Sunday 22 May 2011

Compulsory breach notification: is anyone else heading in the wrong direction?

An extremely interesting debate was held at Australia House in Central London last Thursday. Hosted by Dtex, a company which assists organisations to control the flow of data via the delivery of a “Know Your Insiders” programme, the message was probably not one that those who are responsible for developing and enforcing the soon-to-some-into-force Electronic Privacy Regulations would have wanted to hear.

What do I mean?

Well, we all know that next week heralds the coming into force of new regulations which, among other things, change the rules around cookies. But I've said enough about cookies recently. This blog posting comments on the new rule changes to compulsory breach notification.

Regulation 5 relates to the notification of personal data breaches by Communication Service Providers. In all cases, the Information Commissioner must be notified. In some cases, the subscriber or user must also be notified where there is a risk that the breach would adversely affect the personal data or privacy of that user. Late breach notifications may result in the Information Commissioner imposing a fixed civil monetary penalty of £1,000 on the Service Provider.

There are two problems with this concept.

First, there is no list of Communication Service Providers in the UK, so it is not clear just how many organisations will be affected. I really don’t know how the Information Commissioner will take action against companies who fail to comply with the breach notification requirements, especially when his staff won't even know who he is expected to check up on. Of course, they will know all about the big Service Providers – but what about the smaller ones, whose security standards may well be those that are more suspect? Think, for example of the case of the firm that incurred the latest fine from the Commissioner. ACS Law were barely plankton in the legal ecosystem – yet the owner of the firm still managed to cause the liklihood of siginficant damage being inflicted on thousands of people!

Second, and more importantly, the regulations require Service Providers to devote more time to reporting the most minor of mistakes, which will inevitably divert precious resources from providing advice and support to business projects that really need greater attention. If we are not extremely careful, the debate will slip back into the “security zone”, rather than get focused on the most crucial part of the whole data protection problem.

Take a quick look a the definition of a “personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service;.

So it’s a breach if a single encrypted laptop or a single encrypted data stick is lost? Despite the fact that no damage has been done to any “victim”? Or, in a retail environment, where a passer-by overhears a conversation between a sales advisor and the customer? Even where the only “unauthorised disclosure” is the customer’s name and telephone number?

Of course it’s far-fetched. But the explanatory notes to the Statutory Instrument do state that all breaches have to be reported to the ICO. (Just as users are apparently expected to have to consent to all cookies that are not strictly necessary on websites, but that’s another pet gripe of mine that is the focus of my next blog entry.)

In my view, this madness removes the focus on what I think is the most crucial part of the whole data protection problem. And this was the part which was the main subject of the speakers’ comments at Australia House last week.

If you are to believe the speakers, it’s not really about technical issues.

Obviously, technology can help – which was why the Australian Trade Commission were so keen to facilitate the session, which promoted the services of Dtex, an Australian company. They were also keen to ply us with some of the finest Australian wines and they most generously let us feast on Kangaroo canap├ęs. (I kid you not!)

But, what we really need to concentrate on is people. It’s a behavioral issue, more than a technical issue. We have to focus on the human factor – but this is actually an extremely difficult thing to do.

One of the reasons it’s so hard to get board directors to focus on the importance of human behaviours is because the board members speak a language which can be alien to those who speak in terms of data protection. Board members exist to develop a strategic approach that will maximise shareholder returns – so they tend to speak in financial terms. When assessing risks to the company, they look to their Risk Steering Committees, and expect risks to be quantified in financial terms. What is the loss of “x” likely to be?

The trouble is that, in data protection terms, its really hard to quantify poor data protection standards in financial terms. How many customers really leave businesses that have had data breaches, for example? This is the sort of critical questioning that data protection managers face when they pay their concerns before the company. Where is the actual evidence that customers turn to other providers? While Larry Ponemon has done some amazing work in this area, some of his studies are getting quite depressing – a report published in March 2011, for example, predicted that: most privacy advocates and people in the data protection community believe that data breach costs will start coming down eventually because consumers will become somewhat immune to data breach news. The idea is that data breach notifications will become so commonplace that customers just won’t care anymore.

So, let’s all try and keep focused on the really important stuff – which is making sure that staff know what is expected of them, that they are properly trained and are really committed to the organization. That’s what I want to spend my time doing. Not wasting anyone’s time in Wilmslow having to report the loss of an encrypted data stick, simply because it was left in someone’s trouser pocket while went through the wash cycle at home.

Those folks in Wilmslow surely have better things to do,than wait for such relatively inconsequential reports to dribble through, too.

There was a time when regulators were expected to just waste their time on tedious details around purpose notification, as data controllers diligently kept their regstration entries up-to-date. Shortly they have something else to monitor - which could be equally wasteful of their scarce recources.

Sources: (The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011)

Image credit:
This image is taken from the Monty Python comedy sketch: 100 Yards Dash for People with No Sense of Direction – part of the 27th Silly Olympiad. The starting gun goes off and everybody starts running, very fast. They run up to the high jump, disc throw, hamburger stand, and John Cleese goes powering out of the stadium and up a busy high street. As he’s running a reporter asks him about his progress. He shouts: “I’m getting there, getting there!”