Sunday, 28 March 2010

Another nail in the voluntary data breach notification coffin?


“It’s full of excellent people with first class brains, engaged in brilliant debates. The trouble is that most of them are completely detached from the real world.”

That’s a quote from former Chancellor of the Exchequer Kenneth Clark, speaking on television yesterday about his old Treasury colleagues.

All well and good. But why am I using that quote in this blog? And why am I using the logo of the Beijing Olympic games, held between 8-24 August 2008?

Here goes. I’ve just read a press release from the folks up in Wilmslow, and can’t quite understand the point of it. I’m obviously missing something very profound, but it doesn’t make much sense to me when you take it at face value.

A few days ago, the Information Commissioner’s Office announced that one of the top bods running the British arm of Zurich Insurance has just signed an Undertaking following a security breach. When was the breach? Err, actually it was back on 11 August 2008. Over 18 months ago. During the Olympics. Can anyone else remember that day? Hint – it was the day that British divers Tom Daley and Blake Aldridge came 8th in the men’s synchronised 10 metre platform diving competition.

But why should the Commissioner decide to take action now, so long after the event? That question really irked me. And it still does.

The official account of the breach seems reasonably straightforward. Apparently, a data processor (Zurich Insurance Company South Africa) lost an unencrypted back-up tape containing financial personal information relating to 46,000 (British) Zurich Insurance policy holders. The loss occurred during a routine transfer to a data storage centre in South Africa. The data processor waited for more than a year before reporting the incident to Zurich Insurance back in Blighty. Red faces all round. Subsequent internal investigations revealed failings in the management of security procedures involving data tapes in South Africa.

So why has it taken so long for the Commissioner to get Zurich to sign an Undertaking to ensure that back-up tapes are encrypted? And why has it taken so long for the Undertaking to commit Zurich to put in place controls to monitor and promptly report potential or actual data loss activity? And for the Undertaking to require that steps are taken to ensure staff and external contractors are made fully aware of security procedures and adequate checks are carried out on contractors’ staff?

Dunno.

Interestingly, Sally-anne Poole, Head of Enforcement & Investigations at the ICO, was quoted in the press release: “I am pleased to see that Zurich Insurance plc has taken remedial steps to ensure individuals’ personal details are protected in future.”

But if Sally-anne’s so pleased with these remedial steps, then why on earth has it been necessary to get Zurich to sign the Undertaking in the first place?

Sally-anne also said: “I encourage all organisations to report any serious data security breaches to us so that the nature of the breach or loss can be considered.”

Some encouragement this is.

Perhaps it’s just another nail in the voluntary data breach notification coffin. After all, it’s hard to fault the British Data Protection team at Zurich for their actions. It appears that very shortly after they heard the awful news from South Africa, they had made a confidential confession to the Commissioner (on 3 October 2009) and had followed it up with a formal notification once they had completed their investigations, on 27 January 2010. They’ve already notified the affected customers (and did so way back in October 2009). And, they’ve already agreed to:

a) tighten up the future movement of backup tapes, and use encryption, as appropriate
b) ensure that staff and external contractors are made fully aware of such security procedures and adhere to them;
c) carry out adequate checks on contractors’ staff; and
d) establish effective controls to monitor and promptly report potential or actual data loss activity.

But what’s the point of notifying the Commissioner of a data breach if you’ve already done everything you can to prevent losses occurring in future? It obviously can’t be to avoid potentially damaging publicity about the breach, as the Commissioner’s Office has just issued a press release about this one.

Has the Commissioner’s “confessional chamber” already been dismantled and replaced by a new “court room cum public whipping post”?

Perhaps I should ask the Commissioner to explain the benefits of voluntary breach notification. Because, on just the facts of this press release, given the regulatory action taken by his officials, it really doesn’t make much business sense.

Oh, and for the record, I don't personally believe that the people in the Commissioner's Office are actually “completely detached from the real world.”


A full copy of the Undertaking from the top bod at Zurich can be viewed here:
http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx