Trust was reprimanded by the Information Commissioner’s Office over the theft of an encrypted laptop containing sensitive personal data on 33 patients. Three further unencrypted laptops had also been stolen in August 2009 from the Trust’s Maidstone site. The Information Commissioner’s Office said that 209 NHS bodies had reported data protection breaches in the previous two years, and that incidents involving NHS organisations accounted for almost 30% of all data breaches reported since November 2007.
In fact, this is a high-level global problem: as information is collected more easily, put to more sophisticated uses and shared more widely, breaches of the rules have become both more common and more likely to be serious.
HMRC lost two CDs that included people’s addresses, bank account details and national insurance numbers. The CDs’ disappearance, which triggered the resignation of the Revenue’s head, created a potential goldmine for fraudsters. But it should also prove a ‘tipping point’ for the way companies deal with data loss.
Indeed, there have been even larger data disasters in the private sector. They include the 2003 theft of 92m email records from AOL, the internet service provider, and the illegal access, disclosed in 2007, to tens of millions of credit and debit card numbers through the systems of TJX, the US discount retailer.
In 2007 Richard Thomas, the then UK information commissioner, said he had received numerous anonymous confessions of problems, many of them from companies that had suffered privacy breaches and were anxious not to do so again.
Data security breaches are becoming a costly problem for companies, both financially and in terms of reputation. The Privacy Rights Clearinghouse, a US not-for-profit group, has identified more than 215m records of US residents that have been exposed since January 2005 because of security failures.
According to the Ponemon Institute, breaches cost US companies an average of $204 (£130) per record compromised, up 43 per cent since 2005. Data breach costs represent a significant risk to organisations of all sizes and industries.
Yet even as the problems expand, there is increasing evidence that many companies simply do not take them seriously enough. A survey of US and British businesses by Kroll Ontrack, an information management company, found that fewer than half of the businesses in either country had a strategy or policy in place for handling electronically stored information. This comes at a time when the explosion of electronic information and the onslaught of new rules, regulations and laws have made it very difficult for companies to stay on top of everything.
For the public, the potential implications of lax data security are even more troubling. It can lead to identity theft and other types of fraud. On the same day the driver data loss emerged, regulators fined Aviva, the UK’s biggest insurer, £1.26m over a breach that allowed fraudsters to alter customer addresses and bank account details as part of a £3.3m scam.
This reflects both the explosion in the amount of personal information stored by institutions and changes to the ways business is done. Technical advances allow data to be held in ever more convenient forms that also happen to be easier to lose or steal. Lost or stolen devices such as laptops account for half of all data losses (ask the MoD about this one), while other security menaces include hacking and mistakes by third parties such as contractors and consultants.
Another latent threat to data security is that companies are gathering greater quantities of information from individuals and doing more with it. Information is shared and synthesised for use in targeted marketing, meaning that data is moved around more widely and seen by more people, increasing the chances of it being mislaid or stolen.
A more subtle contributor to data privacy breaches is the conflict between two social trends: the rising institutional appetite for information, and falling job security. While sensitive data is collected in rapidly increasing amounts, the people processing the information are sometimes among the most casual members of the labour force. A small minority will make mistakes through inexperience, or take advantage of their positions to cream off information to use for fraud.
So what should businesses do to safeguard themselves? Luckily, well-established controls exist to protect even small firms against the most common security threats. For example, most personal computers sold today come equipped with virus protection. Since passwords can be guessed or stolen, some companies add more sophisticated authentication, such as coded ID cards, voice recognition software, or even retinal scanning systems; these work best as a second factor alongside a password rather than as a replacement for it.
In addition to protecting their own computers from security threats, companies that conduct business over the Internet must also take care to protect their online customers. Businesses should never store customer information, especially credit card numbers, on their web server or on any other computer reachable from the internet. It is also a good idea to keep any other sensitive information off these machines.
For hardware and software security measures to be effective, firms must make computer security part of their basic operations. Business owners should establish a written set of policies and procedures for internet security, covering computer activity at both the user level and the system administrator level.