Losses of personal information, trust and privacy: This is going to change your life

| December 1, 2007

We are watching a very rapid change in community attitudes on privacy.  One of the strongest contributors is the repeated and significant loss of control of personal information by private and public sector organisations around the world.

This Sea Change was started courtesy of the Californians who passed the first “Data Breach Notification” laws in 2003.  This kind of law requires an organisation that loses control of personal information, be it theft, accidental loss or otherwise, to notify those affected by the loss, the authorities or both.  Well over 30 of the States of the USA have passed such laws, although Congress has not been able to do so at the Federal level despite many attempts.  The Australian Law Reform Commission, in its Review of Australian Privacy Law in Discussion Paper 72, proposes that Australia also put such law in place.  See the ALRC website if you want to know more.

As our grandparents used to say, “Sunshine is the best form of disinfectant” and this has proved to be the case with these laws.  At least 200 million records of personal information about folk in the USA have been lost since the beginning of 2005, alone.  We know this courtesy of the Privacy Rights Clearing House.

Now the UK government has shown it is neither better nor worse, with the acknowledged loss of records from Revenue & Customs service.  There are many articles online, but start with the BBC and follow links from there.

And earlier this year, the UK financial institution Nationwide was fined over AUD 2 million for losing a laptop with confidential customer information on it. See the Financial Services Authority website.

Not worried yet?  Have a look at the views of Ben Laurie, Google’s self titled “Privacy Curmugeon”, or Kim Cameron, Microsoft’s Chief Identity Architect.  There’s plenty more.

In Australia, we simply do not know if we are better or worse.  There is no evidence either way.  But there is no evidence whatsoever that we should be complacent about it either.

Now we are seeing more evidence of the impact of these developments.  The Ponemon Institute in the US has been seeking to put a cost on the loss of personal information and recently issued another report.  It has just been covered in “If Security Is Expensive, Try Getting Hacked” in Forbes.com, dated 28 November 2007.

This is an interesting article because it draws together some of the developments in 2007 with regard to the insecurity of personal information.

A couple of points in particular are worth noting:

1. The author thinks that the persistent losses of data in 2007 has worsened customer perceptions & made them more privacy conscious.

2. The sources of the losses are not where you would expect:

“Curiously enough, malicious software and malevolent hackers only accounted for about 9% of the data breaches analyzed. Instead, the study pointed up the need for more internal security, particularly when working with outsourced contractors. The study attributed 40% of the breaches to third-party organizations such as consultants, up from 29% in 2006 and 21% in 2005. Mobile devices, including laptops and USB devices, were also cited in nearly half the breaches.”

3. Just as interesting is the next paragraph:

“Ponemon contends that the connection between a breach and actual identity theft is far from clear. In initial studies, his researchers have failed to find any statistically significant correlation between a consumer’s data being exposed in a breach and that consumer’s probability of being targeted by fraudsters.”

Point No 2 is significant.  It means that it is NOT the hackers & malicious software that are causing the loss.  It is poor company/agency security.

The third is also interesting – it supports earlier research by ID Analytics.  In essence, it means we don’t know yet the actual financial losses resulting from losses of data.  It is like other similar situations – we don’t know either way as opposed to having actual results.

CxOs in the wise agency or organisation would be reviewing their security policies and their privacy plans – be they Chief Information Officer, Chief Security Officer, Chief Privacy Officer or even CEO.  Most particularly, they might like to consider a disaster plan that is rarely reviewed – their Customer Continuity Plan.  In this day and age, any self respecting organisation is likely to have a “Business Continuity Plan” to manage disaster.  What does its equivalent “Customer (or Citizen) Continuity Plan” look like?  Does it even have one?  Or is the customer expected to carry all the risk unassisted?

There is a lot more meat on this bone.


Malcolm Crompton is Managing Director of Information Integrity Solutions (IIS), a globally connected company that works with public sector and private sector organisations to help them build customer trust through respect for the customer and their personal information.



  1. Nick Mallory

    December 3, 2007 at 12:08 am

    Excellent points
    Mr Crompton makes some excellent points.

  2. gapadmin

    December 7, 2007 at 4:43 am

    Posting a comment on behalf of Andrew Waterhouse

    These repeated exposures of information come down almost universally to a failure by large organisations to correctly implement information security policies mandating that all sensitive information not be held as plain text. If these were observed, then the loss of information would be commuted to simple loss of media, and so long as the original copy is held somewhere, any potential exposure is fully mitigated. As I go around the traps, I repeatedly find that implementers give up on the last leg of storage because it creates, in their minds, too many impediments to efficient processing. This then propagates to poor storage practices in other areas of the enterprise, and ultimately serious breaches.

    Given that the inclination amongst all of humanity is to take shortcuts, the best policy is to implement electronic safeguards that remove the 'classification decision' from the hands of those involved in moving data about the place.

  3. Nick Mallory

    December 17, 2007 at 11:27 pm

    Another records scandal

    One of the sorry excuses trotted out for the data loss scandal in Britain was that although lots of people had access to the data, the rules regarding how they should be used and shared were actually top secret and so those using the records weren't allowed to know the rules about using them!  You couldn't make it up. 

    And today we hear that the records of three million British learner drivers have gone missing, another nail in the coffin of the entirely doomed ID card in Britain.  It doesn't really matter if these records are never exploited in some way by criminals (or, more likely, advertisers!), the public perception of incompetence is enough.

    There is simply no way that any sane Government is going to spend billions of dollars on setting up new systems of this kind, if they work it'll take ten years for the benifits to accrue, so they won't get any credit, while the huge and inevitably spiralling costs and administrative cock ups are certain vote losers.

    One advantage that Britain does have though is that a driving license there is for life, for the NSW Government to extort a hundred dollars every three years out of every driver to 'renew' their license is outrageous.  This is extortion, pure and simple.