Beware of the data watchdogs

Nick Lowe discusses how customers might keep the latest data loss penalties from the regulatory authorities at bay

By Nick Lowe

23 Feb 2010

Lowe: Customers can no longer count on puppy love on data loss and breaches

A puppy, not a watchdog; that is the criticism that has often been aimed at Britain’s data regulator, the Information Commissioner’s Office (ICO). In 2008 and 2009, despite reporting some 720 data breaches from businesses and government bodies, the worst the ICO could do was issue warnings and enforcement notices.

But from April this year, the ICO will get real teeth in the form of a £500,000 fine for companies that breach the Data Protection Act through "reckless or malicious" practice.

That is just the start of tough new data security sanctions. In October 2009, the EU agreed new rules on reporting data breaches, with draft legislation tabled this year aimed at making all organisations that process personal data notify such breaches to the national regulator and all parties affected.

The costs are punitive. We have read an estimate that organisations lose about £57 for each personal record lost or otherwise violated.

Regulators appear to be getting the bite to accompany their bark. Unfortunately, data breach laws all have safe harbour provisions – meaning that organisations can escape penalties if they can prove they had taken reasonable steps to protect the data.

For example, the EU Data Breach Notification provision says that notification will be required “except where the provider can demonstrate it has applied appropriate technological protection measures which render the data unintelligible to unauthorised users”, such as quality encryption.

So you can help protect your customers against the data loss watchdogs.

Any computing device is a risk. Although the data breaches seen in media headlines are usually caused by the loss or theft of a laptop computer or USB memory stick, all end points may have access to sensitive data.

They should all have, we believe, full-disk encryption with pre-boot authentication, port and device control software, and removable-media encryption. System administrators should have central visibility and control over all end points to ensure compliance with customer security policies.

Over the past two years, many data breaches that hit the headlines were blamed on individuals who ignored security policies.

Many breaches happen not because of malicious behaviour, but because a well-meaning person was just trying to save a little time. Often, the person may know the data security policy, but he or she decided not to follow it – just this once. That is just human nature.

Apply security automatically to the data no matter what the circumstance, whether during laptop shutdown or when data is copied to a memory stick or CD. The less the user is aware that this is happening, by the way, the better the security.

Meanwhile, the legislation gives you a simple yet powerful sales tool. Penalties for a breach will be clearer and harsher. Now, you can calculate the direct costs that could result from a breach and compare them against the incremental expenditure of data breach protection added to the regulator’s bite. Could data watchdogs be the security VAR’s best friend this year?

Nick Lowe is northern Europe regional director at Check Point
