There are two issues here. The first is the fact that the documents stolen were in a paper format and therefore could not be protected by technologies such as encryption, and the second is the fact that the Halifax did not need to disclose that the theft had occurred in the first place, although the company did notify the UK Financial Services Authority (FSA) and the police before writing to affected customers.
This is the latest of a string of thefts involving sensitive customer data in the UK, although there are many more instances that we are never made aware of. In another example, earlier this year, Nationwide Building Society was fined GBP980,000 by the FSA over the theft of a laptop containing customer data.
Most of the cases involve data stolen in an electronic format that is not encrypted and can therefore be read by the thief, and much has been said about the need for organizations to protect their data by encrypting it, particularly if it is to be taken outside of the organization, either in the form of tape back-ups being transported to a storage facility, or on the laptop of an employee in transit.
However, organizations must also consider encrypting sensitive data that never leaves the organizational boundaries. TJX, the parent company of TK Maxx in the UK, has revealed that it suffered an unauthorized intrusion or intrusions of its systems that handles most of the credit card, debit card, check and merchandise return transactions for most of its stores in Canada, Puerto Rico, and the US, as well as part of its computer system in the UK that handles credit and debit card transactions for stores in the UK and Ireland. Apparently, the intrusions started in July 2005, and ended in January 2007, but the company did not become aware of the theft of data until the end of December last year. This emphasizes the need to better protect data within the company.
When security breaches occur that affect the personal details of individuals in several US states, the fact has to be disclosed. California led the way with this type of legislation when it introduced the California Disclosure Law, which demands that organizations disclose security breaches if personal details are compromised. If such a law was introduced in the UK, it could focus the minds of decision-makers within organizations to put measures in place to better protect data containing sensitive information pertaining to individuals.
Now is surely the time for a disclosure law similar to that introduced in US states such as California. At the moment, it seems that the fines and the brand damage caused when security breaches do come to light are not enough of an incentive to persuade organizations to adequately protect their data, and the risk of a fine is hardly an incentive for an organization to admit to a security breach when it is not legally required to do so.
Until we have a legal requirement to disclose, we will continue to only hear about a handful of breaches. Surely, most consumers would feel a lot happier about their personal details being held by various agencies and financial institutions, if they knew that those organizations had a real incentive to protect that data. If data was stolen, and there was a risk of a consumer’s details being read by unauthorized people, then they should be told about it.
Source: OpinionWire by Butler Group (www.butlergroup.com)
