This page discusses minimisation of consumer data losses
through network management, vetting and other mechanisms.
It covers the topics outlined below and is complemented
by the more detailed discussion in the Security & InfoCrime
guide elsewhere on this site.
The prevalence of data loss incidents highlighted in the
preceding pages of this note indicates that inappropriate
exposure of personal information is not restricted to
academic institutions or SMEs. Loss has occurred in government
organisations and corporations that have the infrastructure,
skills and other resources for effective protection of
the information with which they have been entrusted.
It is clear that exposure of some consumer data has occurred
because personnel have failed to adhere to corporate protocols.
Other losses reflect the inadequacy of such protocols
or the failure of data custodians to ensure that basic
mechanisms such as encryption of files, password protection
of laptop computers and clean-up of surplus servers are
Some organisations appear to have been penny wise and
pound foolish, saving small amounts of money by omitting
some protections and as a result suffering substantial
costs, whether through payment of credit reports and call
centres (the US Veterans Affairs agency budgeted over
US$100 million for its response to loss of data in 2006)
or more subtly through erosion of consumer trust.
Few appear to have embraced notions that they are custodians
rather than owners of consumer data. One of our more amusing
associates sings a Lesley Gore parody ('... our data and we'll
lose it if we want to, lose it if we want to').
Recognition of custodianship is changing slowly. Data
protection is ultimately a question of cost. The current
balance arguably needs to shift from costs borne directly
by victims to costs borne by custodians. Over time it
is conceivable that such a shift (and hence better protection)
will be driven by insurance companies rather than by legislation.
What risk assessment is undertaken by data custodians?
The answer is not clear. That is unsurprising. Threat-savvy
organisations do not wish to equip potential offenders
with tools by publicising their security processes. Others
do not wish to experience embarrassment by demonstrating
that their risk assessment and actions were inadequate.
Overall it is apparent that some organisations have not
undertaken a formal or comprehensive risk assessment and
that, judging by the incidents highlighted in preceding
pages of this note, follow-up action has been inadequate.
Risk assessment would typically need to cover -
- what data is handled by the organisation (directly and by agents such as call centres, couriers and archives)
- what is the shape of threats
- what is the probability of those threats
- what are the costs of minimising potential exposure of data
- what are the costs of potential exposure (eg erosion of brand, fines, tighter regulation, million dollar charges for provision of credit reference services and operation of call centres)
Assessment should be reflected in steps to minimise risk.
One point of entry is provided in the Australian Standard
(AS 4360) Risk Management portal.
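As an added worked example (not part of this guide, with every figure constructed for illustration), the questions above can be reduced to a simple risk register: for each threat, the expected annual loss is its probability multiplied by the cost of exposure, and a control is worth funding when the reduction in expected loss it buys exceeds the control's own annual cost. The threats, controls and numbers below are assumptions, not data from the page or from any real organisation.

```python
"""Risk-register model: probability x exposure cost, before and after a control.

Added example, not part of the original guide. All threats, controls and
figures are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    annual_probability: float    # chance the loss event occurs in a year (0..1)
    exposure_cost: float         # cost if it does: credit reports, call centre, fines, brand
    control: str                 # proposed mitigation
    control_cost: float          # annual cost of the control
    residual_probability: float  # annual probability with the control in place


def expected_annual_loss(prob: float, cost: float) -> float:
    """Annualised loss expectancy: probability of the event times its cost."""
    return prob * cost


def evaluate(threat: Threat) -> dict:
    """Compare expected loss with and without the control.

    A control is 'justified' when the reduction in expected loss is larger
    than what the control costs each year; otherwise the money is better
    spent elsewhere.
    """
    before = expected_annual_loss(threat.annual_probability, threat.exposure_cost)
    after = expected_annual_loss(threat.residual_probability, threat.exposure_cost)
    benefit = before - after
    return {
        "threat": threat.name,
        "control": threat.control,
        "expected_loss_before": before,
        "expected_loss_after": after,
        "net_benefit": benefit - threat.control_cost,
        "justified": benefit > threat.control_cost,
    }


# Constructed register: invented numbers chosen only to show both outcomes.
REGISTER = [
    Threat("Lost unencrypted laptop", 0.20, 2_000_000,
           "Full-disk encryption", 30_000, 0.02),
    Threat("Backup tapes lost in transit", 0.05, 5_000_000,
           "Encrypt tapes + tracked courier", 40_000, 0.005),
    Threat("Surplus server sold with data intact", 0.10, 400_000,
           "Drive destruction on disposal", 5_000, 0.0),
    Threat("Desktop theft from locked office", 0.02, 100_000,
           "24-hour on-site guard", 150_000, 0.005),
]


def prioritised(register=REGISTER) -> list:
    """Evaluate every threat and rank by net benefit, highest first."""
    return sorted((evaluate(t) for t in register),
                  key=lambda r: r["net_benefit"], reverse=True)


if __name__ == "__main__":
    for row in prioritised():
        verdict = "JUSTIFIED" if row["justified"] else "not justified"
        print(f"{row['threat']:<40} {row['control']:<32} "
              f"ALE {row['expected_loss_before']:>10,.0f} -> "
              f"{row['expected_loss_after']:>9,.0f}  "
              f"net {row['net_benefit']:>+10,.0f}  {verdict}")
```

The ranking makes the "penny wise and pound foolish" point concrete: a cheap control against a likely, expensive loss (encrypting laptops) dominates the list, while an expensive control against an unlikely, cheap loss (a full-time guard) comes out negative and should not be funded on these numbers.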
Preceding pages have highlighted the inadequacy of much
network management, with unauthorised access to devices,
networks and databases.
Responses include -
- physical security (highlighted in the following paragraph), which can be as simple as locking unauthorised people out of the rooms that house an organisation's networked
- concerns about wireless access
- that networks and individual machines are free of malware
- to manage printouts and other hard copy (one of our staff wryly recalls consulting to a 'best practice' ICT client, with over 800 staff, that rigorously controlled access to desktop machines but left voluminous printouts in a hopper bin inhabited by alley cats, homeless people and the odd dumpster diver)
- including testing, of corporate firewalls
- identification and use-based activity restrictions (eg tracking that the temp receptionist isn't busy downloading the credit card details of all staff)
- restrictions, including requirement for electronic authorisation before files are copied to a disk or a USB device is added to the network
- sanitisation of surplus devices and storage media, for example physical destruction of hard drives and shredding of disks rather than assuming that 'deleting a file' means the information is unrecoverable
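An added example, not from this guide, of the use-based activity tracking mentioned above: a small Python checker that reads application access-log lines, compares each user's activity with a role policy (which tables a role may touch and how many rows a day is normal for it) and raises an alert when a user reaches outside their role or exceeds the daily volume. The log format, user names, table names, roles and thresholds are all constructed assumptions.

```python
"""Use-based activity monitoring over constructed access-log lines.

Added example, not part of the original guide. Log format, users, tables,
roles and thresholds are invented for illustration.
"""
import re
from collections import defaultdict

# Constructed sample of an application access log: one line per query or export.
SAMPLE_LOG = """\
2024-03-04T09:02:11 user=tmp.recep role=receptionist action=read table=visitor_book rows=12
2024-03-04T09:05:42 user=tmp.recep role=receptionist action=read table=staff_directory rows=3
2024-03-04T09:41:07 user=tmp.recep role=receptionist action=export table=staff_cards rows=812
2024-03-04T10:15:30 user=a.finance role=payroll action=read table=staff_cards rows=40
2024-03-04T10:16:02 user=a.finance role=payroll action=export table=staff_cards rows=900
2024-03-04T11:00:00 user=h.hr role=hr action=read table=staff_directory rows=60
malformed line that should be skipped
"""

# Constructed policy: tables a role may touch and a daily row volume that is normal for it.
ROLE_POLICY = {
    "receptionist": {"tables": {"visitor_book", "staff_directory"}, "daily_row_cap": 100},
    "payroll":      {"tables": {"staff_cards", "staff_directory"}, "daily_row_cap": 500},
    "hr":           {"tables": {"staff_directory"}, "daily_row_cap": 500},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)


def parse(log: str):
    """Yield parsed events as dicts; lines that do not match the format are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["rows"] = int(event["rows"])
            yield event


def analyse(log: str, policy=ROLE_POLICY) -> list:
    """Return alerts for out-of-role table access and daily volumes over the cap.

    Volume is summed per user per calendar day (the date part of the timestamp).
    A role missing from the policy is treated as allowed nothing.
    """
    rows_per_user_day = defaultdict(int)
    roles = {}
    alerts = []
    for ev in parse(log):
        allowed = policy.get(ev["role"], {"tables": set(), "daily_row_cap": 0})
        if ev["table"] not in allowed["tables"]:
            alerts.append({"user": ev["user"], "kind": "out_of_role_table",
                           "detail": f"{ev['action']} on {ev['table']} as {ev['role']}"})
        rows_per_user_day[(ev["user"], ev["ts"][:10])] += ev["rows"]
        roles[ev["user"]] = ev["role"]
    for (user, day), total in rows_per_user_day.items():
        cap = policy.get(roles[user], {"daily_row_cap": 0})["daily_row_cap"]
        if total > cap:
            alerts.append({"user": user, "kind": "volume_over_cap",
                           "detail": f"{total} rows on {day} (cap {cap})"})
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"ALERT {a['kind']:<18} {a['user']:<12} {a['detail']}")
```

On the constructed log the receptionist triggers both checks (an export from a card table outside the role, and 827 rows against a cap of 100), while the payroll user, who is entitled to the table, still trips the volume check at 940 rows; the HR user generates nothing. Two independent checks matter because an in-role user bulk-exporting is exactly the case a table allowlist alone would miss.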
Management of network access is complemented by measures
to place barriers in front of data thieves.
Those measures include -
- protection for laptop and desktop personal computers
- of data collections, in particular data being transferred from one facility to another via a courier
- use of GPS tracking devices in satchels or boxes containing computer tapes and disks (facilitating identification if the container falls off the back of a truck or merely gets lost at the airport)
- use of a special courier rather than standard freight shipment
- restricting access to networks by keeping computers behind counters and locked doors (machines are less likely to walk out of a building if there is a door in the way)
- of machines, for example call centre staff do not have machines with floppy disk or CD-burning options and are unable to send email to other than specified addresses
As the preceding pages of this note have illustrated,
preventing exposure of consumer data ultimately involves
questions of people management.
Measures include -
- and addressing risks
- management and staff to threats (so that, for example, they can recognise network attacks or pretexting and other 'social engineering' requests for data)
- vetting of employees and contractors
- implementation and review of protocols
- the bona fides of organisations/individuals that request information on a commercial or supposedly official basis
- the implications of outsourcing data handling, in particular offshoring to environments where there is substantial subcontracting and weak data protection law
- penalties for loss of laptops and other breaches of
It is a fact of life that bad things happen despite (on
occasion even through) measures to prevent or minimise
exposure of personal information.
The preceding pages suggest that a range of organisations
have not been very effective - or are merely perceived
to be ineffective, something that for them may be just
as serious - in responding to disasters.
They have faced challenges in -
- that data has been exposed
- and accurately identifying what data has been lost (indeed whether it has been lost), something that both inhibits further action and fosters perceptions of a cover-up
- authorities and other stakeholders
- potentially affected individuals
- prosecuting perpetrators rather than keeping quiet in order to minimise embarrassment, regulatory intervention and increased insurance premiums
- home responsibility to corporate staff (if management does not 'own' the problem it is likely to recur)