For procedures that are supposed to be concerned with confidentiality and privacy, how organisations manage the security of their large databases has been the subject of an uncomfortably high number of headlines over the past few months.
By far the most serious breach occurred last November when two computer discs containing the entire child benefit database of 25 million people disappeared after an official at HM Revenue & Customs reportedly mailed them to the National Audit Office using unregistered post.
This news was swiftly followed in December by the revelation that a computer hard drive containing the personal details of three million UK learner drivers had been misplaced, and reports that nine NHS trusts had lost patient information.
But it seems it isn’t just the public sector that is struggling to secure its databases. Among the numerous private sector companies confessing to the loss of important records last year were pharmaceutical giant Pfizer and Cornish tourist attraction the Eden Project, both of which have admitted losing confidential employee information.
These and other serious security breaches have served to highlight the dangers of identity theft, a crime that affected more than 52,000 individuals in the UK during the first three quarters of 2007, according to fraud watchdog CIFAS.
Identity theft or identity fraud are catch-all terms for crimes involving the illegal use of another individual’s identity. The most common form of identity theft is credit card fraud, but criminals who specialise in this very modern crime are also able to use personal information to order items over the internet and even take out loans in another person’s name.
But what can human resources (HR) professionals do to ensure their employee records remain secure and that they are not responsible for exposing their staff to this growing threat?
At the Information Systems Audit and Control Association, a global body dedicated to the security of IT systems, chairman of the strategic advisory group Paul Williams says a thorough understanding of the Data Protection Act is a good place to start.
He believes every HR professional who has access to sensitive data should take time out to download relevant information from the website of the Information Commissioner’s Office, an independent public body set up to oversee the Act and promote best practice in information security.
But this will only take you so far, according to Lars Davies, managing director at Kalypton, a compliance and data management consultancy. He says the problem with the Act is that it only informs organisations of their obligations and not how to actually go about securing data.
He says: “The Data Protection Act goes as far as saying organisations should take ‘reasonable and appropriate’ measures to protect data. But a lot of companies are waiting to be told by regulators how they should do this.
“At the moment there are a lot of businesses sleepwalking towards data protection,” he adds.
And although under the Act managers and directors, including senior HR staff, can be held liable for security breaches, Davies says the Information Commissioner’s Office has until now only gone as far as handing out a few small fines to offending organisations.
“Enforcement has been patchy and, knowing they will only receive a fine of a few thousand pounds, companies have put off the work required to put a proper security framework in place,” he adds.
There are signs, however, that the information commissioner Richard Thomas would like to see major security lapses treated as criminal acts, as he hinted when he gave evidence to the House of Commons justice select committee in December discussing the HM Revenue & Customs debacle.
Davies feels that companies should not wait to be told what to do. They must bite the bullet and take steps to ensure they are not the next organisation making the headlines for all the wrong reasons, he says. But no single department, be it HR or IT, can do it alone.
“The organisation must look at the procedures throughout the company as a whole and identify areas where risks lie. From this a working framework can be developed and policies and procedures produced.”
These policies should be published and made accessible to all employees in terms they can understand, and if companies are serious about protecting their data, employees, even directors, should face serious disciplinary action if they are found to be contravening these policies, says Davies.
“And as an HR director, if you aren’t getting any direction from the board, you should be bashing down the door demanding something be done,” he says.
Williams says certain technologies should be standard, such as encrypting all sensitive data on laptops, making it impossible for anyone to download databases on to discs, and disabling USB ports on corporate computers so that employees cannot copy information onto removable hard drives, such as memory sticks.
“HR can also help by ensuring the IT staff they recruit into information security roles have industry recognised qualifications such as the Certified Information Security Management standard,” he says.
At security software company Tier 3, chief executive Peter Woollacott says security software is evolving to counter the increasingly sophisticated techniques used by hackers to target the large databases that are worth millions of pounds to criminal gangs. His firm has developed behavioural intelligence software that alerts IT staff if unusual activity is occurring on the network, such as someone downloading lots of files and burning a CD at the same time.
But ultimately, he says, data security is about more than just having the right technology in place.
Woollacott says: “Everyone in the organisation has a role to play in ensuring the risks are minimised. All employees should live and breathe data security in their day-to-day roles.”
Case study: Deloitte
Business advisory firm Deloitte has added an identity theft protection option to its flexible benefits scheme, which all 11,000 of its UK employees can choose as part of their annual benefits allowance.
The service, which has just become available, is run by credit reference agency Credit Expert and works by sending out an e-mail or text alert to users if there is major financial activity involving any of their accounts.
“If someone tries to take out a credit card or applies for a mortgage in your name, or spends a large amount on your credit card, you will be alerted,” says Deloitte’s head of reward Neil McKie.
“Obviously, it may just be you who is carrying out these transactions, but if it’s not, you are in a position to stop it. Otherwise, you just wouldn’t know.”
If users fear they are the victims of identity theft they can contact Credit Expert, which will in turn ring the necessary banks and agencies and get to the bottom of what’s going on.
McKie says a key issue with identity theft is that people don’t know who to get in touch with when it happens.
“But Credit Expert is a specialist in undoing the mess. A typical identity fraud case takes around 300 hours to unpick,” he says.
According to McKie, the service is ideal for Deloitte employees – professional staff generally earning high salaries and living in good postcode areas – and about 400 staff have so far opted for the benefit.
“But with the extra publicity around identity theft caused by the HM Revenue & Customs incident and others, I’m expecting more people to join the scheme this year,” he adds.
Case study: Network Data Holdings
Despite the current spate of data loss horror stories, Andreanna Eyre, the head of HR at Network Data Holdings, a group of companies providing intermediary services to the mortgage and property industries, is confident her staff records are secure.
This is because, when she joined the company seven years ago, Eyre took the step of transferring the database containing all employee information onto a standalone server that is not connected to the main company network and cannot be accessed via the internet.
She says: “It is a totally independent database that is not open to the world, so hackers have no chance of getting to it. The only people that have permission to access it are the HR staff and one IT administrator.
“When I came into the job, I took a step back, looked at our processes, and identified where the risks lay. I felt being part of a big network could potentially put the records at risk.”
With only several hundred employees in the company, Eyre admits this solution may not be possible at large multinational organisations. But for small- and medium-sized businesses she feels this solution will ensure a breach of security is unlikely.
“I’m a bit old school and believe individual employee records should be the responsibility of HR,” she says. “If you have a good understanding of your requirements and the security measures needed, you should have no problem sourcing the right solution from technology providers.”