Recent data losses have seriously harmed the reputation and effectiveness of a wide range of UK organisations, in all sectors.
And the privacy watchdog, the Information Commissioner's Office (ICO), is soon to acquire new powers, and is becoming more active and willing to exploit its regulatory authority to the full in pursuit of explicit policy objectives.
Any data handler that loses sensitive personal data, having failed to take reasonable precautions, faces civil monetary penalties under forthcoming legislation. As well as tougher sanctions from the ICO, companies risk damage to reputation and commercial losses if they fail to secure data.
After high-profile cases of data breaches in the Ministry of Defence (MoD) and the NHS over the past year, the public and private sector must realise that unless they address the security of endpoint devices they’ll lose out.
With more and more data being stored by organisations and transferred by removable media (especially the NHS, which now stores patient records electronically) organisations need to address their security policies to safeguard the data that they hold and avoid penalties.
Data protection re-write
In July, outgoing Information Commissioner Richard Thomas called for a rewrite of the EU data protection directive, following the publication of a critical report by the RAND institute, which was commissioned by the ICO last year.
Thomas explicitly criticised the current Directive, which underpins the UK’s Data Protection Act, as "showing its age", arguing that "laws must concentrate on the real risks that people face in the modern world".
The report advocates a rewrite of sanctions based on the damage caused by breaches and called for monetary penalties to provide a compensation fund to victims of data loss.
In addition to its existing powers to prosecute, the ICO will be able to levy penalties against data controllers under the new section 55A of the Data Protection Act. The ICO wants sanctions to be proportionate to the harm caused by data breaches.
New monetary penalties
Under the newly inked section 55A of the Data Protection Act, the Information Commissioner was to be given the power to impose civil monetary penalties on businesses that fail to implement reasonable measures to protect sensitive personal information, if such data is subsequently lost.
Despite Lord Bach’s commitment to empower the data commissioner "as soon as possible", the provision for statutory penalties has not yet been "activated" by the necessary statutory instrument.
FutureSoft understands that the Ministry of Justice was set an internal target, at ministerial level, to finalise and implement the regime of civil monetary penalties before the parliamentary Summer recess "at the latest".
Government good practice is to provide statutory guidance twelve weeks before legislation comes into force. The penalties were due to be published in March, in time for their enforcement by the end of June. However, this date has subsequently passed.
Despite this, the ICO has recently issued severe warnings to a number of NHS organisations with Mick Gorrill, the assistant Information Commissioner, declaring: “It is a matter of significant concern to us that in the last six months it has been necessary to take regulatory action against 14 NHS organisations for data breaches.”
The ICO is also urging organisations to consider the impact on individuals’ privacy before developing new IT systems or changing the way they handle personal information. To help them achieve this, the ICO has launched the latest version of its Privacy Impact Assessment (PIA) handbook, which is designed to help organisations address the risks to personal privacy.
Keeping data safe
As a minimum, personal data should be secured from downloading, be adequately encrypted in transit and access restricted by using the appropriate technology.
The reasonable measures demanded by law are likely to entail both intelligent management and the deployment of robust endpoint security.
Organisations of all kinds, from governmental bodies down to doctors' offices, need to maintain total visibility across their network, ensuring that corporate assets are protected and that managers and administrators have a clear view of security issues.
To help address these problems, IT managers need to consider powerful security solutions, which provide a full 360-degree view of a corporation’s network and endpoint security, such as DynaComm PointGuard.
These solutions offer both real-time and on-demand protection, guarding against insider threats and data loss via a layered approach. Such a product helps small to medium-sized businesses manage, monitor, and secure network endpoints by protecting and controlling USB devices, allowing or blocking access to files and registry entries with real-time policies, as well as being able to scan for and remove malware.
Defining which applications can be run, which resources can be accessed by whom, and at what times, is a better approach than attempting to remove user privileges for all applications. It results in better utilisation of business assets and provides more flexibility for end-users to get their jobs done. Ultimately, such an approach is more secure precisely because it actively manages, rather than passively disables.
It is no longer sufficient for security solutions to disable loopholes. They must recognise risky behaviour, respond intelligently, and feed policy creation. They must become completely integrated with the behaviour of every user and every asset, to provide visibility, protection, and management control. In doing so, they will enable organisations to address a range of different threats far more effectively than was possible before. This will present significant and measurable returns on investment to both financial stakeholders and security officers alike.
Monetary sanctions are here to stay. The regulator wants more powers to enforce and punish and has signalled its increased willingness to hold businesses and governments accountable if things go wrong. It is vital to protect not just information assets but also those who are harmed by the loss of data.
Businesses need to face up to the challenge of securing sensitive data and it is imperative that they take adequate measures to protect personal data, regardless of the timetable for regulatory sanctions.
The message is clear: both in the short and the long term, organisations have got to step up to the challenge of a stronger data protection regime or else pay the price.
Tim Farrell has been in the computer business for thirty years, as an engineer, author and highly successful entrepreneur. He co-founded FutureSoft in 1982, providing communications software for the earliest versions of Windows (including the second commercially available product on that operating system). Under Tim's leadership, FutureSoft has forged successful partnerships with industry giants such as Microsoft, HP, Compaq, NCR and AT&T.