Editor's Blog and Industry Comments

Corporate neglect at Bord Gais leads to data loss

22 June, 2009
With the financial details of 75,000 customers potentially on the open market, Ireland's gas supplier faces some difficult challenges in accounting for its actions
With an average of 16.5% per year revenue growth since 2004 and 2008 pre-tax profits of 151 million Euros, Bord Gais is a substantial organisation with significant financial resources. As a national gas supplier with responsibilities for the Irish Republic's gas network, it is also Government controlled and managed by a team appointed by the Government.

The company's code of conduct states that trust and confidence are the most important ingredients for its success and that its board members must be seen to be beyond reproach.

Bord Gais is very conscious of its image and places a great deal of emphasis on Corporate Governance, internal controls and external auditing, stating that it has a robust framework for reviewing the adequacy and monitoring the effectiveness of its internal controls.

Despite this, on the 5th June, four laptop computers disappeared from its Dublin offices with the unencrypted financial records of 75,000 of its customers. Clearly, the company's Corporate Governance framework wasn't quite as robust as it thought. In fact, given the number of high profile data loss incidents during the last two years, the media coverage and the dozens of suppliers offering simple end-point security solutions, the word robust seems entirely inappropriate.

The Data Protection Act in the Irish Statute Books was amended as far back as 2003 and one of the amendments states that appropriate security measures shall be taken against unauthorised access to data. 6 years is enough time to become compliant with an important piece of legislation.

Preventing this kind of breach is cheap and simple. A brief look at our "Data Protection" category in the IT Zone will reveal dozens of suppliers offering access control solutions for laptops, end point protection software, full disk encryption, corporate control software for managing the distribution and storage of sensitive information and even software for remotely destroying laptop data in case something does get stolen despite all the other measures.

Compare this to the consequences of a breach. Bord Gais will face a number of challenges:

* Prosecution under the Data Protection Act – a number of its directors could face criminal charges based on their responsibilities.

* Reputational damage – Bord Gais supplies both gas and electricity but it isn't the only supplier and customers can just walk away.

* Litigation costs – Identity theft is costly and distressing so Bord Gais will be hoping that none of those 75,000 customers are inconvenienced to the point of bringing legal action.

* Clean up costs – Bord Gais is reported to be working with the banks in an attempt to prevent any fraud from occurring. It will also be working with the police and other agencies, none of whom will be doing this free of charge.

* Organisational disruption – Apart from the potential scapegoats at the bottom of the corporate ladder who could lose their jobs, such as the security guard, IT administrator and laptop owner, this will inevitably result in board changes. Which board member is accountable for IT security is unclear, although it is often the Finance Director for some unfathomable reason. However, what is clear is that the Chief Executive is the Chairman of the Risk Management Committee and therefore ultimately responsible for risks that haven't been managed.

The company has now implemented a data protection regime to prevent further losses of this nature which, given that it is less than 3 weeks since the theft occurred and that Bord Gais is a large organisation, proves that preventing such losses in the first place is achievable quickly.