A media storm blew up in the UK recently when HM Revenue & Customs (HMRC) lost computer discs containing the country’s entire child benefit records, including the bank account details of over seven million people.
But data leaks don’t just happen to government departments. They happen to all kinds of private entities too – and they can be expensive.
The Nationwide Building Society was fined £980,000 earlier this year by the UK’s Financial Services Authority (FSA) for failing to manage its information securely. Nationwide is the UK's largest building society and holds confidential information on over 11 million customers.
The failings came to light following the theft of a laptop from a Nationwide employee's home. By agreeing to settle at an early stage of the FSA's investigation, Nationwide qualified for a 30% discount under the FSA's executive settlement procedures. Without the discount the fine would have been £1.4 million.
In another recent case, computer hackers stole information from at least 45.7 million payment cards used by customers of US clothes retailer TJX, which owns UK outlet TK Maxx.
Any company that holds personal data is vulnerable to cybercrime, says Shaun Cooper, network risk consultant at Aon. “Both the public and private sectors should apply the same approach to mitigate IT risk - in accordance with the ISO standard for information security best practice.”
IT security experts criticised HMRC for not splitting the data into separate sets and encrypting each set individually, so that the loss of a single disc would not have exposed every field of every record. The choice of physical discs was also questioned, since a secure, encrypted data transfer channel could have carried the data instead.
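To make the criticism concrete, here is an added example, not code from the article or from HMRC, of what "separate the data into sets and encrypt each set" looks like in practice. It uses Go's standard library only: the records are split into an identity set and a bank-detail set joined by a row index, each set is sealed under its own AES-256-GCM key with the set name bound as associated data, and a final check confirms that the bytes destined for the disc contain none of the sensitive strings. The `Record` type, the set names and the sample rows are assumptions for illustration; the rows are constructed and refer to no real person or account.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Record is one constructed child-benefit style row (hypothetical layout).
type Record struct {
	Name, Address, SortCode, Account string
}

// Constructed sample rows: invented names and account numbers, not real data.
var sample = []Record{
	{"A. Example", "1 High St", "12-34-56", "00011122"},
	{"B. Sample", "2 Low Rd", "65-43-21", "99988877"},
}

// SplitDataSets separates the records into two data sets that can be
// encrypted, shipped and keyed independently: identity fields in one,
// bank details in the other, linked only by a row index. (The sample
// values contain no commas, so plain CSV lines are sufficient here.)
func SplitDataSets(recs []Record) map[string][]byte {
	var ident, bank strings.Builder
	ident.WriteString("row,name,address\n")
	bank.WriteString("row,sort_code,account\n")
	for i, r := range recs {
		fmt.Fprintf(&ident, "%d,%s,%s\n", i, r.Name, r.Address)
		fmt.Fprintf(&bank, "%d,%s,%s\n", i, r.SortCode, r.Account)
	}
	return map[string][]byte{
		"identity": []byte(ident.String()),
		"bank":     []byte(bank.String()),
	}
}

// NewKey returns a fresh 256-bit AES key. One key per data set; the keys
// travel by a separate channel from the media, never on the disc itself.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptSet seals one data set with AES-256-GCM. The set name is bound as
// associated data, so a "bank" blob cannot be presented as "identity".
// Blob layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
func EncryptSet(key, plaintext []byte, setName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(setName)), nil
}

// DecryptSet reverses EncryptSet. It fails on a wrong key, a wrong set name
// or any modification of the blob: GCM authenticates before it decrypts.
func DecryptSet(key, blob []byte, setName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(setName))
}

// LeaksPlaintext is the check to run on the exact bytes written to the disc:
// it reports whether any sensitive string is recoverable without the key.
func LeaksPlaintext(onDisc []byte, sensitive ...string) bool {
	for _, s := range sensitive {
		if bytes.Contains(onDisc, []byte(s)) {
			return true
		}
	}
	return false
}

func main() {
	sets := SplitDataSets(sample)
	for name, pt := range sets {
		key, _ := NewKey()
		blob, _ := EncryptSet(key, pt, name)
		fmt.Printf("%-8s %d plaintext bytes -> %d bytes on disc, leaks=%v\n",
			name, len(pt), len(blob), LeaksPlaintext(blob, "00011122", "A. Example"))
	}
}
```

The point of the split is containment: whoever picks up the "bank" disc and even its key still holds only sort codes and account numbers with no names attached, and the "identity" disc on its own is a mailing list. Binding the set name as associated data and using a random nonce per blob are the "other processes" that make the cheap encryption step actually hold up.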
But if the unthinkable does happen to a business, specialist insurance products can mitigate the financial cost of any loss. Errors and omissions (E&O) insurance provides cover for data loss as a result of negligence and is available from various Lloyd’s syndicates, according to Cooper. Companies can also take out a ‘cyber liability’ policy to cover defence costs and class actions from customers following a deliberate attack; these are also available from Lloyd’s, he says.
Lloyd’s broker Safeonline also arranges cover for small businesses and large corporations relating to data loss as a result of hacking, a virus attack or the theft of physical media.
“Awareness of the risks associated with holding customers’ data has grown tremendously as a result of incidents like those at Nationwide and TJX,” says Chris Cotterell, Safeonline partner.
Policies brokered by Safeonline cover the cost of reconstituting lost data, third-party claims following a breach of security, the cost of notifying affected people about the incident, and the legal costs of any regulatory proceedings resulting from it.
Lloyd’s insurers ACE, Novae and Beazley all write data loss related cover. A medium-sized corporation can typically arrange cover with a limit of £25 million, though a programme of between £50 million and £100 million is possible in certain circumstances, Mr Cotterell says.
Nigel Jones, director and IT forensic expert at Aon, says that too many organisations have information security policies that concentrate on the infrastructure that holds the data rather than the data itself. “Encryption techniques today are low cost and still effective if coupled with other processes. Even if the HMRC has the best security practices, you have to ask when the policies were last tested,” he says.
Jones believes the incident serves as a wake-up call for all those with responsibility for the security of personal information, whether in the public or private sector.