Gary Clark, VP EMEA of SafeNet, discusses how the Government is fuelling the UK’s rate of ID fraud, and what needs to change
In the last year, the Government and public sector bodies have lost 37 million items of sensitive data. In most cases this was not the work of a skilled computer hacking operation but the result of basic public sector mistakes, including unencrypted discs lost in transit by couriers, laptops stolen from parked cars and very private personal details accidentally uploaded to public websites.
HMRC quickly established itself as a serial offender. In the space of a few months it lost the details of 15,000 Standard Life customers and a laptop containing sensitive information on thousands of taxpayers, and, infamously, allowed 25 million unencrypted citizens’ benefit records to go missing.
But, while HMRC is particularly prolific in the data loss stakes, it is not unique. Organisations such as the NHS, DVLA and Ministry of Defence have also admitted to losing sensitive data of employees, citizens and army personnel.
Not surprisingly, the public’s faith in the Government’s ability to secure personal data has fallen to an all-time low. This is particularly worrying, as a person’s identity has never been so valuable to a criminal. Last year there were 77,500 reported cases of identity fraud in Britain, 68,500 more than were reported in 1999. Meanwhile, the cost of the problem exceeds £1.5 billion annually. Considering the rate of errors in the UK public sector, both these figures are likely to be higher for 2008.
While the Government’s ID card initiative is designed to combat ID fraud, I do worry that it will create more problems. After all, the Government’s track record in the last year raises serious concerns about its ability to secure the National Identity Register. Can we be 100 per cent assured that the personal data it holds will be safer than, for example, the NHS patient data that was held on a laptop?
Quite simply, to ensure the National Identity Register does more good than harm, the data protection culture requires an overhaul – and quickly. The public sector needs to start taking its responsibility for protecting data seriously. In my view, organisations – public and private – that deal recklessly with the personal details they are trusted to hold must be held accountable by law.
Recent recommendations from the Justice Committee, which call for criminal charges to be brought for reckless data loss, are on the right track, but do not go nearly far enough. There must be significant steps taken to prevent the loss from happening in the first place.
Organisations should be penalised not only for losing the information they hold on citizens, but for failing to have the necessary safeguards in place to begin with. These include identifying process weaknesses, adopting robust security standards and encrypting all sensitive data. Quite simply, charges must be brought against those organisations which are not meeting the required standards.
Perhaps the UK public sector should look to the United States for direction. The Government there has already mandated encryption for all sensitive data about its population held on discs, laptops and workstations. We know that Government departments here already encrypt data in order to protect intelligence for the purposes of national security – and rightly so. However, at a time when the level of ID fraud is rising, this same level of security and caution must be applied to ensure the personal security of citizens, patients and employees.
Half-hearted pledges will not regain public confidence; we need to see meaningful legislation that puts data protection at the heart of Government. Otherwise we will continue to make it easy for criminals, and leave the entire UK population vulnerable.
Now in its 13th year and held on 22nd – 24th April 2008 at Olympia, London, Infosecurity Europe remains Europe’s number one dedicated information security event. For further information visit www.infosec.co.uk