6 posts • joined 30 Jul 2007
Trials without permission or even asking ...
Just how valuable is any promise made to anyone, about this ISP's efforts to keep information private and confidential, in the past, present and future?
Trust has always been essential to relationships between customers and the government/private sector, and it's even more the case in the information economy. Every example of this disregard for data privacy undermines the trust needed to prosper in the information age.
There is no excuse for an organisation making money from preaching about security best practices, keeping information private, etc., to then not be transparent about its own activities.
Interesting question, Dave!!
Most people assume that they will have any funds fraudulently removed from their account returned. This is the situation in the majority of cases; however, how much longer will the banks put up with this loss from their bottom line? Not long in the case of TK Maxx. El Reg reported that a number of banks have taken the retailer to court, as the losses and costs associated with the breach and clearing up of the untidy mess are an encumbrance upon the banks. They rightly are asking the question "why should we carry the cost?". However, the sceptics out there may very well ask the question whether the banks ultimately carry the burden of this security breach, or whether the banks' customers do, through higher charges!!
Irresponsible or something worse!!
A couple of harsh facts.
I cannot help but wonder how the Conservatives believe that reversing the obligations upon both the public and private sector is going to save £billions. According to the Information Commissioner, the state of Data Protection and compliance with legislation is "awful" within the UK. So if we have barely any respect for Data Protection, how can we save anything?
Secondly, the Conservatives should have had the sense to wait for Lord Broers' report on internet security before passing judgement. Here he outlines that data protection and all-round internet and information security in the UK is far from effective. The report confirms the relationship between future economic and social prosperity and security best practice. If people cannot trust those responsible for gathering, storing, processing and accessing information, then in the future society and the economy will slow down.
Thirdly, as a mere citizen, the only source of recompense I have for mismanagement of information relating to me is the DPA. Take it away and I am left to the whims of fate and those who would gladly profit from my details/information but would rather not take any effective management and technical measures to secure my identity from misuse/abuse.
Fourthly, businesses that complain about data protection should seriously ask themselves a personal question ... "How would they want information relating to them to be treated?"
Finally ... I agree that the DPA is valueless red tape. Its value is based not upon the justifiable reason for having it in the first place, but rather upon the effectiveness of the legislation and its enforcement. What is the value in red tape which is so easily and readily avoided by both the public and private sector?
Recommendations going against best practice
There should only be one recommendation to any organisation concerned about information security. That is to conduct an assessment of the risk and make up your own mind.
I'm sorry, but recommendations to go out there and buy, buy, buy more technology before anything else are backward in their approach to security management, and really not the story that vendors or anyone involved in the security/risk management field should be promoting.
I'll give NTA this though. Testing/audit, whatever name you wish to call it, is vital to understanding whether your investment in technical security controls is effective. Secondly, using a third party makes quite good sense. You can't very well ask the person administering your systems/controls to check themselves. This is known as segregation of duties, and life is full of examples where we do this to reduce risk.
Rock and a hard place
Being told to "protect your own data" is nothing new. I would think it fair to say that people's awareness, due to reported incidents of information security breaches, has ensured that as a nation we're better informed as individuals. Though you could argue strongly that the private and public sectors have a considerable way to go before the same could be said of them.
However, your "data footprint", as I like to call it, is far larger than that which you have any control over, i.e. your home environment. As a citizen, employee or customer we are expected to trust those we give our data to. That trust is not based upon any level of common respect but sadly is forced upon many through the DPA.
What is more sad, though, is that having identified the problem, which justified the expense of creating legislation and an enforcement body, the fact is that data protection within the UK is A) undervalued, B) misrepresented, C) barely existent in many cases until it hits the headlines.
On a final note. I'm confident that I can take care of my own information which I hold. I do the things most would expect to do to keep your details secure. However, I expect those that hold information about me, for their own purposes, to ensure that the information is managed in a way which does not pose a threat to me. Unfortunately that makes me reliant upon legislation. Currently, without appropriate, timely, affordable and effective legislation and enforcement, achieving my "self-management" of my own personal information finds me between a rock and a hard place called "no chance".
Two penny worth ...
Breaches like this aren't unusual, and we can be confident that considerably more are happening than we ever see in the media. By the way, we have to thank the media, as we do not have any statutory obligations upon organisations to disclose data breaches, unlike in the US. So it's our closest thing to an ally with regard to privacy in this information economy.
Yep, it is a monumental problem, though the Council is being a little naive with comments which reflect their opinion that nothing much seems to have happened with regard to these lost details. Experience of working within this field has shown that the modus operandi of cyber theft is to store details, create identities and exploit them over longer periods of time. Maybe they should get their security specialist back in to explain this.
Comments about the ICO are fine, but I have a lot of sympathy for the department. The Commissioner has made it clear that the state of Data Protection is pretty poor in the UK. He, along with the National Consumer Council's CEO, wants better protection of the citizen's data. However, their current powers and enforcement capabilities are pretty limited in comparison to the amount of data out there and the number of organisations subject to the Data Protection Act.
I do, however, agree with comments that a maximum fine of £5000 is not an effective deterrent. It is a little inequitable when compared to fines of £900,000 handed out for loss of banking information. It is, after all, just a different part of the financial information about the individual.
I do believe that attitudes within the public sector will hopefully change. "Trust" will be an essential part of the relationship between society and the state in the future. When I use the term "Trust" I mean trust in the people who gather, use and manage information about us in the public and private sectors. Not the IT / ICT systems. After all, they do what we tell them to! And in this case they failed, for whatever reason, to adequately assess the risk and control this.
What could make a difference in driving organisations to take data protection seriously? If Newcastle Council received 54,000 complaints, someone would have a lot more explaining to do. So in another way the more effective tool would be the general public, because they vote for the Councillors to whom the CEO is accountable.