26 Nov 2008, Madeline Bennett, V3
Chief executives should be held responsible for data breaches, according to the results of a new vnunet.com poll.
Despite high-profile incidents such as the TK Maxx data breach and HM Revenue & Customs' (HMRC's) two lost CDs, it is clear that many organisations still have a lax approach to protecting customer details as data losses continue to occur on an alarmingly regular basis. We polled vnunet.com readers on what would be the best approach to ensuring firms take personal data security seriously.
Of the almost 500 readers who responded, 43 per cent (208 respondents) felt that the buck should stop at the very top with chief executives being held directly responsible for data breaches. Measures suggested in the past have included prison time or personal fines.
Almost a third of readers preferred the idea of hitting firms where it really hurts – in the wallet. Thirty-two per cent (153 respondents) said slapping fines on organisations that lose customer details was the best approach to forcing improvements to data protection.
A smaller proportion favoured a legal approach: 16 per cent (78 respondents) called for the introduction of US-style data breach rules, which oblige firms to notify customers of any security lapses that could put them at risk.
Somewhat surprisingly, the option of customers voting with their feet gained little traction among readers. Only nine per cent (44 respondents) felt that boycotting firms with poor security records would have an impact.
As part of the government response to the ongoing issue of data breaches, this week it was revealed that Information Commissioner Richard Thomas has been granted new powers to help prevent further data losses.
Meanwhile, this month marks the one-year anniversary of the HMRC data breach, details of which first surfaced on 20 November 2007. It was this breach that proved the catalyst for the huge public sector data protection shake-up of the past year.
Do you agree?
But what course of action is best?
It's clear from this research that organisations agree about the need for action to prevent data breaches. What seems unclear is the best course of action. There are three major contributing factors to data breaches. First, there's an institutionalised lax approach to data security, where staff do not fully understand how to handle sensitive data. Second, there's no technology in place to manage which computer users are able to copy confidential data to removable media devices like laptops or USB sticks. Third, data that's legitimately copied to such devices isn't adequately protected.
These contributing factors mean that no single measure will bring an end to data losses. While drastic action such as legislation and severe fines will shock companies into taking the issue more seriously, there needs to be a change in attitude throughout organisations. All employees need to be educated about the risks associated with handling sensitive information and the importance of securing confidential data. Additionally, the right technological methods of protection need to be in place for the rare occasion there's a real business need to transfer data of this nature to a third party. I would insist on the data being encrypted with a 256-bit cipher and that it's sent by a private courier (or preferably an employee) direct to its destination.
Posted by Matt Fisher, FrontRange Solutions, 27 Nov 2008
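The comment above ends with the mitigation the poll itself does not spell out: data that genuinely has to leave the building on removable media should be encrypted under a 256-bit cipher before it is copied. The following Go program is an added illustration of what that looks like in practice; it is not code from V3, FrontRange Solutions or the commenter. It uses AES-256 in GCM mode from Go's standard library, so the recipient can detect a blob that was altered or swapped in transit as well as one that was simply read. The key is generated fresh for each transfer and is meant to travel by a separate channel from the media itself. The file name and its contents are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newTransferKey returns a fresh 32-byte (256-bit) key for one transfer.
// It is never written to the same removable media as the encrypted data.
func newTransferKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// sealRecord encrypts plaintext under a 256-bit AES-GCM key and returns
// nonce || ciphertext || tag. label is authenticated but not encrypted, so
// it binds the blob to the declared file name: a blob renamed or copied
// under another label will fail to open.
func sealRecord(key, plaintext, label []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A random 96-bit nonce; with a per-transfer key, reuse is not a concern.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// openRecord reverses sealRecord. Any change to the nonce, ciphertext, tag
// or label, or use of the wrong key, makes gcm.Open return an error.
func openRecord(key, sealed, label []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short to contain a nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

func main() {
	// Constructed sample export that is about to be copied to a USB stick.
	label := []byte("customer-export-2008-11-27.csv")
	plain := []byte("id,name,postcode\n1,Example Person,AB1 2CD\n")

	key, err := newTransferKey()
	if err != nil {
		panic(err)
	}
	sealed, err := sealRecord(key, plain, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes for %s\n", len(plain), len(sealed), label)

	// The recipient, holding the key from the separate channel, opens it.
	got, err := openRecord(key, sealed, label)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, plain))

	// A blob modified on the media is rejected rather than silently decrypted.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = openRecord(key, tampered, label)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The program writes nothing to disk; in a real workflow `sealed` is what goes onto the stick and `key` is what goes to the recipient by another route. GCM was chosen over a bare block mode because an unauthenticated cipher would let a modified or truncated file decrypt to garbage without anyone noticing.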