I once wrote, somewhat flippantly but not entirely jokingly, that if you live in the UK and pick up a newspaper on any particular day there is almost certain to be yet another news report about a government laptop going missing. The very next day another of those articles appeared. My perception is that things have improved since then, but that could be because little has occured for a while on a large enough scale, or frequently enough, to warrant the attention of the mass media.
The sorts of disaster I'm talking about include the occasion when it was reported that the UK's tax website had to be closed temporarily because:
"a memory stick containing confidential pass codes to the system was found in a pub car park."
That was repeated again a few months later, along with another article stating that according to official figures, one official is disciplined over data loss every day. And if that's the "official" figure, there is no doubt in my mind that the actual figure is higher. I wonder what it is when you take into account private companies "losing" data, or Local Authorities "losing" data?
I've even attended a seminar on the subject of missing data and laptops, where a number of experts gave talks on the problem. But it seems to me that the problem could actually be solved very quickly by changing the way we think about data.
One of the aspects of many ICT courses is the effects of IT on society. Perhaps this opinion piece (which, as you will see, is backed up by facts and figures) might be used as the starting point for a debate and other work on the subject.
For those outside the UK who may not have heard about this phenomenon, these are basically what seem to be the common features of these cases.
1. Someone, for reasons best known to themselves, leaves their place of work with a laptop or memory stick containing personal data details of thousands -- or in one case, 25 million -- people.
2. They leave the laptop or usb stick on a train, back seat of a car or other equally safe places.
3. Someone discovers it and reports it to the authorities or the press.
4. There's a press release assuring us that the data was encrypted, but they've changed everything anyway, so there is no need for anyone to worry.
5. The person who lost the item is reprimanded or fired.
6. There's a lot of wringing of hands, promises of internal inquiries and so on.
7. It all goes quiet as the media focus on the next organisation to lose a load of data.
To my mind, there is something wrong with the word "loss" in this context. I'm not sure exactly what the right word would be, but I think of it in much the same way as road accidents. Traffic "accidents" tend not to be called "accidents" these days, because most of them are caused by human error. The word "accident" conveys a sense of "not my fault", when actually most road crashes are someone's fault, as opposed to, say, mechanical failures or acts of God.
In the same way, losing thousands of people's details is not simply accidental, as the term "loss" implies. To leave a laptop lying around or to lose a memory stick in the street surely suggests a lack of attention. We all lose stuff -- I'm always putting things down and then retracing my steps mentally to work out what I did with them -- but I can assure you that when I leave the house with something really valuable, like my passport, I go to absurd lengths to prevent losing it, such as using a bulldog clip to attach it to the inside of my pocket. Or, despite wearing a jacket with zipped pockets, I check that it's still there every 5 minutes.
Why do people feel the need to take such huge amounts of data away from the office in the first place? I've been working now for nearly 35 years, and in all that time I have never taken home the kind of data that seems to go missing virtually all the time now in the UK. If I did take data home, it consisted of pupils' names and their exam grades. School registers, which contained pupils' names and addresses and phone numbers, were never allowed off the premises.
These days, if people have to work from home, they should be able to access the data they need over a secure internet or extranet arrangement. I just don't see why there should ever be a need to physically remove the data from the place of work.
What to do about it?
Health and safety
As long as people continue to think of data loss as losing "data", there is never going to be a real appreciation of the possible consequences of the data loss in human terms. There have been cases of armed forces personnel details going AWOL, fugitive criminals' details, financial records going missing . See this article for a summary of this pretty bleak picture as it stood in August 2008, and then this article for more examples from the first few months of 2009. Just last month someone walked into a council office and walked out again carrying a laptop containing over 14,000 people's names and other details.
So surely the first thing we should do is redefine data loss as a health and safety hazard? According to a report last year into identity theft:
"More than 49% of the respondents reported stressed family life, 22% felt betrayed by unsupportive family members and friends, and 23% said their family didn't understand.
The strongest feelings expressed were: rage or anger, betrayal, unprotected by police, personal financial fears, sense of powerlessness, sense they were grieving, annoyed, frustrated, exhausted, sleep disturbances, an inability to trust people, and the desire to give up and stop fighting the system. ITRC long term emotional responses included: 8% felt suicidal (my emphasis), 19% feeling captive, 29% ready to give up and 10% felt that they have lost everything."
When we discuss e-safety with kids we talk about the need to keep their identity secret from strangers. There's an inconsistency if we fail to regard the losing of data, which could clearly lead to identity theft on a massive scale, as a health and safety issue too.
Now, if a company was poisoning its employees or the local populace with toxic waste or a contaminated water supply, they would risk being fined. The directors could even find themselves arrested on a charge of corporate manslaughter. I wonder what effect it would have on data loss if employees and their managers knew that if a memory stick ended up in a rubbish tip or whatever they could end up facing years in prison?
Learning from schools
Schools in the UK are subject to inspection every so often, and are also obliged to undertake self-evaluation. Why shouldn't companies have to do the same, and be expected to show high standards, and improvement over time, on a range of criteria, including data security?
Learning from photo libraries
If you're in the media business in the UK, and you need to hire photographic transparencies from a photo library, don't lose or damage them. Why not? Because you're likely to be fined between 400 GBP (630 USD) and 600 GBP (945 USD) for each one.
What if, applying this principle, companies or government departments were fined for each unit of data they lost? Even if only £1 per item was levied, losing 25 million names would be a costly business. Or do we as a nation think that in principle photos have more value than people?
Over to you
What do you (or your students) think of my suggestions?
This is an updated version of an article which appeared in 2008.