I took the unusual step of completely unplugging from the grid during the Thanksgiving holiday. Didn't even check my Blackberry as the vacation progressed. It was nice, but -- boy! -- is it hard to get going again, not to mention the bazillion emails and RSS feeds to go read.
One event that jumped out was the recent large-scale personal information disclosure at HMRC in the UK. A lot was written about that by many people, but I think the event and its aftermath reinforce some of the basic themes I've been championing over the past year.
Hint: this sort of thing happens far more than you might think, and the consequences will likely be far more dire in the future.
What Happened
Simply put, one agency needed database records from another agency for statistical purposes. The first agency cut a pair of unencrypted CDs loaded with all sorts of personal details on 25m UK residents, and sent them via courier.
They weren't received, so another set was produced and shipped. The second set got there OK. But what happened to the first set? No one really knows ... except for this wag on eBay ...
Fun reading can be found here and here, among other places. Or simply google HMRC.
I guess this struck a pretty sensitive nerve with a whole lot of people.
Sure, They Blew It
Yes, the information could have easily been encrypted. Or sent via electronic file transfer using a secure channel. Or maybe a more secure courier. This could have easily been avoided in any number of ways.
Some of the articles stated that the recipients of the queried information really didn't need the sensitive bits, and the sending organization couldn't be troubled to run a custom query that didn't produce personal information. Wow.
But I think there's more here than meets the eye.
Did Anyone Handling The Information Understand What They Were Really Doing?
Probably not. I bet it looked like a routine IT chore.
Some agency is requesting information, see? Why don't you run a query from your PC, and simply copy the file over to these CDs, and send it along to them, OK? Thanks ...
People who routinely handle large amounts of money have certain protocols in place to make sure the money doesn't go strangely missing. I would bet that wire transfer clerks in large banks have certain protocols before simply wiring millions of dollars around.
People who routinely handle large amounts of information probably don't have the same sensitivity. I bet there wasn't any protocol in place for sending around millions of database records.
Hey, someone wants you to send a couple of million dollars to this offshore bank account, see? Why don't you fire up that wire transfer application, and send it along? Thanks ...
Was It Really That Unusual?
I think not. I seem to remember about a half-dozen incidents involving government agencies (mostly in the US) where personal information was lost or disclosed in bulk form.
And I don't think the problem is limited to government agencies, although they seem to be doing more than their share of this sort of thing.
It's All About Consequences
Funny thing about human behavior -- we argue with people not to do bad stuff, but what really gets their attention is a well-understood consequence if they don't follow the rules.
The potential of severe consequences, understood up-front, has a way of getting people's attention.
I remember back to the California personal information disclosure law. As I remember it, the penalty for disclosing personal information was that you had to publicly notify all affected parties.
That turned out to be a pretty severe consequence. There was a spate of press releases, and many of us got some particularly unsettling notification letters in the mail, but -- after a while -- there was a lot less of that sort of thing from companies in the US.
The consequence in this particular incident seems to be the resignation of the head of the HMRC, but I bet there's more coming. The unfortunate part is that this particular outcome wasn't understood up front.
I'd argue that consequences work best when they're well understood by all. I'd bet that the head of HMRC would have had a different approach to data disclosure if he or she knew that each and every event had the potential of being a severely career-limiting move.
Now I guess the consequences are pretty well understood by most government officials, at least in the UK.
Do We Really Understand The Consequences?
My view is that the answer to this question is "no".
Other than a few isolated cases, it's not really clear what happens (or what should happen) when one organization that is trusted to protect sensitive information fails to do so.
There seems to be a wide range: from nothing at all, to much more severe consequences. Not to pick on the folks from TJX, but I would argue they still can't put a total number on what their breach cost them.
For me, this ends up being one of the key roles of information governance within organizations. There should be an understanding regarding the sensitivity of certain kinds of information, which in turn drives policies for handling it, which in turn can be measured for compliance.
We expect organizations to handle our money intelligently.
Why should our information be any different?
