Wednesday 11 April 2012

The benefits of reporting on data breaches

What is the point of reporting data breaches to the regulator? This was the question I asked an eminent academic yesterday – and I was quite surprised with the answer he gave.

The opportunity to ask the question arose at the end of an interesting briefing on the problems associated with disposing of electronic data. An organisation, the Asset Disposal & Information Security Alliance, has recently created a standard to certify companies in the IT Asset Disposal marketplace. The UK IT Asset Disposal market is largely unregulated and highly competitive, with no barriers to entry and huge differences in the quality of service provided. It operates in an environment where there is little awareness of the real data protection issues and a weak or non-existent value proposition, characterised by a significant degree of illegal exportation of data held on IT assets to organised criminal gangs in third countries. (This is why an 8 GB iPhone 3G with 4 GB of data sells for more on the black market than a 16 GB iPhone 3G with no data on it.)

And that’s just the UK. There are no genuine global standards and there are no genuine global suppliers.

Not nice. Which is why so few people in businesses feel that it’s actually “their” duty to care about what happened to data once it’s left their premises. Is it a data protection, a legal or a procurement issue? Who really checks to clear the memory caches in the photocopiers before they are returned to the leasing company? Or carries out audits to ensure that the corporate data on laptop hard drives and servers really is destroyed before the devices find their way onto eBay?
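The "really is destroyed" audit the paragraph asks about can be made concrete. What follows is an added example, not code from the original post or from the Alliance: a small Python check over a raw disk image (as produced by an imaging tool) that reports sectors still holding data, known filesystem signatures that survived, and an overall verdict. The sector size, the signature table, the entropy threshold and all three sample images are constructed assumptions for illustration; a production audit would read the device end to end and use a far fuller signature list.

```python
"""Post-wipe audit of a raw disk image: which sectors still hold data?"""
import math
from collections import Counter

SECTOR = 512  # assumed logical sector size of the imaged device

# A few on-disk magic strings that must not survive a wipe (offset, bytes).
# Constructed, deliberately short table; a real audit would carry many more.
SIGNATURES = {
    "NTFS boot sector": (3, b"NTFS    "),
    "FAT32 boot sector": (82, b"FAT32   "),
    "GPT header": (0, b"EFI PART"),
}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant block, ~8.0 for random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sector_is_blank(sector: bytes) -> bool:
    """Blank means uniformly 0x00 or 0xFF (zero-fill wipe or erased SSD block)."""
    return sector == b"\x00" * len(sector) or sector == b"\xff" * len(sector)


def find_signatures(image: bytes) -> list:
    """Return (lba, name) for every sector carrying a known filesystem magic."""
    found = []
    for lba in range(len(image) // SECTOR):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        for name, (off, magic) in SIGNATURES.items():
            if sec[off:off + len(magic)] == magic:
                found.append((lba, name))
    return found


def audit_image(image: bytes) -> dict:
    """Summarise a raw image. Verdicts:
      "wiped"      every sector blank (zero-fill style wipe)
      "randomised" no blank sectors, no signatures, near-maximal entropy,
                   consistent with a random-pattern overwrite or crypto-erase
      "residual"   anything else: structure or low-entropy data survives
    """
    if len(image) % SECTOR:
        raise ValueError("image length must be a multiple of the sector size")
    total = len(image) // SECTOR
    nonblank = [lba for lba in range(total)
                if not sector_is_blank(image[lba * SECTOR:(lba + 1) * SECTOR])]
    sigs = find_signatures(image)
    entropy = shannon_entropy(image)
    if not nonblank:
        verdict = "wiped"
    elif not sigs and len(nonblank) == total and entropy > 7.9:
        verdict = "randomised"
    else:
        verdict = "residual"
    return {"sectors": total, "nonblank": len(nonblank), "signatures": sigs,
            "entropy": round(entropy, 2), "verdict": verdict}


# Constructed sample images (64 sectors each), not captured from any device.
WIPED = b"\x00" * (64 * SECTOR)

_residual = bytearray(WIPED)
_residual[5 * SECTOR + 3:5 * SECTOR + 11] = b"NTFS    "      # leftover boot sector
_note = b"CONFIDENTIAL - constructed sample text left behind after a partial wipe"
_residual[20 * SECTOR:20 * SECTOR + len(_note)] = _note       # leftover file data
RESIDUAL = bytes(_residual)

# Stand-in for a random overwrite: every byte value equally often (entropy 8.0).
RANDOMISED = bytes(range(256)) * 128

if __name__ == "__main__":
    for label, img in (("wiped", WIPED), ("residual", RESIDUAL), ("randomised", RANDOMISED)):
        print(label, audit_image(img))
```

The verdict is only as good as its inputs: a device-level wipe should be checked against the device itself, not a copy, and the entropy heuristic says nothing about whether the overwrite pattern was actually unpredictable, only that no low-entropy structure is left. For the audit the post describes, the "residual" outcome is the one that matters, because it is evidence that the disposal contractor's claim of destruction does not hold.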

Anyway, back to the plot. One of the speakers at this event was Professor Andrew Blyth, from the University of Glamorgan. His work (for various reasons) means that he is very familiar with the data breaches reported to the ICO, and particularly with the data breaches that occur in the National Health Service.

His view on data breach reporting within the NHS is that the sheer volume of data breach reports has had an effect on the NHS. It has removed the stigma of breach reporting, as everyone is now doing it. And, in removing the stigma, media interest in breach reporting has reduced too. A few years ago, the media used to pay great attention to his comments on the significance of data breaches. Now, they are far less interested. We are now, apparently, much more grown up about the issue.

As far as the extent to which breach reporting is having a positive behavioural effect, Andrew pointed out that there are signs of a change in culture within the NHS, but it’s a long, uphill struggle and has to be seen as a long-term initiative.

Andrew also pointed out that he saw privacy issues impacting generations in different ways. With younger people living increasing amounts of their lives on-line, and being more prepared (when compared with older generations) to trade their personal information with a data controller for “free” access to an on-line service, data breaches apparently meant increasingly less to them.

At least for now. Perhaps, when their credit cards or passwords have been compromised for the umpteenth time, they’ll be less sanguine.

So, the message is that breach reporting is of use in facilitating behavioural change, but it should not be expected that cultural transformations will occur overnight. It’s a long haul. For those companies that already embrace a culture which puts privacy at the heart of their operations, compulsory breach reporting may have less of an effect in encouraging behavioural change.

Data breaches will always occur. As do fires, thefts, and industrial accidents. If breach reporting helps reduce the volume of incidents, then all well and good. But, so far, no-one has carried out any research comparing levels of data breaches in environments where breach reporting is, or is not, encouraged. So there is no objective evidence yet which establishes the true value of breach reporting.

There could well be a PhD in this area of academic research for someone, if they really wanted to look into the issue.

Image credit:
Today’s image was taken at the reception after the event, which was held at the top of the BT Tower in Central London. The Victorian "H"-shaped building with the short green roof connecting both main wings, close to the foot of the tower (and in the centre-left part of the image), is actually an extremely significant object. Now a derelict former NHS psychiatric clinic, it was originally built as a workhouse. Just 60 yards down the road, at 22 Cleveland Street (next to the building with the very pale green roof at the centre-top of the image, opposite the large brown parcel of land), the author Charles Dickens lived as a youth. So, what you are actually looking at is an unusual view of the workhouse made famous in his novel Oliver Twist, written when Dickens was 26 years old.