As companies hold ever more data on us, the Information Commissioner wants those who abuse their power to go to prison. Steve Gold reports.
With data theft and high-profile losses regularly hitting the headlines, concerns about privacy are growing, and it's not just the public who are worried. Legislators are getting tougher on organisations, holding them accountable for what happens to the information they hold on their customers and staff.
In the UK, the Data Protection Act and the provisions of the newly updated Companies Act impose a duty of care on all companies to protect their data, and any successful prosecutions will result in a financial penalty against the company.
But if Richard Thomas, the Information Commissioner, has his way, things could get a whole lot worse for those found guilty of breaching data protection laws. In May 2006, he issued a consultancy paper that called on the Government to consider imposing prison sentences of up to two years for the illegal buying and selling of personal information.
Thomas caused more than a few raised eyebrows when he invoked his special powers under the Data Protection Act to present his report to Parliament, noting his deep concern over the issue.
The report, What Price Privacy?, highlights the existence of what the commissioner called a "pervasive and widespread industry devoted to illegally buying and selling people's personal information". It identifies charges of up to £750 for details of BT and cable customers' itemised phone bills, and the case of one agency that was charging customers up to £120,000 a month for its illegal tracing activities.
The bulk of such activities are already illegal under current UK law, but the report concludes that the penalties are too low and have no deterrent effect.
When presenting his report, Thomas warned that the disclosure of even apparently innocuous personal information could be highly damaging in some situations, such as the address of a woman fleeing domestic violence. He added that the low penalties against organisations and individuals that illegally trade in information devalues what is a serious data protection offence.
"We are proposing the introduction of a prison sentence of up to two years for people convicted by the Crown Courts, and up to six months for those found guilty by magistrates," he said. According to Thomas, the aim of the proposal is not to lock up more people, but to discourage anyone who might be tempted to engage in this trade, whether as a supplier or buyer.
The commissioner was due to issue a second report to Parliament in December, with a more formal request for custodial sentences for corporate data leakage and theft.
Peter Sommer, a visiting research fellow at the London School of Economics, has acted as an expert witness in a number of court cases involving computer-related evidence. He is generally in favour of custodial sentences for serious information breach cases. "We've been looking into the issue of data theft for many years in the UK and, while we have the Companies Act and other legislation, this country is relatively unique in not having specific data protection legislation in criminal law," he says.
This is far from ideal as civil legal action can be quite expensive in terms of collecting the necessary evidence and proving fault. "The cost of conducting an enquiry is very high, and most people and organisations are not going to go down this route," Sommer points out.
"Criminal prosecutions for data leakage and theft are better, as they can be carried out by the police, who are more experienced in such matters. A criminal prosecution tends to be higher profile and acts as more of a deterrent to other possible offenders."
However, there are situations where a criminal prosecution should not be used, Sommer warns. "There are degrees of fault in most cases. If you have a company with sloppy procedures, it's usually sufficient for a warning or a fine to be applied," he says. "If, on the other hand, there is a data leak due to a deliberate action on the part of the company, then that's a lot more serious. A custodial route in such situations can therefore be the way to go."
While Sommer welcomes the Information Commissioner's report, he is sceptical as to whether the Government will respond to the request. "You have to look at the parliamentary timetable. Yes, there will be general enthusiasm for this request, but it is debatable whether Parliament has the time to introduce such legislation," he cautions.
According to Sommer, the Government is preoccupied with more pressing needs, such as terrorism, which means it does not have time for new proposals. "There's just too much legislation going through," he says. "And the jails are already full with 80,000 people. I can't see the Government wanting to add to these numbers."
One law for all
Further pressure on organisations to better manage the data they hold comes from a set of UK legislation designed to help fight terrorism and organised crime. Part III of the Regulation of Investigatory Powers Act (RIPA) 2000 gives the police new powers to compel the decryption of files for use as evidence.
This legislation means that companies must store their encryption master keys in a secure manner. At the same time, the storage system must comply with RIPA III in allowing law enforcement officials access to the encryption keys during an investigation.
The new laws, which will take effect later in 2007, open up a range of problems, both for company managers and the police, according to Alex van Someren, CEO of hardware encryption systems company nCipher.
Company managers must comply with law enforcement requests for access to their encryption keys or face up to five years in prison, while the police must implement their own systems to protect and store such keys.
The new legislation puts pressure on businesses to implement strict controls over their data encryption and to provide authorised access to the keys, says van Someren. "Companies are already raising the issue of encryption keys at board level. They're starting to realise they will have to adopt the best practice procedures for their encryption keys that banks already employ."
And, van Someren points out, this is not something that is restricted to data storage systems within major corporates. "Microsoft's new Vista operating system comes with its own BitLocker facility that allows users to encrypt their entire hard disk using a single key. Even the smallest companies will have to get to grips with how to handle the administration of such keys if they are to comply with the new RIPA III rules," he explains.
Meanwhile, another key management issue, and one of the weakest points in data security for most organisations, is controlling the number of portable devices that can access the company's IT systems.
And it's not just a question of users plugging their laptops into the company network. "The number of people using USB devices and WiFi access is growing all the time," points out Matt Fisher, vice-president of Centennial Software.
End-point security products such as Centennial's DeviceWall can help protect and control USB and WiFi accesses and help ensure that companies comply with the relevant data protection legislation.
Fisher concedes that many IT managers are cautious about the value of this kind of security software, but says he usually advises them to install and run it in passive mode for a few weeks. "They can then assess the scale of the problem on their network. From there they can help staff understand the need for security and ensure that only authorised devices access the company's IT systems," he adds.
Fisher admits that no security system can ever be 100 per cent effective against unauthorised data loss or theft, without going overboard on costs.
"Most of the time, the systems you install will only be 99.5 per cent effective. You have to balance the cost, management and risk issues and make a decision on what protection systems to install," he says.
The global perspective
In the US, the arrival of the Sarbanes-Oxley (SOX) Act has caused more than a little panic in boardrooms because of the imposition of corporate and personal responsibility on senior managers and the way they conduct themselves in their business.
The act's provisions are sufficiently draconian to have caused most UK and European companies doing business with their US counterparts to adhere to the legislation, even though American courts have no jurisdiction over them. And now the European Commission, as well as several member states, are looking at introducing their own variants on SOX, as are other countries.
"I think you'll see this type of legislation becoming global before too long," predicts Bob Egner, marketing director at mobile data security specialist Pointsec. "The issue with company and customer data is a major one. It's all about corporate and information governance and how to protect against information leakage and theft."
The problem facing many company managers, he says, is how you go about making your IT systems sufficiently strong to protect against external theft without going to extreme lengths.
We already have the technology to protect IT systems and vulnerable points in the chain such as laptops and portable devices, Egner insists. That's why he expects the European Commission to move on creating its own version of Sarbanes-Oxley quite soon.
But, he adds, there are other ways to encourage companies to protect their data. "If you look at Japan, for example, the government there now offers a number of tax incentives to those companies that comply with the US Sarbanes-Oxley legislation," he offers.
"And India has recently passed its own personal data governance laws in response to reports that call-centre staff were selling customer details to third parties. The Indian government is very concerned about this issue, as it has a lot invested in its call centre and outsourcing services," he adds.
According to Egner, the new Indian legislation is a blend of SOX and the country's own, unique data protection requirements. "They've done a good job in both Japan and India with their own approaches to the issue of corporate legislation and incentivisation. Both approaches are very interesting," he concludes.
Whatever route the UK Government and the European Commission decide to take, the time has come to tighten data protection. And, whatever you do, watch those laptops.
With a turnover of £44 million, 800 staff and over 15,000 properties to manage, New Charter Housing Trust Group is one of the largest registered social landlords in the UK. It holds vast amounts of sensitive information relating to its tenants, including financial records and legal files.
During a recent review, New Charter realised that mobile devices used by its employees were not covered by its security policies. This exposed the group to the risk of losing confidential data and staff introducing malware onto the network while uploading work from portable media.
"We knew that many people were taking work home, but had no idea how the information was being transferred in and out of the office," said John Westwood, IS infrastructure manager at New Charter Housing Trust Group. "While a worker may think they are the model employee by taking work home, they may be compromising our security." "We needed more than just a written usage policy to change behaviour," he added. "We had to alter the mindset surrounding removable device use."
The group introduced Centennial Software's DeviceWall to monitor all device connections and provide flexible enforcement of security policies. The product's temporary access tool allows connection to be granted for a single use, such as taking a large file off-site for an external meeting.
DeviceWall enabled New Charter to quickly set up Active Directory user groups with their own unique access rights. This means, for example, that housing inspectors can connect digital cameras, while accounting staff cannot.
The trust installed DeviceWall in November 2005, deploying the system to more than 600 desktops and 50 laptops in less than a week.
The majority of staff must now request special permission to be able to connect a removable device. This, says the group, has dramatically reduced the number of connections.
"Being able to understand what devices were being brought into the office gave us vital insight into where our vulnerabilities lay," said Westwood. "This meant that we were able to draw up user policies based on what was actually happening in our own organisation."
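The workflow described above, from Fisher's advice to run in passive mode first through to New Charter's group-based rights and single-use grants, can be modelled as a small policy engine. The following is an added illustration written for this article, not DeviceWall's own code or API; the group names, device classes and connection events are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed per-group rights, following the article's example:
# housing inspectors may connect cameras, accounts staff may connect nothing.
GROUP_RIGHTS = {
    "HousingInspectors": {"camera"},
    "Accounts": set(),
    "IS": {"camera", "usb_storage"},
}


@dataclass
class DeviceControl:
    enforce: bool = False           # False = passive mode: log only, never block
    temp_grants: dict = field(default_factory=dict)  # (user, class) -> uses left
    log: list = field(default_factory=list)          # (user, class, permitted, decision)

    def grant_once(self, user, device_class):
        """Temporary access: one connection, e.g. a large file for an off-site meeting."""
        self.temp_grants[(user, device_class)] = 1

    def connect(self, user, groups, device_class):
        """Evaluate a connection attempt; returns 'allow' or 'block'."""
        permitted = any(device_class in GROUP_RIGHTS.get(g, set()) for g in groups)
        key = (user, device_class)
        if not permitted and self.temp_grants.get(key, 0) > 0:
            self.temp_grants[key] -= 1   # consume the single-use grant
            permitted = True
        # Passive mode records what enforcement *would* do without blocking anyone.
        decision = "allow" if permitted or not self.enforce else "block"
        self.log.append((user, device_class, permitted, decision))
        return decision

    def assess(self):
        """Passive-mode review: connections that policy would block, by device class."""
        return Counter(dc for _, dc, permitted, _ in self.log if not permitted)


# Constructed events from a passive-mode monitoring period.
CONSTRUCTED_EVENTS = [
    ("alice", ["HousingInspectors"], "camera"),
    ("bob", ["Accounts"], "usb_storage"),
    ("bob", ["Accounts"], "usb_storage"),
    ("carol", ["Accounts"], "camera"),
]


def passive_review(events=CONSTRUCTED_EVENTS):
    dc = DeviceControl(enforce=False)
    decisions = [dc.connect(u, g, d) for u, g, d in events]
    return decisions, dc.assess()
```

Switching `enforce=True` after the review turns every logged-but-unpermitted connection into a block unless a one-off grant has been issued for it.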