OPINION: A breach too far

28 Mar 2011

A tougher regime around disclosing loss of personal information may be what’s needed for organisations to start taking their data protection responsibilities seriously, writes John Ryan.

The data protection landscape in Ireland has evolved significantly in recent years. Not so long ago, it seemed an organisation could mislay customer information with impunity. There did not seem to be any major concern on the part of the culprit organisation to put proper protection measures in place, and there did not seem to be any compulsion on it to do so.

Philip Nolan, partner and head of commercial law at Mason Hayes and Curran, gave his view of the current legislation and codes of practice at a recent seminar held by Zinopy. In his view, the Irish security breach notification regime is changing and it will soon be compulsory for any personal data breach involving more than 100 records to be reported to the Data Protection Commissioner. A notification process may also have to be initiated by the data controller to inform the data subjects involved.

In Nolan’s view, the pendulum has now swung the other way and the reporting and notification requirements in Ireland are quite onerous compared to those of certain other EU member states. Perhaps, as with other areas of state regulation, an over-correction is what it takes for organisations to start taking their responsibilities seriously.

Meanwhile, the technology world has evolved and heightened the potential for significant data loss. Consider the following facts:

  • There are more than 1bn phones connected to the internet (Source: IDC)
  • 1bn iPhone apps were downloaded in nine months (Source: Socialnomics, Erik Qualman)
  • 15 petabytes (15,000 terabytes) of new data is generated every day, and this is forecast to double every 18 months (Source: IBM estimates)
  • There are in excess of 500m Facebook users with 200m of those accessing it on their mobile phones. (Source: Facebook)
  • 80pc of organisations use social media for recruiting (Source: Socialnomics, Erik Qualman)
  • More than 800,000 laptops are lost annually in airports around the world, most of which are never reclaimed. In a six-month period 55,843 mobile phones were left in London taxis alone (Source: The Register)

So the users are voting with their feet. They are embracing the new mobility and social media technologies and changing the way they work – collaborating, working remotely and working on the move. That has the potential to expose vast amounts of corporate data to loss.

Most data loss incidents are not malicious but unintentional, caused by user error (sending an email to the wrong recipient) or by not complying with best practice (sending documents to a personal Gmail account so as to work from home). This is often because the organisation has not provided secure methods that fit the way its people need to work.

The connected world is good for business and productivity. Traditionally, the chief information security officer has been cast in the role of gatekeeper, continually saying ‘no’ to new ways of working because of the security implications, but it is time organisations changed the way they look at security. They need to view it as an enabler for more effective ways of doing business and not as the roadblock for business technology changes.

This does involve a change in mindset for management and will involve security awareness education for all users – as well as the implementation of effective security technologies to protect the organisation. The good news is that security technology solutions are available, such as data loss prevention, identity and access management, as well as code validation for mobile and web applications.

John Ryan is managing director of Zinopy