After Sony customers were told their personal data may have been stolen, lawyer Mark Deem explains how public bodies can protect their and others’ data from similar attacks.
With all too depressing regularity, the importance of data has forcefully made its way back into the headlines, with two contrasting issues of considerable importance.
First, the allegation that certain smart-phone devices have been embedded with the capability not only of capturing, but of recording, the geographical data of their users; and, secondly, the revelation that the personal data of millions of Sony customers has been compromised.
Whilst the extent of both the data capture and the numbers of customers affected have been questioned by the companies concerned, the issues emphasise two truisms in the world of data: our data is everywhere and is being captured to an ever increasing extent and at an ever more alarming rate; and, crucially, whilst steps can be taken to minimise the impact of any data loss, the risks cannot be eliminated.
In local government, breaches seem commonplace. In this year alone, Ealing LBC, Hounslow LBC, Leicester City Council and Cambridge CC have all reported incidents of lost media; Anglesey County, Walsall and City of York Councils have been linked to miscommunications of personal data to third parties; and Wolverhampton City Council has reported the inadequate disposal of certain personal data.
These are the unlucky ones - the incidents where a report has been made. Many more incidents simply go undetected or unreported.
Increasing physical security, limiting access to data and encrypting the underlying material have been the standard response to minimising the risk of data loss. This has broadly been adequate to deal with threats of inadvertent disclosure, inadequate destruction or loss of electronic media. It remains, however, entirely ineffective when it comes to the deliberate targeting of data, i.e. the Sony scenario.
Experience shows, however, that implementing a five-point plan can go some way to minimising the impact of any breach and could represent the difference between formal action and an incident being resolved ostensibly in private:
- understand what personal data is being captured, whether it is genuinely required and, if so, how and where it is stored;
- understand and address points of vulnerability in terms of hardware, software, policies and procedures;
- ensure that perimeter security complements electronic security - a perimeter strategy which prevents a USB memory stick from leaving the premises is severely undermined if the same data can exit via social networking websites;
- cut budgets if you have to, but cut security corners at your peril - hacking is a technological game of cat and mouse, requiring firewall and security software to be kept up to date; and
- ensure the body has a breach management plan, providing for effective containment and data recovery, as well as formal notification of the event, if appropriate.
The Sony experience reminds us that all bodies capturing data remain vulnerable to data breach, irrespective of size and sector. Although the risk is real and cannot be eliminated, the risks facing government bodies can be dramatically reduced with careful planning. That leaves us to reflect on why - in the words of Oscar Wilde - there is so little useless information.
Mark Deem is a partner with law firm Addleshaw Goddard