Having seen many prison films over the years, I know one thing. Whether you're innocent or not, on the first day you get into prison, if you want to avoid being the soap picker you have to make an example out of someone. It could be fashioning a shank out of a biro and stabbing your cellmate in the neck several times, or biting the ear off a prison warden. This sends a message out to everyone else that you're not someone to be messed with, and they will leave you alone for the duration of your stay.
Well, it appears that the UK's Information Commissioner's Office received the memo today. As of April 2010, they've had the power to impose penalties of up to £500,000 for serious breaches of the Data Protection Act (up from the previous penalty of £5,000).
Come November, many of us were wondering if the commissioner actually had the coconuts to know what to do with this newfound power. I know of some security commentators who've been reluctant to believe they would ever fine anyone at all. But today, 24th November 2010, they unleashed their vengeance and furious anger on not one but two data leakers on the same day.
Hertfordshire County Council received the shank in the neck with a £100,000 fine for sending a fax to the wrong number (twice), and A4e were fined £60,000 for losing an unencrypted laptop which contained sensitive information.
So three cheers for the commissioner and for fighting the good security fight against these careless and sloppy organisations?
Simply fining organisations isn't necessarily going to address the problem, and gives little benefit other than filling the commissioner's coffers. You still have data that has been lost which isn't coming back, and no assurance that the same won't happen again. But there appears to be a disturbing trend whereby governments, regulatory bodies and the like have agreed on a standard operating model, which is depicted below:
Don't believe me? Why do you think PCI DSS is so widely feared and adhered to? Let me give you a hint: it's not because people truly believe in the security values it stands for.
Sarbanes-Oxley: an almost bottomless pit of money poured into achieving compliance.
And then we wonder why people view security in a negative light. It's because all they ever hear is "do this or you'll get fined", "do that or you'll be sent to jail"; threats, threats, threats. It's all about negative threats.
I'm not saying that governing bodies or professional certifications are completely useless. It's just that you can't go around milking the information security cash cow forever, and there's more to it than just scaring people. Information security isn't the most complicated thing on the planet; a lot of it is common sense. You just need to identify the critical bits of information, make sure only the people who need them can access them for legitimate purposes, and once the information is no longer needed, destroy it.
If our regulatory bodies actually tried helping by making security easy to understand and accessible to all companies, there would probably be a much greater benefit to all. Or an even more radical approach would be, say, where a company hasn't encrypted its laptops, to force it to spend the money on rolling out encryption and performing a proper security assessment of its controls and how it handles data.
But then again, they wouldn't make much money if they did that.