Things don’t look so rosy in the FSA report with respect to how financial institutions handle data security.

From eGov Monitor:

The Financial Services Authority (FSA) has published today its report on Data Security in Financial Services. Whilst it might make for uncomfortable reading, this is a timely report from the FSA, and its relevance extends beyond the firms that the FSA directly regulates. The omissions the FSA identifies and standards it expects are not peculiar to the financial services industry.

The underlying message from the Information Commissioner’s Office (ICO) and the FSA is clear in the report: they are going to get tough on firms that are not taking security breaches seriously enough, and firms ignore the guidance in this report at their peril.

Read on.

Article Link

Well, here is an interesting twist. I can’t say that I’m overly surprised as this type of ranking was inevitable.

From the Associated Press:

Eighteen Japanese firms said Tuesday they were creating the world’s first ratings agency looking at data security, which they said was a rising concern for companies.

The new firm, called IS Rating, will be launched on May 1 and start issuing ratings in July, both to Japanese and foreign companies and organisations.

It will give out ratings based on how they manage data, including files containing personal information, which circulates within the firm or is shared with third parties.

IS Rating will also offer training and edit documents to encourage security.

“For businesses, it’s extremely complicated to measure whether the internal handling of their masses of data is appropriate,” the firms creating the new agency said in a joint statement.

Very interesting indeed.

Article Link


Well, we get word (thx Chris) that the Georgia Department of Human Resources suffered a data theft last week. Apparently an external hard drive with the personal information of former and current employees stored on it was stolen “by an unauthorized person”. They did not release the number of people affected, but, just to put it in perspective, there are currently 19,000 employees with DHR.

From Atlanta Journal Constitution:

The agency sent letters to all employees affected by the security breach, urging them to review all credit and other financial records.

DHR officials said there is no evidence the information is being used fraudulently, and the theft remains under investigation.

The incident alarmed employees and former employees.

“On the personal side, I’m concerned that they had this kind of breach,” said Jed Nitzberg, a former DHR spokesman.

He added, “I’ve already been in touch with one company about buying fraud monitoring and information protection services as an extra precaution because of this. I’m worried this could come back to cause real damage months from now.”

Gov. Sonny Perdue said through a spokesman that the theft heightens concerns about computer security in state government.

“The governor is not happy about where the government is on this,” said spokesman Bert Brantley.

To say nothing of the fact that they are running Netscape Enterprise 6.0 as their web server.

Read on.

Article Link


Policies are necessary; sometimes they’re even really well written. However, if your users aren’t aware of them, let alone follow them, what use are they? User education is a never-ending exercise. It’s a myopic point of view to dismiss the end users as untrainable. If you give up on them, you can rest assured they will meet your expectation.

From the Baltimore Sun:

First it was the Department of Veterans Affairs. Then, the Internal Revenue Service. Now, the National Institutes of Health is the latest federal agency that failed to encrypt laptop computers containing sensitive private information.

The recent theft of a laptop that had medical test results for 2,500 patients in an NIH heart imaging study shows that the government is still not guarding private information, despite new rules, privacy specialists say.

“The issue isn’t so much with the policy; it’s with the policy being followed in practice,” said Joy Pritts, a Georgetown University researcher who specializes in health care privacy.

The laptop was reported stolen from Dr. Andrew E. Arai’s locked car trunk Feb. 23, but the National Heart, Lung and Blood Institute alerted patients to the data theft only last week.

Article Link


Let’s face it. It has been a bad year in the UK for data loss. The BBC’s investigative journos have uncovered reams of incidents where data was lost, stolen or otherwise compromised.

From BBC:

In November 2005 a problem with the staff intranet at Comhairle nan Eileann Siar (Western Isles Council) meant National Insurance, bank details and other personal information of all 3,000 staff was accessible.

A spokesman for the Comhairle said: “We are not aware of any problems for members of staff arising from this breach of security, which was promptly rectified.

“Action was also taken to prevent any recurrence of this situation.”

Breaches at other organisations include driving licences being lost in the post and computers and organisers containing personal information being stolen.

Lothian and Borders Police said productions containing the names of accused had been inappropriately discarded.

A force spokesman said: “In terms of the lost items, full-scale and comprehensive investigations were ordered, as was a complete review of information security measures throughout the force.”

Perth and Kinross Council said a USB memory stick was lost containing names and salaries, but later found.

And it goes on like this.

While it may seem self-evident that data has to be protected, we still see story after story on this subject. What needs to happen to help folks en masse improve their data protection? It can’t be highly publicized data compromises, as we have seen so many of them to date. And it can’t be the tear-jerking stories of grandma and grandpa losing everything to identity thieves. Sadly, that happens far too often.

So, what is the catalyst required to turn the tide?

Article Link