In the past few weeks alone a number of data loss incidents have been reported that have been investigated by the Information Commissioner's Office (ICO), involving organisations such as the Student Loans Company, Wolverhampton Council, South Central Ambulance Service, and Diagnostic Health Systems Ltd. The concern with all these incidents is that they were easily preventable and indicate a lack of good data security awareness and practices among staff.
One of the points noted by the ICO in the Diagnostic Health Systems case was that GP referrals were being emailed directly to staff inboxes, which meant there was no audit trail of how this data was being used or distributed. The intention behind these actions was certainly not malicious, and it could be argued that the root cause was lack of education of staff as well as not having appropriate technologies in place to prevent accidental data loss.
Dated Data Protection Act
The Data Protection Act was put in place back in 1998 to ensure that any organisation that stores, handles or transmits personal data applies principles to the protection of data. The way we develop and consume information has drastically changed in the past decade, and one of the issues around the Data Protection Act is that it was developed and implemented long before smart phones were in use, when emails were only just taking off, and where letters were still the main form of communication. Significant technological advancements, proliferation of personal computers and the internet have made it much easier for companies to fall foul of data protection regulations.
The ICO is not only responsible for dishing out punitive measures for breaches to the Data Protection Act, but should also be offering guidance and best practices to organisations to help them protect their customer's and stakeholders information. Within the public sector, all government and local councils must ensure that all documents, emails and other information sources are protectively-marked, and we would ask why as a regulator the ICO would not expect this of commercial organisations as well.
The government classifies data, so should you
One of the ways in which organisations can protectively mark documents is through data classification solutions, which empowers users and businesses to assign a value to the data they create and handle so that informed decisions can be taken about how it is managed, protected and shared. After all, how can any organisation effectively protect data when they don't know what they have and its corresponding value to the organisation? In a recent IBM study, they highlight that ‘critical data' accounted for up to 2 percent of overall data volume within organisations, but this same data accounted for over 70 percent of their business value. That is to say, if this critical data is lost or leaked, their business could be severely impacted – or possibly irretrievably damaged.
For organisations using a data classification solution, a safety net is established helping prevent sensitive data from being distributed in error and enforcing data security policy and best practice across the organisation. Indeed, data classification is cited as being one of the top IT security priorities for the next 12 months – with 15 percent stating it is business critical and 41 percent a high priority, according to Forrester Research. Furthermore, according to research by the Aberdeen Group, organisations classed as security ‘leaders' are three times more likely to have implemented data classification than security ‘laggards'.
Education is the key
The ICO doesn't have an enviable job, and it can be very easy to criticise incidences where they appear to have been too lenient on an organisation. In the case of a data loss, if a company is seen to be doing all it can to limit the damage of the incident, such as supplying credit monitoring services, then the ICO may be able to take a much more lenient position because slapping a local council with a fine doesn't really help anybody.
Data breaches and data losses are not going to go away any time soon, and the role of the ICO should be more than just a punitive organisation, they should be seen to be educators as well.
Martin Sugden is CEO of Boldon James