We are watching a very rapid change in community attitudes to privacy. One of the strongest contributors is the repeated and significant loss of control of personal information by private and public sector organisations around the world.
This sea change started courtesy of the Californians, whose "Data Breach Notification" law, the first of its kind, took effect in 2003. This kind of law requires an organisation that loses control of personal information, be it by theft, accidental loss or otherwise, to notify those affected by the loss, the authorities or both. Well over 30 of the States of the USA have since passed such laws, although Congress has not been able to do so at the Federal level despite many attempts. The Australian Law Reform Commission, in its Review of Australian Privacy Law (Discussion Paper 72), proposes that Australia also put such a law in place. See the ALRC website if you want to know more.
As our grandparents used to say, "Sunshine is the best form of disinfectant", and this has proved to be the case with these laws. At least 200 million records of personal information about folk in the USA have been reported lost since the beginning of 2005 alone. We know this courtesy of the Privacy Rights Clearinghouse, which keeps a running tally of the breaches disclosed under those laws.
Now the UK government has shown it is neither better nor worse, with HM Revenue & Customs' acknowledged loss of discs holding child benefit records. There are many articles online, but start with the BBC and follow links from there.
And earlier this year, the UK building society Nationwide was fined over AUD 2 million after a laptop holding confidential customer information was stolen; the regulator's complaint was not the theft itself but the inadequate controls that let the data walk out the door. See the Financial Services Authority website.
In Australia, we simply do not know whether we are better or worse. There is no evidence either way, because nobody is obliged to tell. But there is no evidence whatsoever that we should be complacent about it either.
Now we are seeing more evidence of the impact of these developments. The Ponemon Institute in the US has been seeking to put a cost on the loss of personal information and recently issued another of its annual reports. It has just been covered in "If Security Is Expensive, Try Getting Hacked" on Forbes.com, dated 28 November 2007.
This is an interesting article because it draws together some of the developments in 2007 with regard to the insecurity of personal information.
A couple of points in particular are worth noting:
1. The author thinks that the persistent losses of data in 2007 have worsened customer perceptions and made customers more privacy conscious.
2. The sources of the losses are not where you would expect:
"Curiously enough, malicious software and malevolent hackers only accounted for about 9% of the data breaches analyzed. Instead, the study pointed up the need for more internal security, particularly when working with outsourced contractors. The study attributed 40% of the breaches to third-party organizations such as consultants, up from 29% in 2006 and 21% in 2005. Mobile devices, including laptops and USB devices, were also cited in nearly half the breaches."
3. Just as interesting is the next paragraph:
"Ponemon contends that the connection between a breach and actual identity theft is far from clear. In initial studies, his researchers have failed to find any statistically significant correlation between a consumer's data being exposed in a breach and that consumer's probability of being targeted by fraudsters."
Point No 2 is significant. In the breaches analysed, it is NOT the hackers and malicious software that account for most of the losses. It is poor company/agency security: laptops and USB devices that leave the building unencrypted, and data handed to contractors and consultants without anyone checking how they protect it.
The third point is also interesting: it supports earlier research by ID Analytics. In essence, it means we do not yet know the actual financial losses that follow from losses of data. As in other similar situations, the absence of a measured correlation is not evidence that there is no harm; it means we do not know either way, as opposed to having actual results.
CxOs in the wise agency or organisation would be reviewing their security policies and their privacy plans, be they Chief Information Officer, Chief Security Officer, Chief Privacy Officer or even CEO. Most particularly, they might like to consider a disaster plan that is rarely reviewed: their Customer Continuity Plan. In this day and age, any self-respecting organisation is likely to have a "Business Continuity Plan" to manage disaster. What does its equivalent "Customer (or Citizen) Continuity Plan" look like? Does it even have one? Does it say who will be told, how quickly, what they will be told and what help they will get? Or is the customer expected to carry all the risk unassisted?
There is a lot more meat on this bone.