The theft of CDs containing the personal information of 25M UK citizens has rightly caused an out-pouring of ìShame on youî on HMRC and prompted questions like ìHow could you let this happen?î The real question that the British people should be asking though is this: ìWho else has lost my data that I havenít been told about?î
Companies of all sizes, including local & national government, hold huge amounts of very private information on virtually every individual in the UK, yet amazingly, there are no laws to force them to either protect that information (such as by encrypting the data), or to tell you if your un-encrypted information gets lost or stolen. Make no mistake about this: Ever since the first credit card number was put on the first laptop computer or CD, companies have been losing your information and just simply not telling you. Thereís a sad fact of economic life here: Itís cheaper for a company to say nothing and do nothing if they lose Joe Publicís private information, rather than to do the right thing -- ensure that all the data is encrypted, or telling consumers if thereís a risk that their private data could have got into the wrong hands.
The situation in the US today is very different: Following on from some very high-profile data thefts, many States have now enacted so-called ìData Breach Notificationî legislation.
www.ncsl.org/programs/lis/cip/priv/breach.htm
Put simply, this legislation says ìIf you lose customersí Personal Identifiable Information (Social Security numbers, credit card numbers, driving licence numbers, etc) and it wasnít encrypted, then you MUST notify everyone whoís likely to be affected. Many States have also included additional consumer protection, such as one yearís free credit monitoring services to protect against possible identity theft. The US Federal Government ñ immune from State legislation -- has also mandated strict data security standards for itself. Following an incident similar to the HMRC in mid-2006, President Bush issued a mandate that all government departments must implement data encryption ñ no exceptions:
www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf
(In that breach, a laptop containing health and financial information on 26.5M veterans was stolen from an employeeís home ñ the cost of just mailing the notification (letters, envelopes, postage) was about $11M)
The net effect of US legislation has been to change the economic balance of data security: Now, itís cheaper to implement a good data security solution (ie encrypt the data) than to bear the cost of a data breach notification. The figures speak for themselves: When items such as credit monitoring are added in, itís estimated that the average cost of a breach notification following the loss of un-encrypted data is in the region of $90-$140 per customer record.
www.tech-404.com/calculator.html
So, if the loss involved 100,000 customers, this will typically cost a company on average about $11.6M. Whatís the cost of a good data security solution to avoid this in the first place? Much, much less than that!
US legislation hasnít stopped data theft, any more than burglaries have been stopped by property laws. What it has done is to provide insurance for affected consumers by forcing companies and the government to either protect consumersí data, or come clean when they lose it so consumers can get the protection they deserve. It has also put the spotlight on companies who fail to protect consumersí, as these breaches are now tracked by a number of public web sites:
www.privacyrights.org/ar/ChronDataBreaches.htm#CP
The UK government must follow the USí lead. They must enact legislation to protect consumers against the horrors of data theft and the subsequent risk of identity theft. If nothing else comes out of the HMRC incident, then just let this be a lesson learned the hard way!
UK Government Data Theft ñ Richard Stone ñ VP Marketing Credant Technologies
.
