Wednesday 13 October 2010

A new name for a Data Breach?



Lunch today with Dr Larry Ponemon, thanks to the extremely generous hospitality of Ashley Winton at White & Case. No, that’s not him in the picture at the foot of this blog entry. Nor is it an image of Ashley White. Think on.

For those of you who don’t know, the Ponemon Institute conducts independent research on privacy, data protection and information security policy. It enables organizations in both the private and public sectors to have a clearer understanding of the trends in practices, perceptions and potential threats that will affect the collection, management and safeguarding of personal and confidential information about individuals and organizations.

The Ponemon Institute is also the parent organization of the Responsible Information Management (RIM) Council. The RIM Council draws its name from the practice of Responsible Information Management, an ethics-based framework and long-term strategy for managing personal and sensitive employee, customer and business information. Members of the Council represent a cross-section of Fortune 500 companies and are champions of privacy and data protection in their organizations. Through working groups and special projects, they create practical solutions to the privacy and data protection challenges faced by organizations.

In my humble opinion, Larry is one of the great gods of data protection – and his annual “cost of data breach” reports are generally considered the leading authority on the subject. So, it was a rare priviledge to meet the great man again, and to hear a preview of the latest figures. I won’t tell you what they are as I don't know if they have been officially published yet, and I don't like to leak material on this blog ... but the figures do continue to make a compelling case for preventative action to be taken now, rather than wait and deal with the stuff that flows from feeling obliged to issue a data breach notification to all and sundry.

Over lunch today, Ashley White argued that breach notification was more firmly on the EU’s agenda than it has ever been before, even though European regulators don't appear to have an agreed view about how big the breach ought to be before it has to be notified to anyone. I was more worried that, given the steady flow of breach notices that Americans seem to get, thanks to “consumer-friendly” US laws, there’s precious little evidence that these laws have actually changed behaviour and led to a reduction of data breaches in the US. So, if it's not working over there, why import it over here?

I was also worried how sanguine these Eruocrats are that data controllers actually know what data has been lost when there has been a loss. My experience of dealing with people who have lost (encrypted) laptops or (encrypted) data sticks is that they didn’t have a complete idea about what was on the media. Not much of an idea at all, actually, let alone a complete idea. And I really wouldn’t want to face the ire of an apoplectic “data subject” (horrible phrase that it is) who demanded to know if “their own” data had been lost if I didn’t actually have any proof that it had, indeed, been lost.

Anyway, back to the plot. My real aim over lunch today was to start a campaign to change the phrase data breach to something more meaningful. What is a data breach, anyway? It’s a phrase that seems to belong more in the “Cold War” environment of the 1960’s, when an intelligence breach signified that someone had learnt about something that they should not have known. I don’t think the mere loss of information is sufficient to warrant the use of the term breach. I could “lose” a CD or data stick by seeing it fall out of a window of a railway carriage door and then watching it getting crushed on the tracks by an oncoming train. I may have lost the data, but no-one else is going to get harmed – so why on earth should that be a reportable data breach? We wondered what alternative terms might be more appropriate. A “Reportable Data Incident?” No. Too many words.

What would Frank Spencer have said about such a calamity? In the seminal television series “Some Mother’s Do Have Em”, broadcast between 1973 and 1978, he never actually uttered the phrase "Ooh Betty”. He did say "Oooh..." and made references to having "a bit of trouble", or to the cat having done a "whoopsie" (on one occasion, in his beret). A Data Ooooh? Or a “Data Whoopsie?” No, these won’lt do.

Or what would Homer Simpson have said about such a calamity? Should we report "data d’oh”s? No, I don’t like that term either.

After much deliberation, I have come up with a new term - which describes an unfortunate mistake – and it does have a date protection connotation. It’s named in honour of the Rapporteur of the original Data Protection Directive, who subsequently left the European Parliament to become a British MP, then was appointed Defence Secretary, Transport Secretary, Leader of the House of Commons and Labour Party Chief Whip, before disgracing himself (in the eyes of many, me included) in the recent MP’s expenses scandal. All that good work, then an enormous mistake that will live with him (and the rest of us) or a very long time. Yep, stand forward Geoff Hoon.

So, rather than reporting “data breaches”, let’s consider reporting on “data hoons” instead.