Over the past year a number of organisations have suffered high-profile data losses, leading to hefty fines and considerable damage to their reputation. With the EU data protection law set to change imminently, effective strategies to prevent data loss and the ability to detect and respond to data breaches quickly have become of paramount importance to businesses.
The European Commission has put forward proposals that would greatly strengthen data privacy laws and see a single set of rules on data protection applied across the EU. The new law would mean increased responsibility and accountability for those processing personal data, with organisations required to inform their national supervisory authority of serious data breaches as soon as possible – within 24 hours where feasible.
This, coupled with the high-profile media coverage of data loss incidents, is forcing businesses to become more aware of the risk their operations are exposed to without adequate data security policies.
Additionally, each time we hear about data loss cases such as a lost USB memory stick or a stolen laptop containing sensitive information, which account for over 65% of recorded data losses, we are quickly reminded that these are often the result of human error.
One recent story condemns East Lothian Council, which lost the personal data of over 1,000 pupils because one employee downloaded the information to a memory stick and subsequently lost it. Another example is Irish telecoms firm eircom, which recently confirmed the theft of three laptops containing personal information of over 7,000 customers.
The laptops were not encrypted, and as a result the organisation has been heavily criticised by the Data Protection Commissioner for failing to employ standard data security measures and faces a very hefty fine.
In the UK, unlike some European countries, if the data loss has been caused by the actions of an individual employee, the penalty fine will be issued to the data controller within the company and the company itself will be liable to pay.
This, alongside the fact that human error will inevitably continue and the use of USB memory sticks is only set to proliferate, means that businesses need to adopt technology solutions that work within those parameters to protect themselves.
Even if your organisation uses encryption products, you still have significant exposure. Many surveys and reports have found that encryption is often turned off, and there is no way to prove the product was encrypted without recovering it. The sharing of passwords is also a very common potential exposure.
Of course, people can and will always make mistakes but businesses can protect themselves through readily available technology solutions. USB keys exist today that can have their memory turned on, off or deleted remotely and can be located through inbuilt GPS technology. Businesses have the power to avoid future data losses but the solution is just as much a people one as it is a technology one.
Published in Business Computing World Feb 2012