Dealing with data thieves

After Sony customers were told their personal data may have been stolen, lawyer Mark Deem explains how public bodies can protect their and others’ data from similar attacks.

With all too depressing regularity, the importance of data has forcefully made its way back into the headlines, with two contrasting issues of considerable importance.

First, the allegation that certain smartphone devices have been embedded with the capability of not only capturing, but also recording, the geographical data of their users; and, secondly, the revelation that personal data of millions of Sony customers has been compromised.

Whilst the extent of both the data capture and the numbers of customers affected have been questioned by the companies concerned, the issues emphasise two truisms in the world of data: our data is everywhere and is being captured to an ever-increasing extent and at an ever more alarming rate; and, crucially, whilst steps can be taken to minimise the impact of any data loss, the risks cannot be eliminated.

In local government, breaches seem commonplace. In this year alone, Ealing LBC, Hounslow LBC, Leicester City Council and Cambridge CC have all reported incidents of lost media; Anglesey County, Walsall and City of York Councils have been linked to miscommunications of personal data to third parties; and Wolverhampton City Council has reported the inadequate disposal of certain personal data.

These are the unlucky ones - the incidents where a report has been made. Many more incidents simply go undetected or unreported.

Increasing physical security, limiting access to data and encrypting the underlying material have been the standard responses for minimising the risk of data loss. These have broadly been adequate to deal with threats of inadvertent disclosure, inadequate destruction or loss of electronic media. They remain, however, entirely ineffective when it comes to the targeting of data, i.e. the Sony scenario.

Experience shows, however, that implementing a five-point plan can go some way to minimising the impact of any breach and could represent the difference between formal action and an incident being resolved ostensibly in private:

  • understand what personal data is being captured, whether it is genuinely required and, if so, how and where it is stored;
  • understand and address points of vulnerability in terms of hardware, software, policies and procedures;
  • ensure that perimeter security complements electronic security - a perimeter strategy which prevents a USB memory stick from leaving the premises is severely undermined if the same data can exit via social networking websites;
  • cut budgets if you have to, but cut security corners at your peril - hacking is a technological game of cat and mouse, requiring firewall and security software to be kept up-to-date; and
  • ensure the body has a breach management plan, providing for effective containment and data recovery, as well as formal notification of the event, if appropriate.

The Sony experience reminds us that all bodies capturing data remain vulnerable to data breach, irrespective of size and sector. Although it is a real risk which cannot be eliminated, the risks facing government bodies can be dramatically reduced with careful planning. That leaves us to reflect on why - in the words of Oscar Wilde - there is so little useless information.

Mark Deem is a partner with law firm Addleshaw Goddard
