Written by David Adams
David Adams discusses how information management policies are putting organisations and individuals at risk of the wrong kind of publicity
One would hope we were no longer a nation of idiots when it comes to privacy risk. In recent years barely a week has passed without another story in the media about some hapless public servant or bank employee accidentally releasing another batch of sensitive personal data into the public domain, thus exposing the subjects of that data to the risk of identity and other frauds; and their employers to reputational and regulatory admonishment.
Many cases have related to the loss of electronic data, including the loss by HMRC of a disk containing 25 million child benefit records in 2007. But there have also been plenty of cases of paper records being poorly secured, including several stories related to hospital staff leaving old medical records lying around in open skips; as happened at Macclesfield Hospital in 2008, when the documents in question were later found in a back garden 20 miles away.
These mistakes have helped spread awareness of the importance of destroying paper documents and of encrypting and managing electronic data more effectively. But how effectively are UK organisations acting upon this and protecting confidential data today? The answer seems to be: not brilliantly, particularly when it comes to handling paper, which can so easily be handed to the wrong person, misplaced, or thrown into the wrong bin.
It would be great if paper documents burned themselves up when no longer needed, like the instruction messages in Mission Impossible, but life isn't like that.
"I think the fact that the Information Commissioner's Office has had to bring in fines of up to £500,000 [for data breaches] is a signal that they think more needs to be done to protect individuals," says Robert Guice, executive vice-president, EMEA, at secure shredding and data destruction specialist Shred-it, which works for clients across the public and private sectors. "Organisations are aware of the issues but are still guilty of thinking about data as being electronic rather than the skewed photocopy that gets left on the desk."
Guice says he and his colleagues frequently carry out audits of buildings protected by state-of-the-art IT and physical security systems - where they find open recycling bins containing all manner of sensitive customer or human resources data, including payslips, medical records or details of personal circumstances that the subjects might rather keep private. The material is destined to be handled in an insecure way by third-party companies. "It can even end up sitting on a dock waiting for paper prices to rise before anyone recycles it," Guice adds.
Some sectors perform better than others when it comes to managing this risk. Mike Wilson, commercial director, financial services at information protection and storage specialist Iron Mountain, picks out transport and logistics companies as among those that now recognise the potential damage to the brand data breaches can represent. Interestingly - and contrary to some preconceptions - companies running offshore call centres in India also often perform well, according to Ryan Rubin, associate director, head of security and privacy in the UK at risk and business consultancy Protiviti. "There seems to be this stigma about companies outside the UK, but those companies tend to go the extra mile," he says.
What are the most important steps to take on a journey to best practice in this area? Shred-it's Guice recommends enforcing a consistent policy on shredding documents. "We frequently see organisations allowing staff to make the decisions over what is and is not confidential in an office where you have a recycling bin and a confidential destruction unit next to each other," he says. "But there's a danger that what you deal with every day becomes very familiar and loses its value in your eyes. So we will find payslips in a recycling bin.
"We say shred everything and separate out recycling services that are not secure. Off-site destruction is typically cheaper and organisations are cutting costs and end up taking risks. You have no way of witnessing the destruction of those documents, or being certain that it has happened." As he points out, under data protection legislation, appointing a third party does not absolve a company from liability.
"We would say consider having everything destroyed on-site, so that no information on customers or employees should ever leave the building in its original form. Ensure you secure the custody of documents that are no longer needed. Without that chain of custody if there is a breach you have no way of finding out where it occurred and your chances of minimising risks are much smaller."
Simple, practical steps, such as enforcing a clean desk policy and the use of lockable office furniture make it more likely that staff will follow best practice. But above all, organisations must make their employees active participants in the document security strategy, whether inside or outside the office. Documents in the recycling bin at home are just as dangerous as those left lying around the office.
But staff can only adhere to policies if they actually know about them. William Beer, a director in PricewaterhouseCoopers' One Security team, is concerned that only about 45 per cent of organisations in the UK have implemented security awareness programmes, according to the findings of PWC's 2010 Global State of Information Security Survey. Worse, many such programmes are only IT-based, making it hard to evaluate their effectiveness and raising the suspicion that they represent a tick-box approach to compliance.
There needs to be buy-in from senior management and training should be delivered by training experts, not just the security team, says Beer. Training should also be tailored to meet the needs of different groups of employees. For example, a retailer's shopfloor staff need to know exactly what to do with a credit card receipt found on the floor.
The ideal must be to integrate security awareness into the culture of the organisation. Beer suggests making security awareness training part of the induction process for new staff, with the message reinforced thereafter using various media including regular training updates.
He advocates using employee training as the first stage of a phased approach to document security policy development. "When you start like that you tend to see an apparent increase in security incidents at first, as people start to report incidents they might not have reported before," he notes. "Then I would go through a data discovery exercise: do some sampling to get an understanding of what is being lost. Then you can produce a roadmap of how to move forward."
In some industries it may also be necessary to try and spread more awareness of the issues among a company's customer base. Rubin cites the hotel industry, where staff may find themselves having to manage paper documents or faxes containing customers' credit card details, despite end users being told repeatedly not to supply them this way. "It's obviously difficult for the hotel to be sure they have shredded or dealt with this information if they haven't created it themselves," he points out.
Naturally, we tried to prise some juicy stories out of the experts interviewed for this article; naturally they refused to do so. But they did reveal some surprisingly and disturbingly common problems. "We've done audits where we've found sensitive material lying on desks that could easily be seen by cleaners or by anyone else who comes in and filing cabinets containing sensitive information left unlocked," says Ryan Rubin. He has also seen instances where the bin into which confidential documents should be placed for secure incineration or destruction is full - so people pile confidential documents loose on top of it. And these things certainly don't just happen in beleaguered public sector organisations. As Guice says, "The private sector is much better at keeping stories out of the headlines."
There will be plenty more such stories in future and plenty more fines from the Information Commissioner. Your aim has to be to ensure that your organisation doesn't become another expensive cautionary tale. The paper will not self-destruct in 30 seconds. Lock up what you need to keep - and shred or burn the rest.