Data protection: burden of responsibility?
09-05-2008
by Emmet Ryan

In the wake of the recent Bank of Ireland laptop thefts, it's a good time to ask what should be done to safeguard our data.

You would think Irish organisations would have learned by now. IT security has been a hot topic for the past two years, yet bumbling continues to blight the nation's businesses.

The theft of four laptops belonging to Bank of Ireland has caused disruption to thousands of the bank's customers. Names, addresses, financial details and medical records of customers of the bank's life assurance products were all stored on the stolen laptops.

Bank of Ireland's explanation of the whole affair hardly inspired confidence. First there were 10,000 customers affected and only a few branches. Then it turned out there were actually over 30,000 customers hit as well as a bucket load of branches.

It's about as palatable as Father Ted's many excuses to Bishop Brennan but in this case it's the bank that ought to get a good kick up the backside.

"When this level of data is lost there is a great danger of large-scale identity theft. Bank of Ireland assures us that none of the compromised accounts have had any unusual activity on them but this was a few days before they informed us that the number of accounts affected was three times higher than they originally thought," said Simon Coveney, Fine Gael spokesperson for Communications, Energy and Natural Resources.

The laptops were stolen between June and October last year but it took until April for Bank of Ireland to report the theft to the Data Protection Commissioner. These kinds of delays might be avoided if there was an increase in the level of pressure the Data Protection Commissioner was allowed to apply.

Coveney wants to see legislation empowering the commissioner to carry out random checks and data security audits of organisations in both the private and public sector.

"Financial penalties for breaches are already in existence, but we need to look at increasing the amounts involved to create a real incentive," he said.

The public sector of course has managed to outdo Bank of Ireland, at least in terms of scale. The records of over 171,000 Irish blood donors were compromised following the theft of a laptop in New York in February.

"Events like these pose enormous risks for Irish citizens. To an extent that does not appear to be fully realised by many people yet," said Coveney. "The proof of this is in the fact that, according to the Gardai, criminals are starting to steal laptops to order specifically for the data that might be contained in them," he said.

He's right of course but please stop me if this record sounds familiar. Over and over again for the past two years the media has reported on error after mistake after calamitous botch-up. Sometimes the message really doesn't seep through to the student, no matter how hard the teacher tries.

So instead perhaps a different approach is needed. Rather than repeatedly reminding firms that security is important, why not implement some measures that can account for student apathy?

Full-volume encryption on hard drives can help ensure that the data stolen from a laptop is useless to criminals. This approach to security makes the data on a hard drive impossible to read without the right access. This means accident-prone members of staff can be trusted not to let sensitive information fall into the wrong hands. Indeed, the Government is to make moves in this direction: the Houses of the Oireachtas have issued a tender to cover the provision of encryption for 600 devices used by TDs, Senators and staff.

Remote access is another alternative to consider. Rather than having staff members travel with laptops laden down with sensitive data, allow them to access the data required over a secure virtual private network. These networks allow users to access sensitive information from any location, reducing the need to store data on portable devices such as laptops or PDAs.

Even still, Irish organisations should keep working to protect their hardware. Laptops don't have legs and too many people have suffered to simply accept that sometimes theft happens.

"The biggest effect is often the distress that is caused to people due to the knowledge that information relating to them that they normally choose to whom it is made available is now potentially open to access by anybody," said Billy Hawkes, the Data Protection Commissioner.

"Obviously the more sensitive the data the greater the distress and that is a distress that cannot be measured in simple monetary terms," said Hawkes.

It's up to the likes of the Irish Blood Transfusion Service and Bank of Ireland to step up and try to calm customer fears.

"When data is lost, organisations can only attempt to minimise the damage to their customers and to themselves," said Hawkes. "Telling customers precisely what has happened, what dangers they may be exposed to, what measures the organisation is taking and what customers should do themselves, can significantly reduce the damage to the organisation," he said.

Individuals can play their part too by being careful of how they dispose of sensitive documents and by keeping track of activity in their bank accounts.

The onus though is on public and private sector organisations. They are the guardians, the bodies entrusted with protecting customer data.

These gatekeepers need to realise that public trust in their abilities is low and only tighter security can restore customer faith.
