
Data protection racked
FutureSoft CEO and co-founder, Tim Farrell, argues that the UK regime for securing sensitive data is too weak, uncertain and fragmented to address the problem of data insecurity in UK organisations
The outgoing Information Commissioner, Richard Thomas, raised eyebrows recently by criticising the UK data protection regime as out of date and endorsing calls for a rewrite of the underlying directive, following the publication of a critical report commissioned by the ICO from the Rand Institute last year.
Whilst advocating the retention of basic data protection principles, Thomas explicitly criticised the current Directive, which underpins the UK's Data Protection Act, as 'showing its age', arguing that 'laws must concentrate on the real risks that people face in the modern world'. The report, furthermore, advocates a rewrite of sanctions so that they reflect the damage caused by breaches, and calls for monetary penalties to fund compensation for the victims of data loss.
Data protection is usually thought of as a consumer protection issue, but it is increasingly allied to the goals of achieving systemic stability and safeguarding corporate assets. This was the case with the reforms promised last year, which the government committed itself to bringing into force by 27 June.
Following a series of high profile data losses at HMRC, the NHS and the MoD, a hurried amendment to the Data Protection Act gave the ICO the power to levy civil monetary penalties on anyone failing to take reasonable measures to secure data that is then lost: a measure protecting not only consumers but also responsible business users of data.
The only sign that this commitment had fallen by the wayside was the failure, in March, to issue any statutory guidance as to the level and nature of these fines. The amendment made for creditable headlines for the government; the failure to activate the new provision with a statutory instrument, despite the intervention of a House of Lords Select Committee, went largely unnoticed.
Means, motive and opportunity
The means, motives and opportunities to abstract and abuse data have multiplied over the past year. Enabling technologies such as endpoint devices are increasing in number and capability; employee turnover and mobility afford ample opportunities; and it is a truism that economic conditions will exacerbate people's pecuniary motives.
Compliance regimes: getting tougher – but still a dollar short and a day late
Despite regulatory pursuit of statutory policy objectives, the UK regime for the protection of data has consistently failed to keep up with both technology and criminal practices in every area, always seeming to be a dollar short and a day late.
Nevertheless, it seems that the era of light touch regulation is gone, in financial regulation, in data protection and in professional rules. Increasingly, albeit too slowly, quasi-fines and professional and criminal measures are closing the gap on corporate failure to take care of data.
Within financial services, the FSA has identified professional offences involving the misuse of information as presenting nothing less than a 'systemic threat'. Whilst many such offences are covered by the new and broad umbrella regime of the Fraud Act 2006, sensitive data itself is covered in this area only by a patchwork of professional rules, City regulation and civil obligations in confidence, negligence and trade secrets.
Identifying what to protect
In the face of a piecemeal but increasingly tough legal and compliance apparatus, proactive practical measures are required. Real world protection against the losses that flow from data breaches, rather than protection against compliance failures, should be the priority for business leaders: mere compliance offers no security against real world threats. Compliance regimes and the legal apparatus around sensitive data nevertheless have a reciprocal relationship with the demands of the real world: what the law will treat as reasonable is shaped by what is actually done to protect the data.
For example, in the world of pre-patent technology and unregistered rights, the fact that information has already got out can in itself preclude you from effectively protecting your data assets, or from securing a remedy. Commercial obligations of confidence may, for the purposes of enforceability, be defined by all the circumstances surrounding disclosure.
Data handlers should bear this in mind whoever the person or organisation is with whom they engage in confidence. Is an endpoint device encrypted when it is passed on within your organisation? Are confidential documents marked as such? Are there layers of security to hive off sensitive information within the organisation? It may be self evident that assets such as pricing data and sales contacts are technically trade secrets, but the law of confidentiality effectively protects secret assets only if you yourself take measures to preserve that secrecy.
Similarly, in other areas, the notorious Computer Misuse Act affords data handlers the protection of the criminal law only if it can be shown that the person seeking unauthorised access to computerised data knew that their access was, in fact, unauthorised. Are you explicitly identifying and protecting sensitive data as such? If not, the chances are that, once the horse has bolted, the law will not help you shut the stable door.
A real world approach
A common theme therefore emerges across the regime for protecting sensitive data: the 'reasonable measures' variously demanded by data protection law, conduct of business rules and the common law should correspond to the demands of real life threats. As a first step, therefore, companies need to identify what, and indeed who, needs protection.
A single perimeter is necessary, but it is usually not enough. Endpoint security solutions, such as PointGuard, should allow a layered approach to be taken, with information access and dissemination compartmentalised across the organisation. Separate systems and passwords should protect the most sensitive or valuable information assets, such as trade contacts or pre-patent data representing the 'state of the art'.
Weaknesses need to be sought out and identified. For example, are incoming files scanned for malicious code before they are opened, rather than only when your antivirus happens to encounter them? Are former employees' accounts systematically shut down, and any passwords they knew changed? Are all endpoint devices systematically accounted for?
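The last two of those questions are answerable only if someone regularly reconciles the HR record of who has left against what the directory and the device inventory actually say. The script below is an added illustration of that reconciliation; it is not code from the article, from FutureSoft or from PointGuard. The HR roster, directory export and device inventory are constructed sample data in a made-up dictionary format (a real run would read an HR extract and an AD/LDAP or MDM export instead), and the 30-day check-in threshold and the function names are the author's own assumptions.

```python
"""Offboarding and asset reconciliation check (added example, constructed data).

Joins an HR leavers list against a directory export and an endpoint inventory
and flags the gaps a regulator would ask about after a loss:
  - leavers whose accounts are still enabled
  - enabled accounts that belong to nobody on the roster (orphans)
  - accounts that were used after their owner's leaving date
  - devices assigned to leavers, or silent for longer than a threshold
"""
from datetime import date

# Constructed HR roster: termination is None for current staff.
HR_ROSTER = [
    {"username": "asmith", "termination": None},
    {"username": "bjones", "termination": date(2009, 4, 30)},
    {"username": "cwong",  "termination": date(2009, 5, 15)},
    {"username": "dpatel", "termination": None},
]

# Constructed directory export, shaped like a flattened AD/LDAP dump (assumed format).
DIRECTORY = [
    {"username": "asmith",     "enabled": True,  "last_logon": date(2009, 6, 1)},
    {"username": "bjones",     "enabled": True,  "last_logon": date(2009, 5, 20)},  # leaver, still enabled and used
    {"username": "cwong",      "enabled": False, "last_logon": date(2009, 5, 14)},  # leaver, correctly disabled
    {"username": "dpatel",     "enabled": True,  "last_logon": date(2009, 6, 2)},
    {"username": "svc_backup", "enabled": True,  "last_logon": date(2009, 6, 2)},   # nobody in HR owns this
]

# Constructed endpoint inventory: assigned user and last management check-in.
DEVICES = [
    {"id": "LT-0101", "user": "asmith", "last_seen": date(2009, 6, 1)},
    {"id": "LT-0102", "user": "bjones", "last_seen": date(2009, 4, 28)},  # leaver's laptop never came back
    {"id": "LT-0103", "user": "dpatel", "last_seen": date(2009, 3, 1)},   # current staff, but silent for months
]

AS_OF = date(2009, 6, 3)  # date the reconciliation is run (constructed)


def leavers(roster, as_of):
    """Usernames whose termination date is on or before as_of."""
    return {r["username"] for r in roster
            if r["termination"] is not None and r["termination"] <= as_of}


def stale_leaver_accounts(roster, directory, as_of):
    """Leavers who have gone but whose directory account is still enabled."""
    gone = leavers(roster, as_of)
    return sorted(a["username"] for a in directory
                  if a["enabled"] and a["username"] in gone)


def orphan_accounts(roster, directory):
    """Enabled accounts with no HR record at all: service accounts, contractors, leftovers."""
    known = {r["username"] for r in roster}
    return sorted(a["username"] for a in directory
                  if a["enabled"] and a["username"] not in known)


def post_leaving_logons(roster, directory):
    """Accounts used after their owner's leaving date: evidence of misuse, not just a control gap."""
    term = {r["username"]: r["termination"] for r in roster if r["termination"] is not None}
    return sorted(a["username"] for a in directory
                  if a["username"] in term and a["last_logon"] > term[a["username"]])


def unaccounted_devices(devices, roster, as_of, max_silence_days=30):
    """Devices assigned to a leaver, or not seen by management within the window (assumed 30 days)."""
    gone = leavers(roster, as_of)
    flagged = []
    for d in devices:
        silent = (as_of - d["last_seen"]).days > max_silence_days
        if d["user"] in gone or silent:
            flagged.append(d["id"])
    return sorted(flagged)


def reconcile(roster=HR_ROSTER, directory=DIRECTORY, devices=DEVICES, as_of=AS_OF):
    """Run all four checks and return them as one report dictionary."""
    return {
        "stale_leaver_accounts": stale_leaver_accounts(roster, directory, as_of),
        "orphan_accounts": orphan_accounts(roster, directory),
        "post_leaving_logons": post_leaving_logons(roster, directory),
        "unaccounted_devices": unaccounted_devices(devices, roster, as_of),
    }


if __name__ == "__main__":
    for check, hits in reconcile().items():
        print(f"{check}: {', '.join(hits) if hits else 'none'}")
```

The point of keeping the four checks separate is that they lead to different actions: a stale account is a disable-and-reset job, an orphan needs an owner before it needs anything else, a post-leaving logon is an incident to investigate, and a silent laptop is a question of whether the disk was encrypted when it was issued.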
Reactive vs. proactive: criminals, legislators and regulators
It is, nevertheless, no longer sufficient for security solutions merely to close system loopholes. They must recognise risky behaviour, respond intelligently and, most importantly, feed the ongoing creation of policy by managers. Real measures must result from ongoing analysis of obligations and risks. Technological security tools must become completely integrated with the behaviour of every user and every asset, to provide visibility, protection and management control. In doing so, they will enable organisations to address a range of different threats far more effectively than is possible with a 'mere compliance' approach, and will present significant and measurable returns on investment.
In the meantime, the patchwork of measures to protect sensitive data in the UK continues to be enforced more aggressively, but is in itself inadequate to protect many with a stake in sensitive data. It is up to businesses to protect themselves and their customers, and to be one step ahead of criminals, legislators and regulators.