We have been hearing for some time how crucial it is for all of us to be careful about our own data. Shred bank statements and correspondence, ensure you send identity documents by registered post (recorded or special delivery in the UK), and so on and so forth.
And here we have this example where a junior officer (who certainly did not understand a bit of what data protection is all about, and unfortunately so; even if he or she was not trained, isn't there some common sense to it too?) burnt the whole UK record of all child benefit recipients in clear text (we hear them say it was unencrypted; some stories say it was password protected... gosh, what a mess!) onto two CDs or DVDs and sent them through normal mail.
And for what! Well, there was an audit query. And aren't we afraid of our auditors: we are more than ready to provide more than what they want at any time. And yes, with the WorldComs and Enrons, who can argue why not... but wait, weren't these the auditors who allowed that mess to happen? Remember Andersen 🙂
So back to the point: a query requiring only certain data elements for audit purposes was too much of an effort. And we hear this stupid debate in Parliament, among the certainly not too IT-literate MPs, suggesting that it would have cost money to filter the data... it's just loads of XXXX.
And even if the data could not be filtered, how can someone think of sending such sensitive data on CDs? There are better ways to send it (e.g. over an encrypted VPN connection across the Internet or a WAN). Even the very basic e-commerce websites employ encryption to store users' credit card transaction data, and the connection during the execution of a transaction is normally pretty secure (TLS, SSL).
And it boils down to good IT practices... well, browsing the Internet one comes across this link: http://www.itil.org.uk
So let's go over a brief introduction to what it is. ITIL, or the IT Infrastructure Library, is a best practice model for IT service delivery, and you would be surprised who developed it... the Office of Government Commerce. Yes, another government department.
And some people say it is so top-notch that it is almost replacing all other IT governance frameworks. Big blue-chip companies are already using it, e.g. HP.
So... wait a moment. Does this mean one UK government department develops a world-class IT governance framework, but the other government departments are simply unaware of it? You bet!
Hence, in addition to fixing responsibility, the UK government should think about improving the communication across its departments, which is close to pathetic.
And it definitely makes a mockery of the UK government's case for introducing ID cards with biometric data, which in effect means our true identity. Can you trust your elected leaders to play with your identity?
We'll see how the UK government treats this test case, which will be a lesson for other governments around the world, and of course it will strengthen (and in some way already has strengthened) the argument of privacy advocacy organisations that governments are collecting too much personal data.
So let’s close this piece with an opinion from a Symantec expert, Guy Bunker:
“Sadly Bunker is sceptical about whether anyone will learn from the incident. He cited the lack of impact caused by previous high profile data leaks, such as those at Nationwide and TK Maxx.
An all too prevalent ‘this won’t happen to us’ mentality means that most organisations will not learn from the HMRC case and tackle potential pitfalls in their own policies.
Bunker suggested that a fine similar to the one handed to Nationwide might encourage some companies to sit up and take notice as they will not want to incur a similar penalty.
“But, ultimately, fining the government is not of much use to the people who have had their details lost,” he said.
Companies and governments must understand and question the procedures and policies they implement, and these systems need to be investigated to make sure they conform to the required security standards.
Bunker concluded that legislation forcing companies to disclose data breaches, as happens in some US states, may be necessary to ensure that customers are as protected and well informed as possible. “Forewarned is forearmed,” he said.”