Proposals to introduce harsher punishments for data loss would lessen the problem but would not be a silver bullet.
Following recent claims by the former Information Commissioner Richard Thomas, a discussion on SC Magazine's LinkedIn group on whether stronger and harsher punishments will be enough to deter and prevent corporate data loss has seen varying opinions given on the subject.
Senior information security manager Steen Larsen said that he believed harsher punishment would lessen the problem of corporate data loss, and that the lack of punishment is certainly a key reason why data protection compliance is being ignored by most businesses.
Larsen said: “If you go to the C-level people it is very hard to produce a business case for compliance because there are no significant consequences if you simply ignore compliance.
“The recent fines issued by the FSA have certainly ‘concentrated the minds' in the financial services industry and are a good case showing that compliance action will be taken if harsher punishment is introduced. One hundred per cent security or compliance does not exist, so breaches will always continue to happen. But better data protection compliance and security will benefit us all and lower the number of breaches. Hopefully fines will be doled out not for the breach itself but for failure to adequately protect personal information.”
In agreement was Tom Mellor, principal at Identigrate UK, who said that it was now important to punish the specifics of the breach, rather than the inadequacy of the process.
Mellor said: “I was discussing this yesterday with the MD of a long established IT services company. In his view, small businesses are completely unconcerned with confidentiality and integrity (both essential in meeting one's obligations under the DPA). All their efforts are concentrated first on survival and then on getting the job done.
“Technology, to prevent accidental leakage or to protect against misuse of email and Web 2.0 technologies, is of course important. However, everything hangs on employees' understanding that their actions pose a real threat to other people's personal information and changing their behaviour accordingly. That will only happen when the directors/senior management articulate and enforce a policy.”
Jeremy Orritt, channel account manager at Websense, followed Mellor's points by stating that the problem of data loss lies in broken business processes. He said: “The user that just wants to get the job done will try to cut corners despite policies being in place. Realistically, data loss prevention starts with user education, but this alone is not enough. Enforceable process is the way forward to prevent users accidentally using data in inappropriate ways.
“Policies around UKDPA and PCI compliance can be enforced by following a DLP best practice methodology and incorporating a solution to protect a company's intellectual property. It can be a lengthy and expensive process unless it's approached from the right angle. Identifying a company's intellectual property is usually the biggest hurdle to get over. Once you know where this is and what it looks like, protection can follow quite quickly.”
However, Richard Turner, chief executive at Clearswift, believed that while the prospect of more regulation and bigger fines would no doubt delight most in the security industry, it is not a silver bullet.
Turner said: “We must, as an industry and as practitioners, face up to the fact that one of the biggest barriers to a more secure future is that being secure looks far too much like extra cost and not enough like a growth strategy to a great number of organisations.
“Our industry's challenge then is to learn to help facilitate business and not to simply suck through its teeth and say you can't do that.”