
Financier Worldwide Global Reference Guide 2011: Risk Management & Insurance

Managing data security risks

by Mark Child, Kingston Smith Consulting LLP

Data is any organisation’s most valuable asset, and should always be high on the risk management agenda. Recent research undertaken by the British Standards Institute (BSI) found that one in five organisations admitted they may have unwittingly committed a breach, not simply by failing to hold personal information securely but by neglecting other legal obligations. Since April 2010 the penalties for failing to have controls surrounding the collection, management and use of personal data have increased. From that date the Information Commissioner’s Office (ICO) has had the power to fine organisations up to £500,000 for serious contraventions of the Act. In a world where little is sacrosanct from government cuts, a revenue-raising opportunity like this could prove irresistible.

So is everyone taking the matter as seriously as the regulators? On 17 June 2008, the Financial Services Authority (FSA) fined Merchant Securities Group Limited (Merchant Securities) £770,000 for not adequately protecting its customers from the risk of identity fraud. This was the first time the FSA had fined a stockbroking firm for weak data security controls. On 22 July 2009, the FSA fined three HSBC firms over £3m for not having adequate systems and controls in place to protect their customers’ confidential details from being lost or stolen. These failings contributed to customer data being lost in the post on two occasions. On 24 August 2010, the FSA fined the UK branch of Zurich Insurance Plc (Zurich UK) £2.275m for failing to have adequate systems and controls in place to prevent the loss of customers’ confidential information. That fine is the highest levied to date on a single firm for data security failings.

In October 2010, the ICO used its power to impose data-breach fines for the first time. Hertfordshire County Council was given a penalty of £100,000 for faxing sensitive information to the wrong recipients, while A4e must pay £60,000 for losing an unencrypted laptop.

Given the number of requirements that now populate the regulatory agenda, it would be easy to forget what was on the FSA’s mind in 2008 when it published “Data Security in Financial Services”. This has inevitably slipped into the background given the focus on the banking sector, toxic assets and so on. However, it certainly will not have gone away. In fact, as the dust settles and work continues on a revised and more intrusive regulatory regime, data security is certain to come back on to the agenda.

So what are organisations doing to get their data security into shape? Will they be able to pass an FSA review on this subject? Let us remind ourselves of some of the things the FSA was saying. In terms of governance, firms need to treat data security as a business issue in its own right, not just an IT issue. The right people at the right level of seniority need to be involved. A risk assessment of the whole business should be carried out, using outside expert help if necessary.

In terms of management of third-party suppliers, companies need to determine how a third party manages and secures their data, who has access to it, and how it is transferred between the two firms. Companies should not rely on the contract to absolve them of responsibility in the event of a breach.

Firms should focus on high-risk areas. In terms of controls, those in offshore operations remain the company’s responsibility. Generally speaking, too many people have too much access to too much information; all access should be granted on a need-to-know basis. Risk-based monitoring of access to customer data should be considered. Portable media, including USB devices and CDs, need good management to mitigate data security risks.

In terms of disposal of customer data, many firms are quite good at disposing of hard-copy, paper-based records. However, companies should also check the procedures at their outsourced offsite storage facility.

There is a lot to be considered when thinking about protecting data from improper use. Imagine the consequences of client information getting into the wrong hands. Clearly, the financial consequences can be significant. The inconvenience of fraud against clients will not endear the company to them. But most significantly, the damage to an organisation’s reputation could be catastrophic.

Securing information assets should be a top priority for all organisations. No one can afford the damage to reputation that is caused by loss of data. Information security is something that needs to be embraced by the whole organisation; it is not a dry technology subject. In fact, it is the business, not IT, that is responsible for the protection of its information.

The Information Commissioner, Christopher Graham, said: “Getting data protection right has never been more important than it is today. As citizens we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our details. When things go wrong, a security breach can cause real harm and great distress to thousands of people.”