November 20, 2007
It’s 10pm: do you know where YOUR data are?
The junior staffer at HM Revenue and Customs who just mislaid personal data concerning 25m people is in good company. He/she can draw solace from the experience of Jared Ilovar, the Ohio state intern who earlier this year mislaid 800,000 social security numbers.
Funny how cases like these always follow the same pattern:
Ageing media. Ohio trusted its data to tapes, HMCR burned its information onto disks. When there’s a need to move such sensitive data around, why put it onto storage media that can get lost in the post or stolen from the back of a car?
Encryption. Or rather, lack of it. If the UK’s tax authority doesn’t use data encryption, what are the chances that any other government department will be any more secure?
Access. How come junior employees and even interns in government agencies have access to vast troves of data, and the ability to move them around seemingly at will? It doesn’t seem enough to protest that this was unauthorised. It shouldn’t have been possible.
Lack of accountability. Both of these cases could very well have remained buried. Three weeks after sending (and losing) the first set of disks, the unnamed HMRC official simply sent another in its place. The Ohio intern was told to keep quiet about the theft of tapes from his car. How many other failures like this simply never come to light?
Agree all round, and additional respect for paraphrasing the strapline from ‘Repo Man’!
Posted by: Kevin Smith | November 21st, 2007 at 1:23 pm | Report this commentLost in Space
Sadly anyone who has ever worked for a government department will know that the HMRC data “misplacement” was an accident waiting to happen. The mindset bred into the public sector means that Civil Servants are expected to carry out the instructions of the people above them with very little scope for individual problem-solving or risk awareness.
The UK Civil Service is amongst the best in the world, but the non-strategic way in which it operates means that no one understands what is trying to be achieved, no one takes responsibility, no one is accountable, and no one can prevent disasters like this happening.
The Royal Mail actually has a voluntary scheme to provide customers with some form of redress should their mail be lost or damaged. 12 x 1st class stamps or if there was something of value in the mail, a refund of the market value of that item up to 100 X the cost of a 1st class stamp.
To qualify though, customers must have obtained a Certificate of Posting - a receipt that provides proof of posting. Something I believe is not available on this occasion.
www.Royalmail.com/downloads/public/ctf/rm/inland_(2006current_version).pdf
Posted by: Sara Paine | November 22nd, 2007 at 3:00 pm | Report this commentThere seems to be one more underlying theme in all these reports about lost, stolen, or inappropriately disposed of data: management’s ultimate failure to recognize the full importance of corporate information assets.
Without accurate, accessible information, we can not focus as organizations. Mismanage it and the results can be financially damaging as well as cause irreparable harm to the organization’s public image. Without a doubt, it is one of the most important corporate assets an organization has, and one of the biggest risk areas.
Yet we continue to see these types of stories pop up around the world. Data is not adequately safeguarded and employees organization-wide are not appropriately – and regularly – trained on its proper management. In the U.S. alone, we found that 45% of organizations do not provide enterprise-wide formal training on managing records and information.
The resources are available, it simply requires a commitment to good governance from the upper management of organizations. There are numerous standards and other resources available through professional associations such as ARMA International (www.arma.org). We can only hope that more organizations will take advantage of them and make excellence in managing records and information a priority.
Posted by: Marilyn Bier, Executive Director, ARMA International | December 4th, 2007 at 10:15 pm | Report this comment