
Data leakage - prevention or cure?

The UK is widely described as a ‘surveillance society’, with numbers of cameras and personal information capture systems that would make the Thought Police of Orwell's 1984 blush. While some fret about the invasion of privacy, others are also concerned about data falling into the wrong hands - the leakage of personal data into the shadow information economy.
Author/s: Rob Bamforth
Created: 08/01/2008
Filename: Data leakage, prevention or cure.pdf

This concern has been magnified by the number of public high profile data losses - UK tax office losing 25m records, a US company used by the UK driving licence authority losing learner driver details, and a generous handful of financial institutions being rather porous too.  Some have included critical financial or identity data, others simply a loss of privacy, but they have hit the headlines so often that politicians are taking the only actions they can - apologise, blame others and then say they will throw consultation or legislation at the problem until the fuss dies down.  Anything, except leadership and decisive action.

In common with many, I found that this issue only hits home when it's your own personal data, and while my recent exposure was pretty trivial by comparison to all those in the media, it does highlight some of the challenges, which even a whole parliamentary session of legislation would do little to fix.

The data leak affecting me was caused by being on the prospective property list of an estate agent.  When they sent out a mass mailer over the Christmas break (no festive greetings, just waffle), they included all the email addresses of all the recipients in the body of the email.  All house-hunters in the area, ripe and ready for some targeted SPAM.  It's not the first company to do this, and no doubt not the last, but it could be simply fixed by auto-checking sent email for potential SPAMming behaviour, or by a policy of requiring management approval and a manual check.
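The auto-check suggested above, as an added example that is not part of the original article: an outbound-mail gate that parses a message, counts the recipient addresses every recipient would be able to see (To/Cc headers plus any address pasted into the body) and holds the message for manual approval when more than one is exposed. The sample messages, the agency address and the hold threshold are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed samples (not real messages). The first mirrors the mailer described
# above: every recipient is listed in To: and repeated in the body.
LEAKY_MAILER = """\
From: lettings@agency.invalid
To: alice@example.invalid, bob@example.invalid, carol@example.invalid
Subject: Properties this week

Sent to alice@example.invalid, bob@example.invalid, carol@example.invalid.
Here is this week's list of properties.
"""

# The same mailing done correctly: recipients go in Bcc (stripped in transit),
# so only the sender's own address is visible to anyone who receives it.
SAFE_MAILER = """\
From: lettings@agency.invalid
To: lettings@agency.invalid
Subject: Properties this week

Here is this week's list of properties.
"""


def visible_recipients(raw_message: str) -> set[str]:
    """Addresses every recipient could see: To/Cc headers plus any address in the body.

    Assumes a single-part text message; the sender's own addresses are ignored.
    """
    msg = message_from_string(raw_message)
    sender = {a.lower() for _, a in getaddresses(msg.get_all("From", [])) if a}
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    seen = {a.lower() for _, a in getaddresses(headers) if a}
    seen.update(m.lower() for m in EMAIL_RE.findall(msg.get_payload()))
    return seen - sender


def should_hold(raw_message: str, max_visible: int = 1) -> tuple[bool, str]:
    """Return (hold, reason): hold the message for manual approval when more
    than max_visible third-party addresses would be exposed to each recipient."""
    exposed = visible_recipients(raw_message)
    if len(exposed) > max_visible:
        return True, f"{len(exposed)} recipient addresses visible to all (use Bcc)"
    return False, "ok"


if __name__ == "__main__":
    for name, raw in (("leaky", LEAKY_MAILER), ("safe", SAFE_MAILER)):
        print(name, should_hold(raw))
```

A real deployment would run this as a milter or transport rule on the outbound relay, where a held message lands in a queue for the management approval the article mentions rather than being silently dropped.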

However, being an analyst in search of a reason and hopefully a safe conclusion, I decided to check the company's website for policy and their feedback mechanism.  The privacy page was comprehensively written, with more get outs and detail than a set of property particulars.  So, safe in the knowledge that "we are committed to protecting your privacy", I sent an email to their email account specifically set up for dealing with these issues.

It bounced.  No such address.

Just like politicians: all words, no action.

What use is a policy that is not followed through?  Sadly, just like a government department, it's easy for the directors of the estate agency to blame some poor unfortunate minion for sending the data out in the wrong format or unprotected.  But where does the haste, drive to save costs or need to cut corners come from?  Generally from the management, and indirectly, ultimately from the top.

Now before we clutch the other end of the straw and try to simply throw technology at the problem, it is useful to look at the individual attitudes to information and data that exist across the organisation.  Previous Quocirca research has shown that IT managers generally characterise users as more irresponsible with data than do the line of business managers.  There is also a lack of clear direction from the top as to the importance of safe and secure management.  For example, the executives who don't believe the mandatory policy of PINs for the mobile phone or the BlackBerry applies to them also don't realise that this filters through the organisation and sets the tone - ‘well if they don't, then why should I bother’.

Technology products aimed at preventing data leakage can be deployed to support and enforce a policy, but as with all technology, the weakness is in the interface, in particular the one with the ‘wetware’, or people.  By all means identify and deploy powerful authentication and cryptography, write comprehensive security and privacy policies, and, if you must, put some legislation in place to punish the misdemeanours of those eventually caught.

But, to really get to a cure, everyone - from the courier to the board members - must understand their individual responsibilities and the higher up the organisation, the more it has to be clearly visible to everyone else.  In this case, as in many others, perception is reality.