Rules of shtoom
17 March 2008
It is something that we could imagine happening to any of us. You've come out of the office on a rainy day and made a run for your car, but once you get there you find that the USB stick you had put around your neck 'for safe-keeping' has come detached somewhere along the way.
However, when you are an NHS employee and the USB stick holds the names, dates of birth, NHS and trust numbers and details of medical conditions of 4,000 patients at Stockport Primary Care Trust, the situation becomes a great deal more serious.
This is just the latest in a number of blunders in the North West, which is rapidly becoming something of a hub for data security lapses. A worryingly similar incident occurred at Oldham Primary Care Trust just a few weeks before the Stockport affair; we have seen the accidental publication of contact details for more than 100 people who took a 'confidential' sex survey; and a local council lost another USB stick with the salary details of 320 council employees.
However, it is not just the health service that is at risk of data security breaches. It is something that is going to become even more of an issue for us in the legal sector, as we become increasingly dependent on technology. There must be only a few of us who have not sent confidential information through a standard email system or saved it, unencrypted, on a CD or USB stick.
Now the public and private sectors alike are feeling the pressure from the Information Commissioner, who is actively engaged in trying to secure custodial sentences for serious breaches of the Data Protection Act. But even without custodial sentences for data protection offences, the loss of data has significant civil and legal consequences. Depending on the sector you are operating in, there may be specific regulatory regimes of which you would be in breach. A law firm, for example, would be in breach of duties under its professional code of conduct and would thus be subject to disciplinary action both for this and for breach of contract - particularly as it is very much the norm to sign agreements to abide by the data security standard.
The problem is not that we are unaware of the risks (publicity regionally and nationally has made sure of that), but rather that true data security needs an end-to-end approach that will need considerable investment. Mobile storage devices such as USB sticks are starting to become something of a scapegoat and there have been calls to ban their use for confidential data transmission purposes. However, this does not get to the bottom of the issue. The idea behind using these devices rather than, for example, simply sending an email is a sound one - the mistake is leaving the data unencrypted. Unfortunately, anything that needs to be physically moved is susceptible to human error or malicious intent, but rendering the data unreadable in the wrong hands can limit the damage.
The NHS is a case in point. A lot of people believe that care has suffered because records have not kept pace with patients as they move from a practice to a specialist, for example, and as a result are not as complete as they could and should be. Information has to be available more readily - one set of clinician's notes carried around is a long way from the joined-up healthcare that is needed. Yet, if everybody who is involved in the treatment needs to have access to the information, it has to be passed around from person to person - and how can you make sure that it gets to the right people and nobody else?
Law firms face the same problem, as data is shared within teams. The ideal solution would be to use a secure email service and dedicated standalone hardware to transmit all sensitive data, mimicking the way in which banks transfer money. Encryption is relatively easy; the problem lies in making the hardware itself secure. Expense is clearly a consideration, but the trade-off between security and convenience is also a serious issue - having to go to a separate machine before you can transmit any information tends to be ill-received by time-pressured employees.
We will also need to think about access privileges. The 'gatekeeper' of sensitive data will often be a technician rather than a senior manager, which can cause no end of awkwardness. Generally speaking, businesses say that people need to have special privileges, but actually deciding who holds them can be a hard decision. If somebody is denied access, they tend to think they are not trusted - but this is rarely the case. The number of potential accidents can be reduced significantly by lowering the number of people who have access to the data and giving these people specific extra training.
Modern working practices bring up additional problems. We are being encouraged to reduce headcounts and outsource where possible, with many functions being carried out remotely or by contractors. There is also the infamous work-life balance dilemma - in an ideal world, everybody should be able to work from their PCs at home, but how can you tell who will be able to access that computer at a later stage? And how can you stop them?
Because of the issues that exist, there is bound to be compromise somewhere along the line, and it is almost inevitable that we will see more lapses in the future. The most secure firms will have effective and rigorous encryption and monitoring procedures that can detect any intrusion and will thus be in a better position to contain the breach, but it will never be possible to eliminate risk entirely.
Keeping data safe is becoming increasingly complicated - there are certainly no quick, easy or completely failsafe solutions. There is ultimately no point in the Government, the Information Commissioner or the general public bemoaning failings in information security unless they look at where their demands - such as the instant access to data necessary in a joined-up health service - may be jeopardising our best efforts.
Susan Hall is a commercial partner and IP specialist at Cobbetts' Manchester office