Pity the messenger of bad news, but don’t pity them for long.
This week, clerks at the UK financial outfit the Nationwide Building Society will be sending out 11 million letters to the company’s savers (most of whom are ‘members’ in that they technically own the business), informing them of a rather nasty happening we hear suspiciously little about in the UK – three months ago a laptop went missing with customer information on it.
They say they’re not *seriously* worried because the information in question did not include account passwords for online banking, or user names. Then again, they won’t tell us what else might have been on the laptop, leaving some people to surmise it might have been home addresses, names, and other data sufficient to allow ID theft if it fell into the wrong hands.
We do not know. We will not be told either. Because the UK has no data disclosure laws, the members are not even entitled to be given the information ventured so far. They were just being nice when they confessed. The fact it took the Nationwide three months to tell its customers is a scandal, but even that is defended on security grounds. They didn’t want the thieves to know how valuable the information on the laptop could be if sold on the black market.
We don’t know if any security such as encryption was used on the data, but it looks likely that it wasn’t. We can’t know how the building society normally uses encryption on its laptops because it won’t tell anyone. Why do employees even need to put so much data on laptops in an age of the VPN, remote access and remotely-accessible databases anyway?
The UK needs a data disclosure law of the sort that is found in most US states because that would put the gun to the heads of banks, companies and even government. Losing people’s data would then come at a price – having to phone up the regulator, in this case the Financial Services Authority (FSA), in order to explain how something so stupid could possibly have happened.
An EU directive now looks highly likely, even if things are at a relatively early stage. The EU’s thoughts on the matter have been in the public domain for some time (7.2 onwards). The flaw in this proposal is that it would only affect ISPs and telecoms operators, but the principle is the same.
Such a law is inevitable so let’s take the medicine now before we experience any more Nationwide-style cock-ups.