The loss of CDs containing the personal information of 25M UK citizens has rightly caused an out-pouring of ‘Shame on you’ on HMRC and prompted questions like ‘How could you let this happen?’ The real question that the British people should be asking though is this: ‘Who else has lost my data that I haven’t been told about?’
Organisations of all sizes, including local and national government, hold huge amounts of very private information on virtually every individual in the UK, yet amazingly there are no laws to force them to either protect that information (such as by encrypting the data), or to tell you if your un-encrypted information gets lost or stolen. Make no mistake about this: ever since the first credit card number was put on the first laptop computer or CD, companies have been losing your information and just simply not telling you. There’s a sad fact of economic life here: it’s cheaper for a company to say nothing and do nothing if they lose Joe Public’s private information, rather than to do the right thing — ensure that all the data is encrypted, or telling consumers if there’s a risk that their private data could have got into the wrong hands.
The situation in the US today is very different. Following on from some very high-profile data thefts, many States have now enacted so-called ‘Data Breach Notification’ legislation (http://www.ncsl.org/programs/lis/cip/priv/breach.htm).
Put simply, this legislation says ‘If you lose customers’ Personal Identifiable Information (Social Security numbers, credit card numbers, driving licence numbers, etc) and it wasn’t encrypted, then you must notify everyone who’s likely to be affected’. Many States have also included additional consumer protection, such as one year’s free credit monitoring services to protect against possible identity theft. The US Federal Government – immune from State legislation — has also mandated strict data security standards for itself. Following an incident similar to the HMRC in mid-2006, President Bush issued a mandate that all government departments must implement data encryption – no exceptions (see http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf).
(In that breach, a laptop containing health and financial information on 26.5M veterans was stolen from an employee’s home – the cost of just mailing the notification (letters, envelopes, postage) was about $11M)
The net effect of US legislation has been to change the economic balance of data security: Now, it’s cheaper to implement a good data security solution (ie encrypt the data) than to bear the cost of a data breach notification. The figures speak for themselves: When items such as credit monitoring are added in, it’s estimated that the average cost of a breach notification following the loss of unencrypted data is in the region of $90-$140 per customer record (see http://www.tech-404.com/calculator.html).
So, if the loss involved 100,000 customers, this will typically cost a company on average about $11.6M. What’s the cost of a good data security solution to avoid this in the first place? Much, much less than that!
US legislation hasn’t stopped data theft, any more than burglaries have been stopped by property laws. What it has done is to provide insurance for affected consumers by forcing companies and the government to either protect consumers’ data, or come clean when they lose it so consumers can get the protection they deserve. It has also put the spotlight on companies who fail to protect consumers, as these breaches are now tracked by a number of public web sites.
The UK government must follow the USA’s lead. They must enact legislation to protect consumers against the horrors of data theft and the subsequent risk of identity theft. If nothing else comes out of the HMRC incident, then just let this be a lesson learned the hard way!
Richard Stone is Vice President (Marketing) at CREDANT Technologies: www.credant.com
