As happens on a weekly basis, Public Servant magazine has an article about public sector data breaches and what Government should do about them. This one was by the venerable Graham Kemp of SAS, and it's one I have to take issue with.
Graham suggests that there is a simple solution to breaches, and covers that solution at a high level. Well, I'm sorry, but I feel he's missed something: the solution is not technical or procedural, because the problem is a macro one.
The problem with data breaches is two-fold:
1. No one cares
2. The punitive damages incurred are too small
I've covered the second point many, many times. While the ICO's top limit for fining remains at £500k, there is little disincentive. There is a need for proportionality within this limit, otherwise the ICO might face appeals on proportionality grounds, so it can't just hand out £500k fines every time. If an organisation receives a £70k fine, but it's perceived that implementing meaningful remediation technology and processes will cost much more, no one is going to do it or care. They'll take the chance and pay the fine if they get caught out (think about speeding fines: we all do it accidentally from time to time and accept the risk). This was the reason why the soon-to-be-defunct FSA had unlimited fining powers. There's no point fining a bank £70k when it probably spends more on toilet roll and flowers for reception on a weekly basis, so the FSA handed out seven-figure sums. That is slightly more painful and generates press coverage. Fining a police force £70k is not going to generate the kind of press coverage that makes the damages punitive beyond scraping together the pennies to pay for it.
The first point is more interesting. Ask Joe Public 'would you be happy if your Council lost your personal details?' and the answer would be a resounding 'Hell, no'. But most people don't understand what has actually happened, and frankly are more worried about their gas bill, the price of a bottle of wine to soothe the pain on a Friday evening, or how much a litre of diesel now costs so they can get to work to earn a crust.
It’s the reason why nobody cares about the green agenda right now. Polar bears are cute (unless you are actually face to face with a hungry one) and look great on an HD telly with a soothing Attenborough voice-over. But seriously, I’m skint, and adding tax to my fuel bill just makes me worry about my own, rather than whether a two-ton teddy bear has enough ice to live on. So sod the bear, make the fuel cheaper please.
We are never going to eradicate data breaches until Joe Public feels it's in their interest to get involved (see fox hunting, fuel blockades and X Factor for when they do), and until they do, no software or procedural changes are going to make the slightest difference.