Last November’s news about the loss of personal data by Her Majesty’s Revenue and Customs (HMRC) generated international publicity, a run of reports of other security breaches, and proposals for new legislation. But does this mean we are any closer to understanding either the root cause of the problems within the public sector or the potential for harm that bad security causes?
At this stage it looks as if HMRC resulted from pockets of operational failure, but what would be the outcome of deliberate or malicious attacks on, say, the security of critical national infrastructure, or a complete failure of security within law enforcement?
Luckily, so far there is no evidence that HMRC will cause any real, lasting harm to the many millions of people whose data was compromised – but perhaps this is to be expected where data is “merely” lost as opposed to stolen or attacked.
Over the past few years, since the information commissioner’s “What price privacy?” report to parliament, I have been working closely with high-profile public sector as well as private sector organisations on the issue of data security. This work has produced some interesting anecdotal evidence:
• There has been a high level of appreciation of the importance of data security within most of the organisations I have worked with, in the sense that there is discernible investment in this area – for example, the recruitment of security officers, data protection and privacy officers; the engagement of security and risk auditors; the development of practices, policies and procedures; and the procurement of “privacy enhancing technologies”.
• At the same time, there is an appreciable sense of “disconnect” within many organisations. Common complaints are that business units do not talk to one another, their concerns are not taken seriously enough at board level, and there is not enough cash to go around.
• Furthermore, there is a growing feeling that the information commissioner’s office (ICO) has become more concerned with increasing its powers and gaining publicity for its endeavours than providing organisations with practical help and solutions on the issue of security. One erudite commentator put it to me recently that they feel the ICO gives the impression that it now sees data controllers as the “enemy” rather than as a “partner”.
Of course, we must treat anecdotal evidence like this with a degree of circumspection. However, the overall message has been a compelling one: something is going wrong with data security in the public sector. In fact, the message was so loud and so clear that it rendered a HMRC-scale breach entirely predictable, in the sense that a data security breach affecting over one-third of the population was inevitably going to occur. The only difficulty lay in predicting the location of the victim. HMRC have been very unlucky – it could just as easily have been a bank, for example. Indeed, overwhelming evidence came from the United States, where security breach reporting laws are now the norm at state level. The reports that came out as a result demonstrate absolutely that a HMRC-scale case was always in the offing.
The key message to the public sector is that a new approach to data security is required. This new approach could be best described as “holistic”, with the old and outdated approach being best described as a “silo” approach. The silo approach to security is one that effectively puts the cart before the horse, in the sense that the organisation goes equipped with pre-formed plans and strategies and then builds a case for their implementation.
The core problem with the silo approach is an inevitable one in cases where a closed mind is brought to bear on a problem. The sponsor of the plan or strategy might not have seen all of the issues or envisaged the full range of downstream consequences, leaving gaps in the organisation’s overall security rating. Perhaps this explains why organisations can invest in many of the key indicators of good security, such as those mentioned earlier, yet still suffer a security breach. Putting the same point differently, it would be surprising if the various inquiries into HMRC reveal that the organisation had done absolutely nothing on security.
The holistic approach is precisely the opposite of this, in the sense that it rejects pre-formed plans, strategies and their sponsors. Instead, it encourages the organisation to keep an open mind and go where the evidence leads, as a good detective would when investigating a crime. It starts with the identification of the categories of information within the organisation, then traces their life-cycle from initial capture of data to its final deletion or destruction or transit out of the organisation. This approach will reveal important evidence upon which truly effective planning and strategising can commence, particularly:
• The categories of risk present within the organisation, of which there are really only four (information risks, people risks, physical risks and technology risks).
• The legal obligations facing the organisation.
• The core interfaces between the organisation and the outside world, at which risk is heightened.
It is certainly the case that data security in the public sector will not improve through acceptance of the holistic approach alone. The information commissioner is correct to say that the Data Protection Act requires beefing up, because it presently gives organisations little incentive to comply with its requirements. However, this support is tempered by concerns about the commissioner’s current approach to enforcement and compliance that are being expressed within both the public and private sectors. This is a worry, because if the commissioner is starting to lose support in the key “marginals” he risks failure in the delivery of a security rating for the UK that we can all be proud of.
Of course, once the commissioner is armed with the powers that he has been seeking for such a very long time his performance will be more closely scrutinised than ever before. Indeed, his call for a right of access into organisations will carry with it an expectation that he will be able to prevent further HMRCs from occurring. Thus, it is inevitable that once new powers are introduced the buck will stop with the ICO rather than central government, which took all the initial flak generated by HMRC.
Stewart Room is a partner at Field Fisher Waterhouse and is president of the National Association of Data Protection Officers