Data breach fines will not stop the rot
Is the new era of data fines for data breaches having any effect on the way organisations treat customer information? As with the French Revolution, it could be too soon to tell, but what matters for the industry right now are appearances.
On the face of it, the fine meted out to Zurich Insurance looks like a tough one: £2.275 million's worth of retribution from the Financial Services Authority (FSA) for allowing a South African subsidiary to lose an unencrypted backup tape holding 46,000 UK customer records in August 2008.
The size of the fine had a lot to do with the fact that it took Zurich a year to work out that the loss had happened at all, exposing those customers to a window for fraud that might have been difficult to detect until significant damage had been done. There is no evidence that any was, we are told.
The previous FSA record for a data-security penalty was the 2006 loss by the Nationwide Building Society of a laptop containing records of 11 million account holders, which earned the society a near-million pound fine.
The first issue is the timescales involved. The Nationwide loss happened in 2006, the Zurich loss two years later, and it is safe to say that these reports are only the thin end of a fat wedge. Others will undoubtedly have gone unreported or simply unnoticed, especially where outsourcing is involved.
Indeed, you could argue that Zurich is to be praised for managing to discover and report such a distant data breach at all. For its trouble it has now been publicly named and fined.
The second issue is how little the public got to find out about data security practices at either Zurich or Nationwide. Does either now encrypt laptop hard drives and backup tapes as standard procedure? Institutions are not required to tell customers anything.
The public gets to hear about the punishment but a lot is left behind a curtain of secrecy. This is wrong and possibly dangerous.
What the UK lacks is not punishments but a basic data breach notification law that puts a legal (rather than informal) onus on organisations of any type to report breaches not just to the FSA but to the Information Commissioner's Office. Many US states already have such laws in place, which is why most of the stories of serious breaches come from across the Atlantic.
One possibility is that this will happen via some form of amendment to the 1995 EU Data Protection Directive. The UK, then, is waiting for the EU to set a European precedent, which is a wise approach in the long term but could leave the UK exposed for some years to come.
Whatever the outcome, customers, and the citizens whose data is held by public sector bodies, have a right to know not just that their data is being protected but how it is being protected.
Thinking about moving a current account to a new bank? How your personal data will be secured by that bank should be as important as the interest rate on savings. Right now, organisations would rather not be asked such questions.