In 2011 Sony was fined £250,000 for leaking personal data including passwords, email addresses, names and possibly financial details (story: 24/1/2013). Stories relating to data breaches are often seen in the press, inciting strong comment from the Financial Services Authority (FSA) and the Information Commissioner's Office (ICO). David Smith, the ICO's deputy, said "there's no disguising that this is a business that should have known better".
With data breaches happening frequently, the general public would think the FSA and ICO are taking the necessary steps to make legislation and guidance clear. Well, think again. When contacting these organisations with a question, businesses can expect to wait up to a month for a response.
Graeme Batsman, director of Data Defender, commented that "in the past I have emailed the ICO and waited four weeks, only to receive a reply saying look at paragraph x. It's shocking, and works against those who wish to understand data protection policy".
This is demonstrated when accessing the FSA's and ICO's resources online: those searching for answers are simply directed to a paragraph on the website. The reason behind this cursory approach is fear of repercussions. ICO phone staff refuse to answer direct yes-or-no questions in case the answer comes back to bite them.
Graeme Batsman continues, commenting that "the ICO is worried about comeback, which is why they will not give a straight answer. This is confusing businesses".
When dealing with the FSA, you are referred to a whopping 104-page document detailing the ins and outs of data security. This leads to the question: with companies already stretched for time and resources, who among them can be expected to read a 100-page document? Simple guidance is what is needed, not monstrously long PDFs on policy.
It is all very well listing the problems businesses may face, but for businesses to understand and act accordingly, clear instructions are required. Take data destruction for instance: once a hard drive is no longer required it should be destroyed in an appropriate manner. There are many ways to do this, such as shredding, degaussing and overwriting. All of these, however, have different parameters and methods. Take overwriting for example: there are various standards around the world for wiping data, and the ICO only offers general guidance without advising what the minimum standard is.
What is required is a question and answer system such as:
Do you need to dispose of confidential papers?
Yes, it should be shredded to the DIN security standard three at minimum.
Does your company use CDs, USB drives and laptops?
Yes, they should be encrypted to the mandatory standard of FIPS 140-2 at minimum, and so on.
As simple as it sounds, a straightforward system has yet to be put in place, which prolongs mass confusion. One example is the volume of businesses still believing the FSA and ICO require UK or EU storage in order for data to be held within the EU. They do not, but again the legislation does not make this clear. As for tax and finance, HMRC is very much the same, with solicitors and accountants referring to past case studies for direction instead of relying on loose government guidelines.
Until all government departments release concise and easy-to-understand legislation and guidance, rules will be broken. Shockingly, even the consultants have a hard time keeping up with the rules, as they change so frequently.
Graeme Batsman concludes saying, “speaking to FSA regulated clients, it is apparent that legislation is not clear. Even the FSA does not understand the technicalities”.