Large numbers of companies are taking risks with data protection, because they are not aware of the requirements of the law.
Nearly half (44 percent) of companies use live data in test environments - something the 1998 Data Protection Act warns against explicitly, according to a recent survey of IT directors by Compuware.
Half the directors (48 percent) were only 'vaguely familiar' with the Act itself, according to the research, which highlights the importance of understanding the demands and keeping track of how customer data is treated.
A further "83 percent used only minimal measures such as using non disclosure agreements (NDA) to control data when outsourcing," said Ian Clarke, world wide enterprise solutions director at Compuware.
NDAs are all very well, but companies find it difficult to communicate the complex legal terms to their employees or to outsourcing partners, said the survey report. "Unless they have rigorous procedures in place, they run the risk of live data being leaked to third parties. This can have severe repercussions on customer confidence and company reputation, and ultimately affect the bottom line," Clarke added.
An NDA doesn’t mean a lot when an employee in an outsourcing company in India for example who earns $100-a-day can earn much more by selling confidential data, he said.
Last week, an HSBC call centre employee in India, was arrested for swindling £233,000 off 20 customers in the UK. According to news reports elsewhere, the employee was paid £1000 by a criminal gang in the UK to leak the confidential information.
"Companies have had plenty of time to understand and implement robust data privacy measures since the Act was introduced eight years ago," said Clarke, "but the security measures are just not there." Since it was written in 1998, the DPA has been updated regularly to keep up with the changing needs of technology.
"Many businesses are still confused by the ambiguity of a clause within the Act relating to taking appropriate action to protect customer data." Clarke explained. “Now, what does 'appropriate action' mean?” he said.
In the US, "a number of states make companies publicly declare a data breach," he said, and this requirement could cross the Atlantic. "This makes it important for organisations to cover off all possible angles of attack before the company is put at risk rather than trying to recover from a major fraud incident.”
The one way around this problem is to disguise the data, said the survey report. "It is easy to mask data," said Clarke. Companies for example can blank out certain fields, or in the case of credit cards, the last four digits can be scrambled, he said.
The survey report further stated that, by exchanging known values, such as addresses, with other known values, customer data can be transformed so that it is unrecognisable from the original but can still be processed by the systems across the organisation, with important fields, such as the postcode, left intact.
This can be an automatic process, thus removing the human risk element entirely, concluded the report.