I am sure it will not be news to you that you have a responsibility to your customers to keep their data secure. However, what diligence do you go through to ensure this is the case?
Recently, the FSA handed out a £3.25m penalty (reduced to £2.275m for early payment) to Zurich Financial Services for breaching Principle of Business 3 (management and control) and the FSA’s System and Controls rules. Whilst there has been no evidence that there has been any misuse of the data, the FSA identified that in August 2008, Zurich SA lost an unencrypted back-up tape during a routine transfer to a data storage centre. As there were no proper reporting lines in place Zurich UK did not learn of the incident until a year later.
A few things come to mind reading this story:
1. The data was not encrypted
2. The storage and transfer of the data was not properly managed in an auditable fashion
3. It is a lot of money compared to the cost of data storage and encryption solutions
4. The FSA has fined Zurich for the loss of UK customer data by an offshore entity
5. You cannot outsource responsibility for the security of your customers' data
Almost all businesses hold sensitive data about customers, employees and suppliers, and we live in an age where criminals are after this data. You may be surprised to find out that there is a market for stolen personal details which is mature enough to have SLAs, i.e. the criminals selling the data will guarantee it has a certain level of accuracy.
Data Loss Prevention is something all businesses need to address, as you have a duty of care to anyone whose data you hold. Where perimeter security (firewall, mail, web access) used to be enough to keep your business safe, it is not enough now, and the FSA's fine makes the business case for encrypted storage and backup quite compelling.
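The two lessons above, encrypt the backup before it leaves the building and make each hand-over auditable, can be shown end to end in a few shell functions. The script below is an added example and is not code from the original post or from Zurich; it assumes `openssl` and `sha256sum` are installed, and every path, the sample data and the passphrase are constructed for the demo (a real key would live in a key manager, never alongside the tape).

```shell
#!/bin/sh
# Added example (not from the original post): encrypt a backup image before it leaves
# the site, ship a hash manifest separately, and keep a custody log of each hand-over
# so a lost tape shows up at the next checkpoint, not a year later.
set -eu

WORK="${TMPDIR:-/tmp}/backup_demo.$$"
mkdir -p "$WORK"

# Constructed sample "backup" standing in for a tape image.
printf 'customer,policy,postcode\nJ Smith,P-0001,AB1 2CD\n' > "$WORK/backup.csv"

# Constructed passphrase file for the demo only; chmod 600 so only the owner can read it.
printf 'example-passphrase-do-not-use\n' > "$WORK/key.txt"
chmod 600 "$WORK/key.txt"

# Encrypt with AES-256-CBC, PBKDF2 key derivation and a random salt.
# The .enc file is the only thing that goes offsite.
encrypt_backup() {
    openssl enc -aes-256-cbc -pbkdf2 -salt -in "$1" -out "$2" -pass "file:$3"
}

# Reverse of the above, used at restore time (and here to prove the round trip).
decrypt_backup() {
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$1" -out "$2" -pass "file:$3"
}

# Manifest: ciphertext hash, size, timestamp. Sent on a separate channel from the tape
# so the receiver can prove what arrived is what was dispatched.
write_manifest() {
    sum=$(sha256sum "$1" | cut -d' ' -f1)
    printf 'file=%s\nsha256=%s\nbytes=%s\ncreated=%s\n' \
        "$(basename "$1")" "$sum" "$(wc -c < "$1" | tr -d ' ')" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$2"
}

# Custody log: one tab-separated line per event (time, event, item, party).
log_custody() {
    printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" >> "$4"
}

# Receiver-side check: recompute the hash and compare it with the manifest.
# Returns 0 when they match, 1 on any tampering or truncation.
verify_backup() {
    expected=$(sed -n 's/^sha256=//p' "$2")
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Sanity check that the shipped file carries no readable customer record (0 = leak found).
plaintext_visible() {
    grep -q 'J Smith' "$1" 2>/dev/null
}

encrypt_backup "$WORK/backup.csv" "$WORK/backup.enc" "$WORK/key.txt"
write_manifest "$WORK/backup.enc" "$WORK/backup.manifest"
log_custody dispatched backup.enc "site-A" "$WORK/custody.log"
log_custody received   backup.enc "storage-centre" "$WORK/custody.log"
cat "$WORK/backup.manifest" "$WORK/custody.log"
```

The point of keeping the manifest and the custody log apart from the tape is that each is useless to a thief on its own, while together they give the receiving site an objective test to run on arrival rather than relying on someone noticing a missing box.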
Do you know where your data is and can you audit it? If you have any questions on security of your IT estate, then please drop me a comment below.