Fourteen months after publication, the Select Committee report on “Personal Internet Security” was finally debated on the floor of the House of Lords. Since we produced the report much has happened. There have been the well-publicised data losses at HM Revenues and Customs and from other Government departments and agencies. And indeed today, we hear of the loss by EDS of an MoD hard drive containing the details of 100,000 service men and women. This all confirms my view that the Committee was absolutely right to call for a Data Breach Notification law in the UK.
This is, of course, about the culture within organisations – every employee has got to understand the importance of maintaining data security and their responsibility for doing so. Perhaps if people recognised the potential value of personal data they might be less cavalier in its treatment. For many people, a stolen identity will take weeks or months of effort to sort out. The FSA estimate that the cost of identity fraud in the UK (admittedly using a fairly wide definition) is around £1.7 billion. During the inquiry we were told by Team Cymru that on a single server in a typical month there were for sale the data from 32,000 compromised Visa cards, and 13,000 Mastercards. The price nearly three years ago was $1 for a US card, $2 for a UK card. Associated data was also for sale including the card-holder’s mother’s maiden name etc.
Perhaps if employees were told that each personal record was worth at least £100 – they might treat a memory stick or for that matter that MoD hard drive containing a hundred thousand personal records as though it was worth £10 million – certainly with more respect.
It maybe that engendering such a change in culture will require more than a Data Breach Notification Law. Perhaps we need something more akin to the framework created by health and safety legislation, where every manager would have to take personal responsibility for delivering information security in their area or face prosecution. And perhaps we need an IT equivalent of the US Sarblanes-Oxley requirements to make people at Board level take their responsibilities to heart.