The UK's data-protection laws have been branded "unfit for purpose" in the wake of the loss of CDs containing 25 million records by HM Revenue & Customs.
In what is now emerging as the UK's biggest-ever data-security breach, HMRC admitted last week that two CDs containing names, dates of birth, addresses, national insurance numbers and bank account details of 25 million child-benefit recipients have been lost in the post.
Two-thirds of a 12-strong CIO Jury IT user panel, brought together by ZDNet.co.uk's sister site silicon.com, said the breach shows UK data-protection laws are currently not strong enough and not fit for purpose.
Nicholas Evans, European IT director for Key Equipment Finance, said: "The information commissioner should be given more powers to carry out security audits where they have reason to believe that standards are not being met, and there should be the ability to fine organisations to the level that the Financial Services Authority took with some banks recently. It quite simply beggars belief that any system with such sensitive data could have allowed this quantity of data to be extracted, and that any organisation should have sent the data unencrypted on CDs to save money."
Current data-protection laws are too focused on closing the stable door after the horse has bolted, according to David Supple, head of IT, marketing and creative services for Ecotec.
Supple said: "This is about achieving strong governance in organisations that have such critical data and about limiting the scope for abuse in the first place."
Mark Beattie, IT director for waste-management company LondonWaste, said: "The laws should be targeted at companies with access to substantial amounts of personal data."
The whole HMRC fiasco was simply labelled a "shambles" by Jacques Rene, chief technology officer for Ascend Aerospace.
The breach also highlights the need for the use of better security and encryption technology. Mike Roberts, IT director for independent Harley Street hospital the London Clinic, said: "The use of encryption for the transmission and transportation of information should be tightened up."
Myron Hrycyk, chief information officer for NYK Logistics UK, added: "People do not understand or appreciate the strength of security required around personal data and the potential dangers of losing this information. Both these factors give rise to the relaxed way data is handled, referring to recent events. This loss of data, if [it is] not found, will be with us for years."
Read this
Feature: The top 10 IT disasters of all time
From faulty satellites nearly causing World War III to the Millennium Bug, poorly executed IT has had a lot to answer for over the years...
Data access and security is an issue for everyone, according to Nicholas Bellenberg, IT director for publisher Hachette Filipacchi UK. He said: "Every organisation has the same concern over access to data — how little security is necessary to enable people to do their jobs? [That] must then be weighed up against the potential for breaches in security, such as we have seen this week."
A third of the jury said the problem is not with the laws themselves but the enforcement.
Mark Foulsham, head of IT for esure, said: "Given that the breach was a failure to adhere to policy and process, the issue is one of policing and enforcement rather than more regulations."
Ted Woodhouse, consultant and former director of IT strategy for Leeds Teaching Hospitals NHS Trust, said: "The data-protection laws are fine — it's HMRC that's not 'fit for purpose'."
Talkback
"The data-protection laws are fine — it's HMRC that's not 'fit for purpose."
My experience shows that the laws are flimsy and easily side-stepped. After all, the Data Protection Act requires organisations to take "all reasonable technological" measures. What's reasonable?
Further, without greater penalties, more data leaks will follow. As it is, the Information Commissioner's Office can only regulate, not enforce, the Data Protection Act.
Some recent experiences will serve to illustrate some of the problems:
1. Looking for an accountant in Scotland who had basic information security practices in place, I went through 9 firms - some of them on the large side -- before I found one that measured up. Some had in-house IT people, some had consultants, some had ad hoc arrangements. The criteria: offsite and encrypted backup, no data leaving the office unencrypted, and access logs to provide an audit trail. Pretty simple, right? The vast majority of firms are using CDs; those that aren't are still on tape held either on-site or in the residence of a partner! Most think nothing of sending tax returns and E-O-Y accounts around the world as an unencrypted PDF document. Many had no access restrictions, and most had no access logging; anyone could access anything at anytime and no one would be the wiser. When I asked what guidelines ICAS gave them, most of them did not know. One flat out told me: nothing.
2. The above situation came about because my present accountant has none of the above. He is a senior partner in a three-office firm with over 1000 clients. His idea of backup is storing a DVD in a safe. "It's bomb-proof," he says.
3. Perhaps the scariest experience of late that underscores for me the poor enforcement of information security laws involves a company I recently heard about. Among the tasks they perform is listening to customer service conversations for insurance companies to ensure compliance. In the process, credit card details and other personal information would be routinely given.
Naturally, this work is outsourced. But rather than spend money on a system with proper access controls and logging, they have given the login information to their workers. Their hired-hands now have access to the entire store of phone conversations. This would have been bad enough if all of their workers lived within the UK or the EU. But one of them just moved to South Africa! When I spoke to someone I know who works for the company, I was told that everyone signed 'privacy agreements' and that was enough. Nevermind the fact that the worker's computer could go missing and take personal UK consumer information with it.
Consequently, there will only be more data breaches and these on an ever-increasing scale. Clearly, the UK government is not taking it seriously enough. But that's not all. A recent study found that the average Briton would have to have their identity stolen twice before he or she considered changing their data security habits. The only hope I see of getting everyone on the same page is a combination of stringent standards and hefty fines. But then HMRC would have to pay, as well.