Watch Out for the Data Watchdog's Bite
A puppy, not a watchdog. That’s the criticism that has often been aimed at the UK’s data regulator, the Information Commissioner’s Office (ICO). In 2008 and 2009, despite reporting some 720 data breaches from businesses, government bodies and charities, the strongest measure the ICO could take was to issue warnings and enforcement notices. But from April this year, the ICO will have real teeth, in the form of a £500,000 fine for companies that breach the Data Protection Act (DPA) through ‘reckless or malicious’ practice.
And that’s just the start of tough new data security sanctions. In October 2009, the European Union (EU) agreed new rules on the reporting of breaches. While this currently applies to telecoms providers and ISPs, the EU is committed to extending breach notification to all firms that process personal data – banks, building societies, insurers, brokers – with draft legislation presented this year.
Notification means telling the national regulator and all parties affected by the breach. Sounds simple enough – but the costs are punitive. The precedent has been well established by the California SB 1386 data breach disclosure law, introduced in 2002, with similar laws now in force in most US states.
In many cases, meeting notification demands has a far greater financial impact than a fine, or fixing the data breach. Gartner estimates that organisations spend on average US$90 for each personal record lost in each data breach. The Ponemon Institute states the cost is still higher, at up to US$140 per record, per breach. It all adds up.
These regulatory moves have been driven by the ongoing data breaches, and by the slow uptake of endpoint security solutions that would help to prevent breaches happening. In December 2009, we surveyed UK companies in both the public and private sector on their use of data encryption. Less than 50% used any encryption on company laptops and mobile devices. This figure is almost identical to the results of a similar survey we did in November 2007.
As such, it’s no surprise that international regulatory bodies feel it necessary to introduce tougher legislative measures against organisations that handle data in a careless or reckless way. When the UK deputy information commissioner welcomed the ICO’s new powers, he also made the intentions behind them crystal clear. The statement read: “We are keen to encourage organisations to achieve better data protection compliance, and we expect that the prospect of a significant fine for reckless or deliberate data breaches will focus minds at board level.”
So data watchdogs are rapidly getting the bite to accompany their bark, with the ability to apply both hefty fines and notification costs. However, the data breach legislations mentioned all have one key point in common.
They all have ‘safe harbour’ provisions – enabling organisations to escape penalties if they can prove they took reasonable steps to protect data, prior to the breach. For example, the EU Data Breach Notification provision, mentioned earlier, says that notification will be required “… except where the provider can demonstrate it has applied appropriate technological protection measures which render the data unintelligible to unauthorised users.”
In simple terms, if an organisation can show that it has encrypted its data (including the data lost in a breach) using a recognised, strong encryption process, in adherence to appropriate security policies, it can avoid penalties and notification costs.
Of course, the benefits are not just financial. There’s also the reduction in overall risk; increased goodwill from stakeholders; and an improved image and reputation for the organisation. Let’s take a close look at how to deploy data encryption across an organisation.
In terms of what solutions are needed, the fact that data breaches can now be punished by law makes any computing device a risk. Although the data breaches seen in media headlines are usually caused by the loss or theft of a laptop computer or USB memory stick, all computers within an organisation – both desktops and laptops – are endpoints, with access to sensitive data. All computers should have data security controls installed.
These controls should include full-disk encryption with pre-boot authentication, port/device control software and removable media encryption. It’s also important for the customers’ administrators – the people who are on-site everyday – to have central visibility and control over endpoints to ensure compliance with the organisation’s security policies.
The ability to centrally enforce security policies with IT solutions is critical in data security. Over the past two years, many of the data breaches that hit the headlines were blamed on individuals who ignored security policies. But this way of thinking masks the real problem.
The vast majority of breaches happen not because of malicious behaviour, but because a well-meaning person was just trying to save a little time, or get their task done faster. In most cases, the person is aware of the organisation’s data security policy – but they thought it would be OK not to follow policy, just this one time. It’s human nature.
The solution is to automate the process so that security is applied automatically to the data in any circumstance – whether on shutting down a laptop, or copying data to a memory stick or CD. The security also needs to conform to policies determined by the IT department. This way, users cannot tamper with, or work around, the security. The less the user is aware of the solution – and latest generation products are highly transparent – the better.
The Holy Grail of endpoint security is to give the IT team central management of all security issues – including configuration, deployment, client and policy updates, password recovery, reporting and deactivation.
This combination of always-on, transparent security and easy, central management helps to eliminate a significant source of risk, while minimising exposure to data breach disclosure laws and financial penalties. With the right data security approach, companies can keep the watchdogs at bay.