Massive data loss by key U.K. government agency could affect millions of British citizens
Not since the infamous U.S. Veterans Administration breach, when a laptop containing information on 26.5 million veterans was stolen in 2006, have we seen a breach of sensitive data like the one that occurred in the United Kingdom last week. According to news reports, two disks containing the records of 7.25 million families and around 25 million people were lost by Her Majesty's Revenue and Customs agency as they were being transferred to the UK's National Audit Office. The disks never arrived and were not encrypted. The employee who sent the disks via the Revenue and Customs agency's contracted courier apparently violated official policy. See this article for more background.
Sound familiar? In the Veterans Administration case in the U.S., the laptop was actually stolen from a VA contractor's house, which violated that agency's policy too, and that data was also unencrypted. As we witnessed last year in the U.S., the national government in the UK is receiving a lot of scrutiny from citizens trying to figure out how this could happen. Chancellor Alistair Darling is under pressure to resign (as was then VA Secretary Jim Nicholson) and just about everyone is up in arms. The added twist with the U.K. breach is the kind of data that was exposed – it apparently included tons of bank account information, which has the financial industry in the country quite concerned as well, because if fraud happens, they will have direct losses to deal with.
Let's hope for the sake of the millions of British citizens who could be impacted, which literally could be about half of the country's population, that the disks are located before fraudsters can tap into the information – given that the disks were only password protected, that is not expected to take long. The repercussions of this monster breach of sensitive information are likely to be significant even if the data is recovered (which turned out to be the case with the VA data – the FBI located the laptop before the criminals figured out what they had). Following the VA data breach, Congressional hearings were held and federal legislation proposed; President Bush established a national identity theft task force; and the Office of Management and Budget issued guidance to U.S. federal agencies regarding the protection of sensitive data. Oh, and heads rolled – many senior VA officials were fired, as a very intense spotlight started to shine on the VA's information security posture (as well as that of other federal departments).
In the UK, those things have already started to happen. Her Majesty's Revenue and Customs chairman Paul Gray has resigned; opposition Members of Parliament are also calling for Chancellor Darling to step down and many are criticizing Prime Minister Gordon Brown's government over the nature and handling of the incident, which occurred in October according to press reports. I would anticipate that the UK Government will be coming out with proposals of its own as Darling himself has talked about the violation of policy and the lack of sufficient safeguards for protecting this information.
An added wrinkle here is that the UK's House of Lords Science and Technology Committee had issued a report on information security in August 2007 that recommended, among other proposals, the adoption of a data security breach notification law, without waiting for action by the European Commission, as soon as possible. The actual recommendation was stated as follows: "We further believe that a data security breach notification law would be the most important advances that the United Kingdom could make in promoting personal internet security. We recommend that the Government, without waiting for action at the European Commission level, accept the principle of such a law and begin consultation on its scope as a matter of urgency." In its official response in October, the UK Government included the following statement: "We are, however, clearly not so convinced as the Committee that this would immediately lead to an improvement in performance by business in regard to protecting personal information and we do not see that this would have any significant impact on other elements of personal internet security."
Well, I think that some in the U.K. government may change their view now. While the statement refers to a national data security breach notification law that would also cover businesses, the minimum action that the UK Government should take is to establish more robust safeguard requirements and notification procedures for government agencies. However, because, as we all know, this is not just a challenge for the public sector, a national law covering all entities that hold personally identifiable information should be the aim.
At the RSA Conference Europe in October 2007, there was a keynote panel session on this very topic (see this related article). David Smith, the Deputy Commissioner for the U.K.'s Information Commissioner's Office "urged firms to act now to protect their systems rather than wait until Europe passes laws around data breach notification." It sounds like the UK Government should have heeded that advice, too.