Companies Lacking in Data Protection

Large numbers of companies are taking risks with data protection, because they are not aware of the requirements of the law.

Nearly half (44 percent) of companies use live data in test environments—something the 1998 Data Protection Act warns against explicitly, according to a recent survey of IT directors by Compuware.

Half the directors (48 percent) were only “vaguely familiar” with the act itself, according to the research, which highlights the importance of understanding the demands and keeping track of how customer data is treated.

A further “83 percent used only minimal measures such as using nondisclosure agreements (NDA) to control data when outsourcing,” said Ian Clarke, worldwide enterprise solutions director at Compuware.

But companies find it difficult to communicate the complex legal terms to their employees or to outsourcing partners, said the survey report. “Unless they have rigorous procedures in place, they run the risk of live data being leaked to third parties. This can have severe repercussions on customer confidence and company reputation, and ultimately affect the bottom line,” Clarke added.

An NDA doesn’t mean a lot when an employee in an outsourcing company in India who earns $100 a day, for example, can earn much more by selling confidential data, he said.

Last week, an HSBC call center employee in India was arrested for swindling 233,000 pounds (US$428,000) off 20 customers in the United Kingdom. According to news reports elsewhere, the employee was paid 1,000 pounds by a criminal gang in the United Kingdom to leak confidential information.

“Companies have had plenty of time to understand and implement robust data privacy measures since the act was introduced eight years ago,” said Clarke, “but the security measures are just not there.” Since it was written in 1998, the DPA has been updated regularly to keep up with the changing needs of technology.

“Many businesses are still confused by the ambiguity of a clause within the act relating to taking appropriate action to protect customer data.” Clarke explained. “Now, what does ’appropriate action’ mean?” he said.

In the United States, “a number of states make companies publicly declare a data breach,” he said, and this requirement could cross the Atlantic. “This makes it important for organizations to cover off all possible angles of attack before the company is put at risk, rather than trying to recover from a major fraud incident.”

The one way around this problem is to disguise the data, said the survey report. “It is easy to mask data,” said Clarke. For example, companies can blank out certain fields, or in the case of credit cards, the last four digits can be scrambled, he said.

The survey report further stated that, by exchanging known values, such as addresses, with other known values, customer data can be transformed so that it is unrecognizable from the original but can still be processed by the systems across the organization, with important fields such as the postcode left intact.

This can be an automatic process, thus removing the human risk element entirely, concluded the report.

— Radhika Praveen, Techworld.com

Keep checking in at our Security Feed page, or subscribe via RSS, for updated news coverage.