Neglect and negligence are strong words and perhaps best employed in police incident reports and animal cruelty prosecutions. Yet so serious is the tone of today's data protection (DP) legislation that these words are included, in liberal quantity, throughout its most recent clauses.
Data protection regulations were first put in place to ensure that electronically-stored information was not inaccurate, mishandled, mismanaged, or misused, whether by companies or individuals.
In principle, there is no problem with DP legislation - the laws are necessary and clear in their purpose. There is, however, a nagging worry.
A disturbingly high percentage of organisations remain unaware of, and ignorant of, the changes made to the DP laws last year, which came into force in January. This ignorance was borne out in a report commissioned by Rexel Business Machines, in which more than two-thirds of UK businesses surveyed admitted they are not careful enough with confidential information.
Jason Downes, UK marketing manager of Rexel says: 'The survey highlights how little companies know about the guidelines concerning the safe disposal of sensitive information.' Even more worryingly, it proves that organisations are unaware of the penalties they could face if data they hold is misused.
Another recent survey, this time conducted by Security Dynamics, placed the level of corporate ignorance as regards data protection at about 85 per cent. But John Godfrey, commercial director at Technical Asset Management (TAM), thinks even that estimate is on the conservative side. He also believes that an overwhelming lack of DP knowledge will become a significant problem in the near future, not just for customers but for channel organisations, too.
'I'd place the level of ignorance at significantly more than the 90 per cent threshold,' Godfrey says. 'In our recent survey of IT directors, we found the level of ignorance as regards data security and protection nothing short of staggering. Even those organisations with some kind of structured DP policy in place didn't understand what it was really for or the full implications of the new legislation.
'Companies simply don't realise that there is now a significant core business risk to which they are exposing themselves. Moreover, they have no knowledge whatsoever of the risks or potential implications for their businesses,' he adds.
Graham Welch, UK general manager of Security Dynamics, believes awareness is a large part of the problem. 'The laws and guidelines are in place but companies don't seem to know anything about them. Although the CBI and DTI have been trying to publicise the changes for some years, from where I'm standing no one seems to know who owns this issue and no one is willing to take responsibility for it.'
He adds: 'Companies are asking "Who is ultimately accountable here and for what?" But they're not getting the answers they need. I think this whole mess presents a huge challenge for the DTI. It needs to inform companies more thoroughly, and to do it quickly.'
In fact, the updated DP legislation is fairly wide ranging and makes substantial changes to the original 1984 Data Protection Act. When the original legislation was created, its purpose was to protect the increasing volumes of personal information being stored on computers. The idea was to force companies to ensure that any personal information they were holding was kept confidential and safe from unauthorised access. Of course, few could have foreseen the explosion in telecoms or the effect the internet would have on corporate business. With technology making massive leaps, the laws had to evolve, so additions were made to the original act.
According to Welch, the amendments were absolutely necessary and are ultimately to everyone's benefit. Before the changes were made, the act left too much room for legal manoeuvre and 'creative' interpretation.
As a result, companies that were being taken to task for failing to comply were often able to sidestep the punitive measures dished out by the courts.
But not for much longer.
The original act was ambiguous and vague in several areas, according to Welch, and consequently somewhat toothless as regards enforcement.
'This made it very difficult to police in the early days. You've got to remember that, in today's terms, information technology was still in its infancy back then. The PC was barely a twinkle in IBM's eye. Technology and its usage has changed so much since then - the regulations had to change with it.'
Neil Barratt, a fellow at Bull Information Systems, suggests another reason for the amendments. 'The laws have been applied in a more or less efficient manner since their inception in 1984. The 1998 legislation acts as an update to many aspects of the original legislation to bring it into line with recent EU directives that seek to harmonise the legal approach to data protection across Europe.
'In the rest of Europe - where more stringent conditions have been in place for some time - there has been very little problem in implementing the requirements. Of course, in the UK we are more like the US in our approach and so change is slower and compliance more difficult to achieve.
The Americans have little or no data protection legislation, which is ironic given the US' overt concerns over privacy.'
So what exactly do the DP laws mean? Quite simply, that organisations must now take greater care of the information in their charge and will face tougher and more enforceable penalties if they fail to do so.
Dr John Woulds, director of operations at the Data Protection Registrar, the body set up to enforce DP legislation, explains: 'The new act makes it a legal requirement to take appropriate security measures against unauthorised access, alteration, disclosure, destruction or loss of personal data, whether deliberate or accidental. A company's failure to take steps specified by the Registrar would be deemed a criminal offence and can lead to enforcement action. Moreover, any individuals who have been damaged as a consequence of neglect have the right to sue any negligent party for damages and/or compensation.'
He adds: 'The effects of insecure data on businesses could be serious - so protecting the information is like protecting the business itself.' Rexel's Downes agrees, adding that companies cannot afford to ignore the issue. 'They need to consider whether they are within the remit of the act and if they are, how they will address it.'
However, some people in the industry are still cautious about the act's effectiveness and clarity, particularly regarding the advice and guidance issued by the Data Protection Register. Terry Hiles, commercial director of Capscan Limited, says the document remains 'rather general in character, given that the statutory instruments surrounding the act of 1998 have still to be completed.'
In the end, the central question concerns who is responsible if a piece of data is compromised?
An infamous example is the case of the doctor returning an unwanted laptop to the Dixons store from which he had purchased it a couple of weeks earlier. Having decided the machine wasn't suited to his needs, the GP returned the machine within the store's money-back period. Dixons gave him a refund, 'wiped' the notebook's hard disk of all traces of him, repackaged it and sold it to a student.
But while hunting around the machine's directories, the laptop's new owner came across several confidential and sensitive psychiatric patients' records.
All this took place just months before the new DP legislation was brought into force, so the old law was applied. The GP ended up being held solely responsible. But under the new legislation, the courts could have held both the GP and Dixons accountable and both could have been sued for damages and compensation should the information have found its way into the public domain. Given this example, it's obvious that channel casualties of tougher DP legislation are a distinct possibility.
According to Godfrey, it all comes down to miscomprehensions as regards the storage and management of data. 'In our business, we have to make sure that when companies dispose of their old IT systems, those systems are completely clean and free of any residual data that could damage our clients in any way. We have found that this is exactly where a huge problem lies - companies don't seem to realise that simply hitting the delete key or re-formatting the disk is not sufficient. It doesn't really delete anything - the data is still there, it has just been earmarked to be overwritten.'
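The point Godfrey makes about the delete key is easy to demonstrate. The following is an added example, not code from the article or from TAM: a toy FAT-style volume in which 'delete' only frees the allocation entries, so a scan of the raw media still finds the record, and only an overwrite of the freed space removes it. The volume layout, the cluster size and the patient record are all constructed for the illustration.

```python
"""Why 'delete' leaves data on the media, and how to check a sanitising overwrite.

Constructed toy volume: raw bytes plus a directory mapping names to clusters.
Nothing here models a real filesystem's on-disk format; the mechanism is the point.
"""

CLUSTER = 16  # bytes per cluster; toy size chosen for readability


class ToyDisk:
    """Minimal FAT-like volume: raw media plus a directory of name -> clusters."""

    def __init__(self, n_clusters=8):
        self.raw = bytearray(n_clusters * CLUSTER)   # the physical media
        self.free = set(range(n_clusters))           # allocation table
        self.directory = {}                          # name -> (clusters, length)

    def write(self, name, data):
        clusters = []
        for off in range(0, len(data), CLUSTER):
            c = min(self.free)                       # first-fit allocation
            self.free.remove(c)
            chunk = data[off:off + CLUSTER]
            self.raw[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            clusters.append(c)
        self.directory[name] = (clusters, len(data))

    def read(self, name):
        clusters, length = self.directory[name]
        blob = b"".join(bytes(self.raw[c * CLUSTER:(c + 1) * CLUSTER]) for c in clusters)
        return blob[:length]

    def delete(self, name):
        # Ordinary delete: drop the directory entry and mark the clusters free.
        # self.raw is untouched -- the bytes are merely earmarked to be overwritten.
        clusters, _ = self.directory.pop(name)
        self.free.update(clusters)

    def contains_residual(self, needle):
        # What an inspection of the raw media, ignoring the directory, still finds.
        return needle in self.raw

    def sanitise(self):
        # Overwrite every free cluster so freed data no longer survives on the media.
        for c in self.free:
            self.raw[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)


def demo():
    """Returns (listed_after_delete, found_after_delete, found_after_sanitise)."""
    disk = ToyDisk()
    record = b"PATIENT:J.Smith;DIAG:confidential"   # constructed sample record
    disk.write("notes.txt", record)
    disk.delete("notes.txt")
    listed = "notes.txt" in disk.directory            # the file is gone from the listing
    after_delete = disk.contains_residual(b"J.Smith") # but the bytes are still on the media
    disk.sanitise()
    after_wipe = disk.contains_residual(b"J.Smith")   # only now is the record gone
    return listed, after_delete, after_wipe


if __name__ == "__main__":
    print(demo())
```

The useful habit for a reseller is the last step: after wiping a returned machine, scan the raw device for a known marker from the previous owner's data rather than trusting an empty directory listing.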
He adds: 'Dixons was extremely fortunate not to have been on the wrong end of a legal battle. Even in a situation where an individual and a company are being held equally responsible, the courts are always more likely to award punitive damages against the party in the best position to pay.
And that is always going to be the company rather than the individual, so resellers have got to be much more careful than they are presently.'
The only way for resellers to approach the situation, therefore, is by preparing for the worst.
Godfrey says companies reselling equipment must begin with the assumption that any machine that has been used in any way will likely contain potentially-sensitive data. 'Even ex-demonstration kit is potentially hazardous. Let's assume that someone accessed the Web using a demo machine and left behind some pornographic material as temporary internet files on the hard disk.
What happens if that machine is repackaged and sold cheap to a school?' It may sound like a contrived situation, but Godfrey claims he has come across similar instances.
Even when a machine's applications haven't been touched there is an underlying risk. If any kind of software has been loaded on to the machine at some point, personal details may have been inputted for licensing purposes.
'In their role as supplier, resellers will always deal with a certain number of returns, especially if they run any kind of take-back schemes.
Whether those machines are for resale or not, the dealer must take measures to ensure any data has been securely erased if they don't want to end up in court.'
Another revelation involves the theft of information devices. Under the updated act, if your car is broken into and your laptop containing sensitive information is stolen, you will be liable if you have not taken measures to protect the information from unauthorised access with passwords and so on.
Neither is the risk limited to PCs. Any kind of I/O device carries an inherent risk. Storage media, personal organisers, palmtops and even peripherals such as printers and digital cameras carry a threat where they incorporate cache memory technology.
Welch points out that responsibility lies not only with the person directly responsible for the leak or other mishandling of information, but stretches to that person's immediate superiors and management. 'According to the letter of the law, almost everyone in a senior position within the negligent company could be held responsible for a breach of data protection regulations - the IT director, the managing director and even the financial director could all be held accountable.'
Barratt adds: 'Companies should understand that the scope of the law has been extended to encompass data not held on computer.' In addition, data no longer has to have been registered for the law to be applied: 'In more cogent and biting terms, measures have been brought in under the new act to make companies employ more stringent information security.'
Godfrey offers an astonishing example of the risks involved, this time from a client perspective. He cites a merchant banking client that employed TAM to oversee disposal of its old systems. The client's internal IT department had allegedly wiped all traces of banking information from the system, so it appeared ready for disposal.
But, at a meeting, Godfrey was able to present to the client a disk containing the bank's entire client database complete with full account information.
The data had been retrieved from the client's supposedly 'blank' system.
'Jaws quite literally dropped in the boardroom,' says Godfrey. 'When we showed the client the contents of the disk, it told us that the information contained on it could have put it out of business if it had found its way into the wrong hands - the bank's entire international operation could have been held to ransom. They were so worried about it that they would not leave the meeting until they had seen the disk physically destroyed in front of them.'
Sadly, Welch thinks the level of data protection ignorance is so high that the act will only be taken seriously once one or more companies end up in court.
'Until now, companies have been very lucky, but someone in the channel is going to get caught before too much longer through sheer ignorance,' he warns. 'People have to take the trouble to understand both the technology involved in data storage and the DP laws now in place.'
So what measures can companies take to protect themselves? First of all, they should contact the Data Protection Register and/or the DTI for further information. Then, they must put in place the physical measures necessary to comply.
According to Welch, it's not just about making the data private - it's about protecting that privacy. 'Many companies miss the point. Privacy is necessary but completely redundant unless it is protected with some measure of authentication to stop unauthorised access. Not using authentication is like having a safe made from 3ft thick steel with the biggest, toughest lock available and then leaving the keys in it.'
Privacy involves encryption and encoding measures, while authentication involves procedures to protect those measures - usually through employing one-, two- or three-factor authentication tools, he explains.
A one-factor solution - perhaps a complex password or even multiple passwords - is fairly weak on its own. A two-factor solution combines the password with something a person 'owns' - a key or a barcoded badge, perhaps.
The three-factor option is the strongest because it combines the first two factors with, usually, something related to a person's physical attributes.
For example, it may check or scan a body part - a fingerprint or retina are the most common.
'Used together, these measures can be very difficult to circumvent and only the most dedicated and skilled hacker would bother to even try,' Welch believes.
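Welch's two-factor case, a password plus something the person 'owns', is what the example below checks. It is an added illustration, not code from the article or from Security Dynamics: the password is the 'know' factor, verified against a salted PBKDF2 hash, and a time-based one-time code from a hardware or software token stands in for the 'own' factor, computed as in RFC 6238. The user record, the token secret and the fixed timestamp are constructed for the example.

```python
"""Two-factor login check: something you know (password) plus something you own (token).

Added example. The user record, token secret and timestamps are constructed here;
the one-time code follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits).
"""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 200_000   # work factor for the stored password hash
STEP_SECONDS = 30         # token time step


def hash_password(password, salt=None):
    """Return (salt, digest) for storage; never store the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def totp(secret, unix_time, digits=6):
    """One-time code for the time step containing unix_time (RFC 6238 / RFC 4226)."""
    counter = int(unix_time) // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def check_totp(secret, code, unix_time, window=1):
    """Accept the current step and `window` steps either side to tolerate clock drift."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + k * STEP_SECONDS), code):
            return True
    return False


def make_record(password, totp_secret):
    """Constructed user record as a server would store it."""
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest, "totp_secret": totp_secret}


def two_factor_login(record, password, code, unix_time=None):
    """Both factors are always evaluated; access requires both to pass."""
    unix_time = time.time() if unix_time is None else unix_time
    pw_ok = check_password(password, record["salt"], record["digest"])
    otp_ok = check_totp(record["totp_secret"], code, unix_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # Token secret and timestamp below are the RFC 6238 reference values, used so
    # the expected code ("287082" at T=59) can be checked by hand.
    user = make_record("correct horse battery", b"12345678901234567890")
    print("password only:", two_factor_login(user, "correct horse battery", "000000", 59))
    print("both factors :", two_factor_login(user, "correct horse battery", "287082", 59))
```

Evaluating both factors before deciding, rather than returning on the first failure, keeps the response time from revealing which factor was wrong; the drift window should stay small, since every extra step widens the set of codes that will be accepted.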
Test the company's data protection: take the most pessimistic stance one can think of and work backward. What would happen if the device, or the information stored on it, was stolen or compromised in some way?
If a company can still gain access to information that has supposedly been protected or deleted, it needs to rethink its data protection infrastructure - it's that simple and that serious.
Ultimately, everyone agrees that DP legislation is all about being much more vigilant and careful with data that is carried around every day and taken for granted. If information is consistently treated with care, there is no reason to believe that it will end up compromising your clients or your business - much less land people in court or even in prison.
I agree, neglect and negligence are strong words to throw about when discussing data protection, but now that the legal implications of insecure data are so severe, perhaps it's time to start using strong language.