Polar bear politics and data breaches

As occurs on a weekly basis, Public Servant magazine has an article about public sector data breaches and what Government should do about them. This one was by the venerable Graham Kemp of SAS and it’s one I have to take issue with.

Graham suggests that there is a simple solution to breaches, and covers at a high level the solution. Well, I’m sorry, but I feel he’s missed something, as the solution is not technical or procedural, but a macro problem.

The problem with data breaches is two-fold:

1. No one cares
2. The punitive damages incurred are too small

I’ve covered the second point many, many times. While the ICO’s top limit for fining remains at £500k, there is little disincentive. There is a need for proportionality within this limit, otherwise the ICO might incur appeals based on the proportionality concept, so he can’t just hand out £500k fines every time. If an organisation receives a £70k fine, but it’s perceived that implementing meaningful remediation technology and processes will cost much more, no-one is going to do it or care. They’ll take the chance and pay the fine if they get caught out (think about speeding fines: we all do it accidentally from time to time and acknowledge the risk). This was the reason why the soon-to-be-defunct FSA had unlimited fining powers. There’s no point fining a Bank £70k when it probably spends more on toilet roll and flowers for reception on a weekly basis, so the FSA handed out seven-figure sums. This is slightly more painful and generates press coverage. Fining a Police Force £70k is not going to generate the kind of press coverage that makes the damages punitive beyond scraping together the pennies to pay for it.

The first point is more interesting. Ask Joe Public ‘would you be happy if your Council lost your personal details?’ and the answer would be a resounding ‘Hell, no’. But most people don’t understand what has happened, and frankly are more worried about their gas bill, the price of a bottle of wine to soothe the pain on a Friday evening or how much a litre of diesel now costs so they can get to work to earn a crust.

It’s the reason why nobody cares about the green agenda right now. Polar bears are cute (unless you are actually face to face with a hungry one) and look great on an HD telly with a soothing Attenborough voice-over. But seriously, I’m skint, and adding tax to my fuel bill just makes me worry about my own, rather than whether a two-ton teddy bear has enough ice to live on. So sod the bear, make the fuel cheaper please.

We are never going to eradicate data breaches until Joe Public feels it’s in their interest to get involved (see fox hunting, fuel blockades and X Factor for when they do), and until they do, no software or procedural changes are going to make the slightest difference.


About Graeme Stewart, McAfee

I work for McAfee as Director of Public Sector Strategy and Relations, UK&I
This entry was posted in Compliance, Cyber, Data Breach, Data Breach Fine, Government ICT strategy, Govt ICT Strategy, ICO, Information Security, InfoSec, Legal, Security, Sophos.

3 Responses to Polar bear politics and data breaches

  1. Graeme, who actually pays the fines? There is little data on whether the full amounts of the fines are paid by public sector organisations: in other words, they have refused to confirm that the amounts were actually paid, and the taxpayer still foots the bill anyway. And in the private sector, it’s the shareholders who take the hit, while managers still get their bonuses.

    I don’t think it’s just an issue for data breaches. It’s about accountability in office generally.

  2. Christopher
    I think my previous blog entry covered some of this – the ICO is reducing fines on the quiet and refusing FOI requests to explain how much, how far and its MO.

    I’ve consistently argued for bigger fines, since the amounts involved are relatively small. Until there is the threat of frontline services being hit, or Pension Funds seeing a degradation in share value, the practice of shoddy data management will continue as it’s in nobody’s fiscal interest to change.

    Accountability is about liability, and until someone really kicks up a fuss, the liability will be ducked.
