Potential for data leakage rife in Irish organisations

25 Apr 2008

The failure by Bank of Ireland and other financial institutions as well as some of the largest corporations and government bodies to sign up to an international security standard accredited by the Irish Government means that more embarrassing data leak scandals such as laptop theft will occur again.

Earlier this week, the nation was rocked by the news that four laptops belonging to Bank of Ireland and containing personal details of 10,000 customers have been stolen since last summer.

Not only were the laptops not secured with encryption software but “a breakdown in procedure” meant the loss of the laptops was only reported to the Data Protection Commissioner and the Financial Services Regulator last week.

The revelation follows another scandal that saw a laptop containing 175,000 records of Irish blood donors stolen in New York in recent months. Fortunately, in this case, the laptop had encryption software and the Data Protection Commission said it was satisfied the data couldn’t be accessed.

Siliconrepublic.com has learned that an important data security management standard ISO 27001, which governs the prevention and handling of security breaches and is used worldwide by financial institutions and government bodies, is not in place in any Irish financial institution – save a Credit Union in Waterford.

The ISO 27001 standard sets out best practices for IT security techniques and management systems.

In the UK, for example, all financial institutions have had to qualify for the standard, otherwise the payments association APACS won’t do business with them.

In Ireland, it is understood that less than 30 organisations currently meet the standard. Those which do include Vodafone, Eircom, BT Ireland, BT Northern Ireland, Wyeth Medica, Elan, the Department of Defence, HSE South East Division, the Health Protection Surveillance Centre and secure printers involved in cheque printing.

Waterford Credit Union is the only financial institution in Ireland currently qualified for the standard.

“This is a voluntary standard but there are moves in certain sectors to make it mandatory,” said Michael Brophy (pictured), chief executive of Certification Europe, an organisation accredited by the Irish Government to deploy the standard.

“It is a source of personal frustration at this point. The revelation about the laptop theft was redundant. Clearly the standard wasn’t in place and in fact no financial bodies in Ireland meet this standard. Bank of Ireland obviously weren’t meeting the best management practice. For regulatory bodies to engage in public commentary on the issue afterwards … it was clearly a redundant argument.

“The discussion should focus on whether organisations are meeting standards, well before incidents happen.

“If basic security controls were in place, if an incident containing a breach or loss of a device happened, the senior management would know as soon as possible. Whether the laptop theft could have been prevented or not, at least if the standard had been in place, an organisation wouldn’t have gone 10 months unaware the data went missing.”

Asked if organisations are perhaps unaware of the ISO 27001 standard, Brophy said: “Three or four years ago that might have been the case. Anyone who works in IT would know that this standard is a basic minimum requirement and can be tailored to suit any organisation of any size. Waterford Credit Union achieved the standard in recent months. Why larger financial organisations haven’t seen the need to go for it is beyond me.”

On the subject of whether Irish government bodies are subscribing to the standard, Brophy said that despite healthy attendance by government bodies at ISO 27001 training courses, no government body has moved to get certified.

“It has come to the point where waiting for organisations to step up to the mark is pointless. We now need to look at regulatory authorities like the Data Protection Commission, the Financial Services Regulator and the Central Bank to demand this standard.

“And the public needs to ask why government departments, particularly those in the health sector entrusted with citizens’ private data, are not meeting international data security standards,” Brophy pointed out.

By John Kennedy