Sunday 6 June 2010

One thousand ... and still counting

Just as Anne Boleyn had her thousand days before her head got chopped off, so we now have reached the position where data controllers have managed to report one thousand breaches to the Commissioner’s Office. Will any of them suffer the executioner’s axe too?

According to my trusty guide Wikipedia, cinematically, Anne of the Thousand Days took twenty years to film because its themes — adultery, illegitimacy, incest — were then unacceptable to the U.S. motion picture production code. Well, it hasn't taken more than twenty years of data protection legislation for us to reach the point where the one thousandth breach has been reported. I think the ICO started counting after the great HM Revenue & Customs data breach back in October 2007. We have only had to wait until 28 May 2010. It would be nice if the ICO’s press release were also to explain just when it started counting the breaches, but never mind. Probably just an oversight.

Admittedly, the data protection breaches have not generally concerned themselves with issues as mighty as adultery, illegitimacy or incest. They’ve generally been a lot more mundane than that.

The statistic that really hits home is the percentage of data breaches that have been reported because the data media on which the data were stored had either been lost or stolen. In 23% of the cases, the media was lost. In 30% of the cases, the media was stolen. So, if data controllers had adopted a “privacy by design” approach which involved the use of encryption, it seems possible that over half of all security breaches reported to the Commissioner’s Office might never have needed to be reported in the first place.

I suppose the other statistic that really hits home is the percentage of data breaches reported by the NHS. If these figures are to be believed, they comprise 30% of all reports. Which is of course why we should not read too much into these figures. The NHS is nowhere near as bad as that. What it does show, in my view, is that the NHS is savvy enough to be aware of the occasions when it does lose data, and sufficiently confident not to hide the figures from public view. Good on them.

I think it’s quite likely that many other data controllers are simply unaware of the losses that are occurring within their estate, and frightened of telling anyone should they become aware of a significant breach.

I do appreciate the difficulties of practicing what you preach though. I know it’s not necessarily easy to achieve full encryption of everything, regardless of where it is, these days. I do appreciate the real pressures on people’s budgets and the horrendous problems presented to those who have to rely on legacy systems and an IT estate that is more suited to operating the Tardis than the USS Enterprise.

But think – if we could do two things in 2010, just two, what should they be? – Apply full encryption, monitor the IT boundaries, and then get down to the pub. Job done – well half of it, anyway.

Looking at the Commissioner’s press release which announced the thousandth breach, I wondered whether there was anything else we could concentrate on to pick off more “low hanging fruit”, as it’s called in corporate speak. This is what the press release thinks we should be doing:

• Are you sure that you know who you are disclosing personal information to? Have you checked that they are genuine and that they are entitled to the personal details that they are asking for?
• Beware of the dangers of email. Be very careful when selecting recipients of personal information from drop down lists to get the right ones. Do not click on ‘reply to all’ and automatically include all the copy recipients in your disclosure of personal information. For more sensitive information simple email disclosure may not be sufficiently secure.
• Check that automated systems e.g. for stuffing envelopes are working properly and do some dip sampling to verify this.
• Beware of window envelopes. Make sure that only the name and address can be seen through the window.
• Check the positioning of screens particularly in open areas or by windows where they might be seen by members of the public.
• Train your staff in the risks of wrong disclosure and make sure that they don’t get careless about who they are passing information on to.

All of this seems pretty standard stuff, but I don’t think that all of these controls will necessarily result in a reportable incident should there be a failure in one of them. For example, I am hardly likely to disclose the details of a sufficiently large number of customers by wrongly positioning the screens in open areas. Yes, the wrong people may get to see the details of one or two customers – but hopefully not a thousand of them, which is the trigger that the Commissioner’s Office has in the past suggested as the magic figure above which a disclosure is required. And, in my experience, social engineering occurs when a miscreant is targeting an organisation for information about a specific individual (or small group of individuals), rather than just any customer whose details they can lay their hands on.

So where does this leave us? With a suggestion that we should be careful to use the “bcc” function when sending bulk emails, not the “cc” function. And that we should check envelope stuffers and letter folding machinery.

Do I hear the sound of any axe sharpening around Wilmslow yet? Don’t think so. But then again, you never know.

I doubt that Anne Boleyn heard the swoosh before it hit her fragile neck, so perhaps it's hurtling towards someone even now ...