Keeping Up-to-Date with Security Breaches
Whilst we may not yet have laws forcing the disclosure of personal data security breaches, it is worth keeping an eye on what is being reported elsewhere to see the types of issues that arise.
This week's news story about the purchase of a server from eBay containing the details of more than a million NatWest, American Express and Royal Bank of Scotland customers reminded me of the type of bad publicity organisations can expect to receive if data breach legislation is introduced in this country. The data included bank account numbers, sort codes, credit card numbers, names, addresses, mobile phone numbers, mothers' maiden names and signatures - all the types of data useful for identity fraud.
Due to legislation there, many incidents are reported from the United States, but the DataLossDB from the Open Security Foundation, Breach Blog from FRSecure and the Attrition.org Data Loss Archive and Database describe worldwide data breaches. Remember that data breaches occur via non-electronic media too - including on discarded paper.
Marketing and public relations managers should think about reports like this, since they can wreak havoc on reputations built up over many years. Although it's best to try to avoid these types of events occurring, do plan what to do when they occur, as they eventually will. I'm not sure that saying it was an "honest mistake" will be good enough in the future.
If you can avoid collecting data in the first place, or dispose of it in a timely manner after the required retention period, this will reduce the risk, and the amount of data that might be compromised.
Update 28th November 2008: The UK's Ministry of Justice has indicated that the government has no desire to introduce data breach notification legislation, in its Response to the Data Sharing Review Report issued on 24th November 2008.
Posted on: 29 August 2008 at 10:30 hrs
