William Jackson | Data security policies: Necessary but not sufficient
- By William Jackson
- Dec 03, 2007
Oh dear. Her Royal Majesty's Revenues and Customs office seems to have misplaced detailed personal information on about 40 percent of Britain's population.
We have seen stories like this before, many of them from this country. The lesson we should take away from this is that complacency is the enemy of security.
The outline of the story will by now be familiar: A junior official at HMRC in October downloaded a database of names, dates of birth, identification numbers and financial account information for 25 million recipients of child benefit payments and their families onto two password-protected CDs and dropped them into the internal mail for the National Audit Office, with no registration or tracking. About three weeks later, when the disks had not arrived, it became obvious they had been lost.
There is no evidence that they have fallen into criminal hands. In fact, there is no evidence whatever of what happened to them. The snafu has cost HMRC Chairman Paul Gray his job. I suppose he's lucky. If this had happened in China he might well be dead by now.
Chancellor of the Exchequer Alistair Darling told Parliament, 'It is clear that strict rules governing HMRC standing procedures were not followed.'
This was neither the first nor the last time those rules were flouted. According to Darling, a junior official used the same process to send data to the auditors in March. The data arrived safely and were returned after the auditors were finished with it. When NAO asked for information again in October, a new set of disks were dropped in the mail. This time they were lost. That was not the end of it, however.
'I also have to tell the House that on finding that the package had not arrived at the NAO, a further copy of this data was sent, this time by registered post, and which did arrive at NAO,' Darling told Parliament. 'However, again HMRC should never have let this happen.'
It seems HMRC has a history of being a little sloppy about sensitive information. 'In addition, the House will be aware of other data security breaches by the HMRC, including at the end of September the loss of records of around 15,000 people in transit by HMRC's external courier and in the same month, a laptop and other material containing personal details relating to HMRC customers was also lost,' Darling said.
It goes without saying ' or it should ' that good policy is necessary to security. But as this episode illustrates, policies are not enough.
'People are still going to make mistakes,' said Larry Hamid, chief technology officer at MXI Security. Policies have to be practical enough that they can be followed without interrupting the business process, they have to be enforced and they should be backed up with technology that is as transparent and foolproof as possible.
Policy without enforcement inevitably will erode and be consigned to a shelf to quietly gather dust until a crisis occurs. HMRC might not be any more careless than other U.K. agencies, but like the Veterans Affairs Department in this country, they got caught. The United States got its wakeup call came in 2006 with the theft of a VA laptop PC containing records on more than 26 million people. That laptop eventually was recovered, with the data apparently intact.
'I think the U.S. has learned its lesson,' Hamid said. 'That started a series of memoranda from the Office of Management and Budget' on the protection of personal data.
Agencies were admonished not to keep any more personal information that was necessary, and what information is needed is to be encrypted and controls placed on what is done with it.
These are perfectly good policies, but data continues to leak, both in government and the private sector. Perfect security is impossible, of course, but we need to continue the search for the proper balance between policy and technology, security and convenience. As the HMRC incident reminds us, as soon as we stop thinking about these issues someone will make a mistake.
William Jackson is a Maryland-based freelance writer.