Wednesday 25 August 2010

Zurich UK Data Breach: Are large fines good for Information Security?

Yesterday (24th Aug 10), one of the largest fines for a data breach in the UK was issued, with the Financial Services Authority (FSA) announcing a £2,275,000 fine against the UK arm of Zurich Insurance (Zurich UK). Some 46,000 Zurich policyholders had their unprotected personal data, which included bank account and credit card details, “go missing” during a routine data transfer to a South African data centre in August 2008, and Zurich only noticed the loss a year later. By the way, Zurich was actually fined £3.25m but was given a 30% discount for settling early, which is how the figure comes down to £2.275m; see the FSA press release for more details.

But do large fines actually work? Do they help businesses, and indeed whole industries, become more Information Security savvy, and push them to operate with better information security practices? Well, I think the answer is a clear and resounding YES, and even more so when data breaches and their associated fines are placed in the public arena rather than covered up. I say this because many credit card data breaches and fines involving UK merchants are routinely not made public, leaving UK citizens scratching their heads trying to work out how that “Online Poker” transaction ended up on their credit card statement.

Of course fines and public scrutiny will not ensure data breaches never occur, nothing will, but I’m sure the pain Zurich has gone through in paying the fine, dealing with the hassle and high cost of quickly addressing its security failings, and then the PR damage, will be a major incentive across its entire multi-national business, and will help to prevent future data breaches. I am fairly certain other insurance businesses will be taking stock of this particular fine because it is a seven-figure amount. I imagine Chief Executives in boardrooms asking their directors “Could this happen to us?”, which in turn should lead to security reviews of their own business processes. It’s worth mentioning that, according to the Verizon 2010 Data Breach Investigations Report, 96% of breaches were avoidable through simple or intermediate controls. So if businesses took information security more seriously and applied industry standard security best practices, they would significantly reduce their risk of a data breach, and they would certainly not incur such large fines if one did occur, because how negligent a business was in its information security controls and practices is a major factor in determining the size of a data breach fine.

Under UK law businesses do not have to publicly disclose personal data breaches, so the UK general public is not informed when UK businesses lose, or even worse have stolen, their personal information. Zurich was only found out because it is regulated by the FSA, and the FSA required the breach to be publicly disclosed. Isn’t it about time all UK businesses were regulated for information security best practices and data breaches? Now, the Information Commissioner’s Office (ICO) was recently given extra powers, including the power to fine organisations up to £500,000 for serious breaches of the Data Protection Act, but this government-run office is still a toothless tiger, because private companies are not legally required to report their data breaches to it. The ICO certainly doesn’t wield the same big stick as the FSA, and as a direct consequence the ICO is generally neither respected nor feared by UK businesses.

Another angle which shows that large fines can make businesses comply is the history of business Health and Safety obligations. It is fair to say health and safety in the workplace has changed vastly since the 1970s. Businesses were made to apply proper health and safety controls by solid laws and strong industry regulation, together with large fines and public scrutiny, and this is still the case today. As with data breaches, fines can never fully prevent incidents, but it appears large fines can help bring about a culture change in the business world, and large fines do cut down the number of incidents.

The key point here is that Health and Safety is backed up by strong regulation and law, whereas at present in the UK both the industry regulations and the legal requirements for businesses to protect personal data are plainly out of date and weak. Sure, we have the Data Protection Act, but it was written before the Internet really took off. Without the big stick of heavy fines and clearer details of the security controls required in the modern age, many businesses simply do not take proper stock of their obligation to adequately protect the UK citizens’ personal information in their care, and so they do not commit the financial resources to apply the necessary security controls. I predict (and hope) that, just as with the progress of Health and Safety, this will eventually change, but I fear it may take several more years yet, and no doubt a few more large and high profile data breaches will occur before we see any significant change in our law, as the UK government in today’s information age is still in the dark ages when it comes to information security.