Data Losses note
prevention

This page discusses minimisation of consumer data losses through network management, vetting and other mechanisms.

It covers -

It is complemented by the more detailed discussion in the Security & InfoCrime guide elsewhere on this site.

     introduction

The prevalence of data loss incidents highlighted in the preceding pages of this note indicates that inappropriate exposure of personal information is not restricted to academic institutions or SMEs. Loss has occurred in government organisations and corporations that have the infrastructure, skills and other resources for effective protection of the information with which they have been entrusted.

It is clear that exposure of some consumer data has occurred because personnel have failed to adhere to corporate protocols. Other losses reflect the inadequacy of such protocols or the failure of data custodians to ensure that basic mechanisms such as encryption of files, password protection of laptop computers and clean-up of surplus servers are in place.

Some organisations appear to have been penny wise and pound foolish, saving small amounts of money by omitting some protections and as a result suffering substantial costs, whether through payment of credit reports and call centres (the US Veterans Affairs agency budgeted over US$100 million for its response to loss of data in 2006) or more subtly through erosion of consumer trust.

Few appear to have embraced notions that they are custodians rather than owners of consumer data. One of our more amusing associates sings a Lesley Gore parody

it's our data and we'll lose it if we want to,
lose it if we want to

Legal recognition of custodianship is changing slowly. Data protection is ultimately a question of cost. The current balance arguably needs to shift from costs borne directly by victims to costs borne by custodians. Over time it is conceivable that such a shift (and hence better protection) will be driven by insurance companies rather than by legislation.

     risk assessment

What risk assessment is undertaken by data custodians? The answer is not clear. That is unsurprising. Threat-savvy organisations do not wish to equip potential offenders with tools by publicising their security processes. Others do not wish to experience embarrassment by demonstrating that their risk assessment and actions were inadequate.

Overall it is apparent that some organisations have not undertaken a formal or comprehensive risk assessment and that, judging by the incidents highlighted in preceding pages of this note, follow-up action has been inadequate.

Risk assessment would typically need to cover -

  • what data is handled by the organisation (directly and by agents such as call centres, couriers and archives)
  • what is the shape of threats
  • what is the probability of those threats
  • what are the costs of minimising potential exposure of data
  • what are the costs of potential exposure (eg erosion of brand, fines, tighter regulation, million dollar charges for provision of credit reference services and operation of call centres)

That assessment should be reflected in steps to minimise risk. One point of entry is provided in the Australian Standard (AS 4360) Risk Management portal.
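The five questions above can be turned into a small decision procedure: estimate an expected annual loss for each threat (probability times cost of exposure), then adopt a control only where the expected loss it removes exceeds its own cost. The following is an added example written for this note, not the note's own material or anything from AS 4360; the threats, probabilities, dollar figures and control effectiveness values are all constructed for illustration and do not describe any real organisation or incident.

```python
"""Worked risk assessment: constructed threats, controls and figures (assumptions)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    data: str           # what data is at risk and who handles it (organisation or agent)
    probability: float  # estimated annual likelihood, 0.0 to 1.0 (constructed)
    impact: float       # estimated cost of exposure in dollars: credit reports,
                        # call centre, fines, lost business (constructed)

    def expected_loss(self) -> float:
        return self.probability * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    reduction: dict     # threat name -> fraction of that threat's probability removed


# Constructed risk register; every figure here is an assumption for the example.
THREATS = [
    Threat("lost laptop", "customer records on unencrypted staff laptops", 0.30, 2_000_000),
    Threat("backup tape lost in transit", "full customer database sent by standard freight", 0.10, 5_000_000),
    Threat("decommissioned server resold", "archived transaction data on surplus hardware", 0.05, 3_000_000),
    Threat("pretexting call", "individual account details given out by a call centre agent", 0.50, 200_000),
]

CONTROLS = [
    Control("full-disk encryption and boot password on laptops", 150_000, {"lost laptop": 0.95}),
    Control("encrypt tapes and use a dedicated courier", 80_000, {"backup tape lost in transit": 0.90}),
    Control("physical destruction of surplus drives", 20_000, {"decommissioned server resold": 0.99}),
    Control("GPS tracker in tape satchels", 30_000, {"backup tape lost in transit": 0.30}),
    Control("call centre social engineering training", 250_000, {"pretexting call": 0.50}),
]


def ranked_threats(threats):
    """Threats ordered by expected annual loss, largest first."""
    return sorted(threats, key=lambda t: t.expected_loss(), reverse=True)


def residual_loss(threats, controls):
    """Expected annual loss once the given controls are in place.
    Controls that address the same threat combine multiplicatively."""
    total = 0.0
    for t in threats:
        remaining = 1.0
        for c in controls:
            remaining *= 1.0 - c.reduction.get(t.name, 0.0)
        total += t.probability * remaining * t.impact
    return total


def select_controls(threats, controls):
    """Greedy selection: repeatedly adopt the control with the largest net benefit
    (expected-loss reduction minus its annual cost) while that benefit is positive.
    A control whose cost exceeds the loss it removes is never adopted."""
    chosen, remaining = [], list(controls)
    while remaining:
        base = residual_loss(threats, chosen)
        best, best_net = None, 0.0
        for c in remaining:
            net = base - residual_loss(threats, chosen + [c]) - c.annual_cost
            if net > best_net:
                best, best_net = c, net
        if best is None:
            break
        chosen.append(best)
        remaining.remove(best)
    return chosen


if __name__ == "__main__":
    for t in ranked_threats(THREATS):
        print(f"{t.expected_loss():>12,.0f}  {t.name}: {t.data}")
    picked = select_controls(THREATS, CONTROLS)
    print("\nControls worth adopting:")
    for c in picked:
        print(f"  {c.name} (${c.annual_cost:,.0f}/yr)")
    print(f"\nExpected loss before: ${residual_loss(THREATS, []):,.0f}")
    print(f"Expected loss after:  ${residual_loss(THREATS, picked):,.0f}")
```

Two things the figures illustrate: the GPS tracker is a sensible control on its own but is not worth its cost once the tapes are already encrypted and couriered, and the training programme is rejected because its cost exceeds the loss it would avert, which is exactly the comparison the last two bullets ask for.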

     network management

Preceding pages have highlighted the inadequacy of much network management, with unauthorised access to devices, networks and databases.

Responses include -

  • appropriate physical security (highlighted in the following paragraph), which can be as simple as locking unauthorised people out of the rooms that house an organisation's networked machines
  • addressing concerns about wireless access
  • ensuring that networks and individual machines are free of malware
  • action to manage printouts and other hard copy (one of our staff wryly recalls consulting to a 'best practice' ICT client, with over 800 staff, that rigorously controlled access to desktop machines but left voluminous printouts in a hopper bin inhabited by alley cats, homeless people and the odd dumpster diver)
  • maintenance, including testing, of corporate firewalls
  • user identification and use-based activity restrictions (eg tracking that the temp receptionist isn't busy downloading the credit card details of all staff)
  • access restrictions, including requirement for electronic authorisation before files are copied to a disk or a USB device is added to the network
  • effective sanitisation of surplus devices and storage media, for example physical destruction of hard drives and shredding of disks rather than assuming that 'deleting a file' means the information is unrecoverable
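The two bullets on use-based activity restrictions and on authorisation before files are copied to removable media are the ones most readily checked by machine. The script below is an added example, not something from this note or from any product it mentions; it audits a small constructed application access log (the format, the role policy, the user names and the row limits are all assumptions made for the example) and reports the receptionist pulling a payroll table, daily export volumes above a role's limit, and copies to removable media that were not preceded by an electronic authorisation.

```python
"""Audit constructed application access-log lines against a role policy (example)."""
import re
from collections import defaultdict

# Assumed log format for this example: one event per line, key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+)"
    r"(?: table=(?P<table>\S+))?(?: rows=(?P<rows>\d+))?(?: device=(?P<device>\S+))?$"
)

# Constructed policy: which tables a role may export and how many rows per day
# a user in that role may export before the activity is flagged for review.
ROLE_POLICY = {
    "reception": {"tables": {"visitor_log"}, "daily_row_limit": 200},
    "payroll":   {"tables": {"staff_payroll", "staff_directory"}, "daily_row_limit": 5_000},
    "analyst":   {"tables": {"sales_summary"}, "daily_row_limit": 100_000},
}

# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
2006-07-03T09:02:11 user=temp42 role=reception action=export table=visitor_log rows=40
2006-07-03T09:15:47 user=temp42 role=reception action=export table=staff_payroll rows=812
2006-07-03T10:01:03 user=hjones role=payroll action=export table=staff_payroll rows=812
2006-07-03T10:05:00 user=hjones role=payroll action=copy_authorised
2006-07-03T10:06:30 user=hjones role=payroll action=copy_to_removable device=usb-0f3a
2006-07-03T11:40:12 user=temp42 role=reception action=copy_to_removable device=usb-77c1
2006-07-03T14:20:00 user=akhan role=analyst action=export table=sales_summary rows=90000
2006-07-03T15:55:09 user=akhan role=analyst action=export table=sales_summary rows=20000
this line is not in the expected format
"""


def parse(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rows"] = int(rec["rows"]) if rec["rows"] else 0
    return rec


def audit(lines):
    """Walk the log in order and return a list of findings as tuples."""
    findings = []
    exported = defaultdict(int)   # (user, day) -> rows exported so far that day
    limit_flagged = set()         # (user, day) already reported, to avoid repeats
    authorised = set()            # users holding an unused copy authorisation
    for line in lines:
        if not line.strip():
            continue
        rec = parse(line)
        if rec is None:
            findings.append(("unparseable", line.strip()))
            continue
        user, role, action = rec["user"], rec["role"], rec["action"]
        policy = ROLE_POLICY.get(role)
        if policy is None:
            findings.append(("unknown role", user, role))
            continue
        if action == "export":
            if rec["table"] not in policy["tables"]:
                findings.append(("table not permitted for role", user, rec["table"]))
            key = (user, rec["ts"][:10])
            exported[key] += rec["rows"]
            if exported[key] > policy["daily_row_limit"] and key not in limit_flagged:
                limit_flagged.add(key)
                findings.append(("daily export limit exceeded", user, exported[key]))
        elif action == "copy_authorised":
            authorised.add(user)
        elif action == "copy_to_removable":
            if user in authorised:
                authorised.discard(user)   # one authorisation covers one copy
            else:
                findings.append(("removable media copy without authorisation", user, rec["device"]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f)
```

In a live deployment the same checks would run against the application's own audit trail rather than a pasted sample, and the unparseable-line finding matters as much as the others: a log the auditor cannot read is one the organisation cannot rely on when it later has to establish what was lost.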

     barriers

Management of network access is complemented by measures to place barriers in front of data thieves.

Those measures include -

  • password protection for laptop and desktop personal computers
  • encryption of data collections, in particular data being transferred from one facility to another via a courier
  • inclusion of GPS tracking devices in satchels or boxes containing computer tapes and disks (facilitating identification if the container falls off the back of a truck or merely gets lost at the airport)
  • use of a special courier rather than standard freight shipment arrangements
  • physically restricting access to networks by keeping computers behind counters and locked doors (machines are less likely to walk out of a building if there is a door in the way)
  • configuration of machines, for example call centre staff do not have machines with floppy disk or CD-burning options and are unable to send email to other than specified addresses

     people management

As the preceding pages of this note have illustrated, preventing exposure of consumer data ultimately involves questions of people management.

Measures include -

  • identifying and addressing risks
  • sensitising management and staff to threats (so that, for example, they can recognise network attacks or pretexting and other 'social engineering' requests for data)
  • vetting of employees and contractors
  • development, implementation and review of protocols
  • checking the bona fides of organisations/individuals that request information on a commercial or supposedly official basis
  • understanding the implications of outsourcing data handling, in particular offshoring to environments where there is substantial subcontracting and weak data protection law
  • imposing penalties for loss of laptops and other breaches of protocols

     disaster planning

It is a fact of life that bad things happen despite (on occasion even through) measures to prevent or minimise exposure of personal information.

The preceding pages suggest that a range of organisations have not been very effective - or are merely perceived to be ineffective, something that for them may be just as serious - in responding to disasters.

They have faced challenges in -

  • identifying that data has been exposed
  • quickly and accurately identifying what data has been lost (indeed whether it has been lost), something that both inhibits further action and fosters perceptions of a cover-up
  • alerting authorities and other stakeholders
  • alerting potentially affected individuals
  • actively prosecuting perpetrators rather than keeping quiet in order to minimise embarrassment, regulatory intervention and increased insurance premiums
  • sheeting home responsibility to corporate staff (if management does not 'own' the problem it is likely to recur)





next page (responses)


version of July 2006
© Bruce Arnold
caslon.com.au | caslon analytics