FSA penalties looming for non-compliant organisations

InfoSecurity Europe : 17 April, 2009  (Technical Article)
Alan Calder of IT Governance looks at the risk of penalties from the Financial Services Authority if data protection legislation is not adhered to.

For every action there is an equal and opposite reaction - and after prolonged inaction on the issue of safeguarding private data many public and private sector organisations may be about to feel some harsh consequences.

The UK's financial services regulator, the Financial Services Authority, has signalled to retail banks that it may be prepared to start punishing board-level executives for failures by their organisations to adequately protect customer information. This move is bred of a frustration that executives may still be palming-off overall security responsibilities onto the IT department, instead of accepting that the buck must stop with them. Under this new regime, chief executives, compliance officers and board-level IT directors could all be held individually accountable, truly a culture shock for the complacent.

In an age when 'identity theft' has become an everyday term, we might have thought that banks would recognise that protecting customer information is a fundamental aspect of customer care. Then again, having learned of the poor judgements and sheer folly that caused the present financial train wreck, it is clear that many of the basics of risk management simply haven't had a look-in.

Given that much of our national banking sector is now under public sector ownership or influence, it is to be fervently hoped that the FSA's fine words might be turned into deeds. If the issue is allowed to drift further, while more and more data is concentrated under ever fewer market titans, the risks to personal data in the UK can only worsen.

Worryingly, however, Her Majesty's Government doesn't exactly have a great track record when it comes to protecting personal data either. The loss of millions of child benefit records, the constant mislaying of MoD laptops and dossiers, and so forth, are all part of the same problem - an institutional failure to define and implement basic compliance procedures in line with the requirements of the Data Protection Act (DPA).

Such slackness is partly what has prompted the much tougher regulatory regime that is now coming into place, heralded by instances such as the major fines levied by the FSA on Nationwide Building Society (£980,000) and Norwich Union/Aviva (£1.26 million), both criticised for failing to adequately protect personal data. Added to this there is the recent introduction of the Criminal Justice and Immigration Act, which brought in a system of 'substantial' fines for organisations failing to meet their compliance obligations.

Meanwhile, 2007's Poynter Report confirmed what had been plain to anyone following the string of data losses occurring in the public sector: these aren't just the acts of rogue employees (and it frankly beggars belief that this was the original explanation offered for the HMRC fiasco). Instead, they are emblematic of a continued failure to properly embed data security procedures and training into the organisational culture.

Indeed, research suggests that many data breaches go unreported and managers are very reluctant to officially report data breaches unless they have already been exposed.

It's not as if this stuff is going to go away, after all. Identity theft and other data abuse are low-risk, high-return options for organised criminals: viz. the perpetrator's anonymity, the speed at which crimes can be committed, the volatility or transience of evidence, the trans-jurisdictional nature of cybercrime and the high costs of investigation. Traditional crime, in contrast, including violent robbery and theft, has clearly identifiable risks: it is easy to be recorded on CCTV, seen by witnesses or caught by means of DNA, and the returns are relatively low. High-tech crime creates real problems for the police and is, conversely, relatively low-risk for the criminal.

Which makes it even more astonishing how few organisations are willing to commit the relatively modest investment needed to start fighting back. Doing nothing costs money in any case. The costs of data breaches - legal, restitution, brand damage, lost customers and so on - are significant, and it has been suggested that for financial services organisations this can run up to around £55 per compromised record, in a context where breaches may involve tens of thousands of such exposed files. According to a January study on information economies by McAfee, data breaches cost the world's companies an estimated £700bn in 2008.

And while it is not a matter of legal compliance, if an organisation suffers a credit card-related data breach and is found to be in non-compliance with the Payment Card Industry Data Security Standard (PCI DSS), there are potentially severe contractual and financial penalties waiting in the wings, including a bar on the business accepting payment cards.

All these factors make the protection of personal data a key business and compliance responsibility. Fixing the problems calls for more than some extra IT investments - this is a root and branch managerial job to achieve data protection compliance, involving training, process change and the adoption of best practices. It isn't a matter of choice - the public and private sectors owe it to us, as their customers, to protect our data. Hopefully, the FSA's warning will have the positive side-effect of prompting a drastic rethink by all organisations working with client data.

And yet, compared to many of the investments made by the public sector and companies, this all comes at a bargain price. Poynter told us "the investment required to prevent a data breach is dwarfed by the resulting costs of a breach" and that "the return on investment and justification for preventative measures is clear".

The verdict is obvious: any organisation not addressing its information security needs with a formal compliance regime is plainly risking not just horrendous financial penalties - it may be putting its very survival on the line.

IT Governance Limited is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe, held on 28th-30th April in its new venue, Earl's Court, London. The event provides an unrivalled free education programme, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise.

Alan Calder is Chief Executive of IT Governance Limited, the one-stop shop for information security books, tools, training and consultancy. He is the author of 'Data Breaches: Trends, Costs and Best Practices'.

© 2012 ProSecurityZone.com