BreachExchange mailing list archives

Data breach fines will not stop the rot


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Fri, 27 Aug 2010 22:24:52 -0400

http://blogs.techworld.com/war-on-error/2010/08/data-breach-fines-will-not-stop-the-rot/


Is the new era of data fines for data breaches having any effect on
the way organisations treat customer information? As with the French
revolution, it could be too soon to tell, but what matters for the
industry right now are appearances.

On the face of it the fine meted out to Zurich Insurance looks like a
tough one, £2.275 million’s worth of FSA retribution for allowing a
South African subsidiary to lose an unencrypted backup tape with
46,000 UK customer records on it in August 2008.

The size of the fine had a lot to do with the fact that it took Zurich
a year to work out that it had happened at all, exposing those people
to a window for fraud that might have been difficult to detect until
significant damage had been done. There is no evidence that any was,
we are told.

The previous FSA high point was the 2006 loss by the Nationwide
Building Society of a laptop containing records of 11 million account
holders, which got the society a near-million pound fine.

The first issue is the timescales involved here. The Nationwide loss
happened in 2006, the Zurich two years later, and it is safe to say
that these reports are only the thin edge of a fat wedge. Others will
undoubtedly have gone unreported or simply unnoticed, especially where
outsourcing is involved.

Indeed you could argue that the Zurich is to be praised for managing
to discover and report such a distant data breach at all. For its
trouble it has now been publicly named and fined.

The second issue is how little the public got to find out about data
security practices at either the Zurich or the Nationwide. Do either
now encrypt laptop hard drives and backup tapes as a standard
procedure? Institutions are not required to tell customers anything.

The public gets to hear about the punishment but a lot is left behind
a curtain of secrecy. This is wrong and possibly dangerous.

What the UK lacks is not punishments but a basic data breach
notification law that puts a legal (rather than informal) onus upon
organisations of any type to report breaches not just to the FSA but
to the Office of the Information Commissioner. Many US states already
have such laws in place which is why most of the stories of serious
breaches come from over the Atlantic.

One possibility is that this will happen via some form of amendment to
the 1995 EU Data protection Directive. The UK, then, is waiting for
the EU to set a European precedent, which is a wise approach in the
long term, but could leave the UK exposed for some years to come.

Whatever the outcome, customers - and citizens of public sector bodies
- have a right to know not just that their data is being protected but
how it is being protected.

Thinking about moving a current account to a new bank? How your
personal data will be secured by that bank should be as important as
the interest rate on savings. Right now, organisations would rather
not be asked such questions.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
