Category Archives: Data Loss

UK ranks poorly in data loss survey

A new report into the data loss prevention measures employed by UK businesses has found that the levels of protection are far below those seen in other European countries.

Close to two thirds of organisations and firms based in the UK have not sought or implemented direct preventative measures via data protection products, according to a survey conducted by Quocirca and CA.

The results mean that UK businesses are on average at greater risk of suffering from data loss than their contemporaries in France, Italy and the Republic of Ireland.

Of the firms that have protected their data in some way, 90 per cent believe that their intellectual property and private customer information is completely out of harm’s way.

Quocirca’s Bob Tarzey said that there was a lack of consistency across different business markets, using the personal information-driven environment of financial services and the trade secret protection required by manufacturing firms as an example as to how requirements and policies over data loss prevention are fundamentally at odds.

Mr Tarzey said that the survey proved that many UK businesses are unable to comply with data security regulations, partially because individual industries and governmental bodies had their own conflicting rules governing data loss prevention.

Businesses are being advised that the only way in which to ensure compliance is to integrate it into the very architecture of their systems and codes of practice, so that data protection is performed seamlessly and without the need for active input from staff.

Mr Tarzey said that data protection vendors would always attempt to sell products that claim to ensure compliance, but that the only way to truly combat the threat of loss or theft was to enact a fundamental change to policy within a firm.

The issues of cloud computing and virtualisation are touched on by the report and its authors, but ultimately these are seen as future challenges, which some see as underselling technologies that are already in place within many UK and international businesses. Adaptation, upgrading and constant revision are seen as the best approaches for businesses in coping with the changing requirements of data loss prevention.

NHS criticised for data loss false alarm

It has been revealed that the NHS spent thousands of pounds and hours of staff time looking for a portable storage device that it thought was lost or stolen, but which was eventually found to be safe and untouched.

In Scotland, the Lothians hospital administration was sent into high alert when it was discovered that an SD memory card from a digital camera was no longer where a member of staff had left it. The card was significant because it contained sensitive images relating to patients at the hospital, and its loss or theft could have resulted in serious embarrassment for hospital management.

A search effort was mounted, lasting over six weeks at great cost to the hospital. However, it emerged that the card had in fact simply slipped and become concealed in the locker where it was stored and had been resting there ever since.

The pseudo-data loss was only discovered after journalists put in a request using the Freedom of Information Act. Some have been quick to denounce the amount of time and money that was spent by the NHS on a hunt for a portable storage device that was not, in fact, compromised.

The Lothians hospital was the subject of scrutiny two years ago after 140 patients were affected by the loss of a USB memory stick.

The administration at the hospital has said that the events of 2008 led to a review of data security policy and that the results of this review and the new procedures resulting from it can be seen in the diligence and scope of the search for the missing digital camera memory card.

The hospital now encrypts all of the data stored on portable devices, and staff are no longer allowed to use such devices for personal matters after an amnesty on the memory sticks was agreed.

Critics believe that the impact of the perceived loss caused problems and delays for patients as staff searched needlessly for the device, but directors at the hospital have been keen to emphasise to the public the importance of diligence in the protection and recovery of any data that the hospital controls.

EU rules to force reporting of data loss and breaches

Reports suggest that the EU could soon force businesses across the continent to publicly report when an incident involving data loss or a system security breach occurs.

The Information Commissioner’s Office (ICO) would have the power to demand information about serious compromises to data stored by businesses and organisations if a new EU directive governing data protection comes into force.

Telecommunications firms and broadband providers are already set to be subject to similar rules which ensure that data breaches are reported, and this may be rolled out across all businesses, according to the ICO’s David Smith.

Mr Smith was speaking to an audience at the Infosec 2010 event. He said that the EU’s Privacy and Electronic Communications directive is going to come into force before 2012, after which time all businesses could face the same level of scrutiny.

The rules would only apply in the event of ‘serious’ data breaches, and Mr Smith recognised that this would require a broad level of understanding in order for businesses to identify precisely what is meant by this. He accepted that the ICO could be the recipient of thousands of minor breach reports which could hamper its operation and he recognises that proper training will need to be given.

The ICO said that in the three years leading up to 2010 there were a total of 962 serious data breaches reported. These figures cover both public and private organisations. The NHS was the most frequent entrant onto the list.

The combined total of the NHS incidents means that it accounts for 33 per cent of the total figure. This factors in 113 reports of data or hardware being stolen, and a further 224 reports of losses from within the organisation.

Mr Smith pointed out that these figures represent only the reports that businesses and organisations in the UK were willing to make voluntarily. This could mean that the actual numbers are considerably higher, particularly in the private sector where businesses are seen to be answerable only to their shareholders and not the public at large.

Survey shows that businesses do not appreciate data loss penalties

A report into the way in which businesses calculate the financial damage that will be caused by serious data loss or theft has found that most are inaccurately predicting the ultimate cost of serious security breaches.

Around 42 per cent of employees working in the City of London said that they thought the fines applicable in the event of an average data loss scandal would amount to under ten thousand pounds.

The study was authored by BlockMaster to coincide with the introduction of new Information Commissioner’s Office (ICO) powers which will see the ICO issue fines of up to half a million pounds. The new powers came into effect at the beginning of the month.

18 per cent of respondents went on to reveal that they had personally lost a portable storage device for which they were responsible at some point in between 2007 and 2010.

61 per cent said that losing devices such as mobile phones or laptops was only of concern because replacing them could prove to be expensive. This is said to show that the data contained within the devices is held in scant regard by those who use them, perhaps leading to the complacent treatment and resultant loss of many thousands of devices over the years.

BlockMaster’s Anders Pettersson said that he was not surprised by the results of the study, particularly in relation to the fact that most people were still unfamiliar with the new ICO powers to impose far higher fines than before.

Mr Pettersson said that the most alarming fact revealed by the survey was that the only incentive for employees to protect portable storage devices came from the perceived cost of replacing the device itself, and not because of the fines and reputational damage that could be caused if the contained data proved to be sensitive.

Many data protection experts are calling for businesses to make employees aware that the data to which they have access is inherently valuable to the organisation as a whole, and should be treated with respect.

New MoD data losses reported

The Ministry of Defence has unveiled an alarming new report detailing multiple incidents in which confidential data has gone missing.

In 2009 the MoD said that 347 separate data losses occurred and it has now announced that in the first two months of 2010 a further 71 incidents of allegedly protected data going missing have occurred.

In a letter to parliament received on the 8th of April, the MoD said that the data loss figures for 2010 were already approaching the total figures accumulated in the whole of 2005.

Five years ago the MoD suffered 77 incidents of data loss and that figure has steadily risen over the years. 2006 saw 130 separate incidents and this spiked to over 1000 in 2008 according to Defence minister Bill Rammell.

According to Mr Rammell there are two main reasons for the huge growth in data loss incidents in 2008. The first is attributed to the fact that the MoD implemented tougher rules encouraging its members to report data losses and the second was due to a department-wide audit that took into account the portable storage devices which were previously unaccounted for.

Mr Rammell is thus indicating that basic managerial tasks had brought to light far more data loss incidents than those of which the MoD had previously been aware.

Mr Rammell also said that the high number of recent data losses is being exacerbated by inaccurate record keeping. Portable devices which have been safely destroyed by the MoD have not always been properly recorded and thus their absence is sometimes construed as a data loss when this is not in reality the case.

One of the MoD’s biggest data loss scandals occurred in late 2008 when it emerged that a removable hard drive had been lost, leaking the personal information, including financial details, of people who had applied to join one of the UK’s armed forces. A total of 1.7 million UK citizens were affected in this case. Since then the MoD has attempted to completely rework its data protection policies in order to prevent further high profile cases.

Data Loss will incur increased financial penalties

Data loss is increasing…

Last year KPMG reported the worst year for data loss since 2005. More worryingly, if the same data loss trend continues, the number of cases of data loss globally could rise to over 190 million this year. And if the ever-present threat of data loss isn’t alarming enough, consider the large fine that may now follow as a consequence.

It was revealed last week that the European Commission will pursue a new law that would require most businesses, agencies and organisations in Europe to notify consumers when they lose sensitive customer data. The United States and Japan have had such laws in place since 2003. While it isn’t compulsory for European countries, including Britain, to notify of data loss at present, some do so voluntarily. One company penalised for such a breach was Nationwide Building Society:

“The British financial regulator in 2007 imposed a £980,000, or $1.5 million, fine on the mortgage lender Nationwide Building Society after an employee laptop with data on millions of customers was stolen.”

So how are organisations reacting to such data security threats?

Well, businesses fully understand the reputational risk that a data loss incident may bring and are therefore decidedly interested in preventing such incidents. They also realise that protecting data securely is a strategic and fundamental business concern, and that neglecting it carries the same reputational risk.

So what are the key areas to consider when updating and improving an organisation’s data security and methodology?

It is crucial to include senior management when creating a framework that supports strong corporate governance, assurance, confidentiality and data life-cycle management change. Another key consideration is educating employees and creating awareness of data protection and its importance.

There are 5 key questions an organisation should ask itself to ensure it is using the best methods:

1. Where does your data come from and what is it stored on?
2. How is your data backed up?
3. Is your data backup automated, offsite and encrypted?
4. Do you have a clear disaster recovery plan of what to do should you lose data?
5. Are senior management aware of realistic recovery times in the event of a disaster?

If any of these questions can’t be answered with conviction then it’s of paramount importance to address your backup and recovery requirements with immediate effect.
