The following e-mail will be sent on your behalf.

<your name> has sent the following story to you from ElectricNews.net.

The story is available from http://www.electricnews.net/article/10124346.html

Data protection: burden of responsibility?
Friday, May 09 2008
by Billy MacInnes


In the wake of the recent Bank of Ireland laptop thefts, it's
a good time to ask what should be done to safeguard our data.

You would think Irish organisations would have learned by
now. IT security has been a hot topic for the past two years
yet bumbling continues to blight the nation's businesses 

The theft of four laptops belonging to Bank of Ireland has
caused disruption to thousands of the bank's customers.
Names, addresses, financial details and medical records of
customers of the bank's life assurance products were all
stored on the stolen laptops. 

Bank of Ireland's explanation of the whole affair hardly
inspired confidence. First there were 10,000 customers
affected and only a few branches. Then it turned out there
were actually over 30,000 customers hit as well as a bucket
load of branches. 

It's about as palatable as Father Ted's many excuses to
Bishop Brennan but in this case it's the bank that ought to
get a good kick up the backside. 

"When this level of data is lost there is a great danger of
large-scale identity theft. Bank of Ireland assures us that
none of the compromised accounts have had any unusual
activity on them but this was a few days before they informed
us that the number of accounts affected was three times
higher than they originally thought," said Simon Coveney,
Fine Gael spokesperson for Communications, Energy and Natural
Resources. 

The laptops were stolen between June and October last year
but it took until April for Bank of Ireland to report the
theft to the Data Protection Commissioner. These kinds of
delays might be avoided if there was an increase in the level
of pressure the Data Protection Commissioner was allowed to
apply. 

Coveney wants to see legislation empowering the commissioner
to carry out random checks and data security audits of
organisations in both the private and public sector. 

"Financial penalties for breaches are already in existence,
but we need to look at increasing the amounts involved to
create a real incentive," he said. 

The public sector of course has managed to outdo Bank of
Ireland, at least in terms of scale. The records of over
171,000 Irish blood donors were compromised following the
theft of a laptop in New York in February. 

"Events like these pose enormous risks for Irish citizens.
To an extent that does not appear to be fully realised by
many people yet," said Coveney. "The proof of this is in
the fact that, according to the Gardai, criminals are
starting to steal laptops to order specifically for the data
that might be contained in them," he said. 

He's right of course but please stop me if this record sounds
familiar. Over and over again for the past two years the
media has reported on error after mistake after calamitous
botch-up. Sometimes the message really doesn't seep through
to the student, no matter how hard the teacher tries. 

So instead perhaps a different approach is needed. Rather
than repeatedly reminding firms how security is important,
why not implement some measures that can account for student
apathy. 

Full-volume encryption on hard-drives can help ensure that
the data stolen from a laptop is useless to criminals. This
approach to security makes the data on a hard drive
impossible to read without the right access. This means
accident-prone members of staff can be trusted not to let
sensitive information fall into the wrong hands. Indeed, the
Government is to make moves in this direction: the Houses of
the Oireachtas have issued a tender to cover the provision of
encryption for 600 devices used by TDs, Senators and staff.





Remote access is another alternative to consider. Rather than
having staff members travel with laptops laden down with
sensitive data, allow them to access the data required over a
secure virtual private network. These networks allow users to
access sensitive information from any location, reducing the
need to store data on portable devices such as laptops or
PDAs. 

Even still Irish organisations should keep working to protect
their hardware. Laptops don't have legs and too many people
have suffered to simply accept that sometimes theft happens.


"The biggest effect is often the distress that is caused to
people due to the knowledge that information relating to them
that they normally choose to whom it is made available is now
potentially open to access by anybody," said Billy Hawkes,
the Data Protection Commissioner. 

"Obviously the more sensitive the data the greater the
distress and that is a distress that cannot be measured in
simple monetary terms," said Hawkes. 

It's up to the likes of the Irish Blood Transfusion Service
and Bank of Ireland to step up and try to calm customer
fears. 

"When data is lost, organisations can only attempt to
minimise the damage to their customers and to themselves,"
said Hawkes. "Telling customers precisely what has
happened, what dangers they may be exposed to, what measures
the organisation is taking and what customers should do
themselves, can significantly reduce the damage to the
organisation," he said. 

Individuals can play their part too by being careful of how
they dispose of sensitive documents and by keeping track of
activity in their bank accounts. 

The onus though is on public and private sector
organisations. They are the guardians, the bodies entrusted
with protecting customer data. 

These gatekeepers need to realise that public trust in their
abilities is low and only tighter security can restore
customer faith.