Take the case of Juan Renteria, 22, who worked at a printing plant in Wisconsin, US. He let slip pre-publication copies of Business Week that subsequently helped an insider-trading ring net more than $6.7m (£3.41m).
In this case, only Renteria, not his employer, McGraw Hill, was prosecuted, but the publisher’s data had been compromised – a serious breach of client trust – and it would have been asking serious questions about the printing firm’s security procedures.
Despite such cases, in the UK there is very little legal imperative for printing firms to improve data security, which covers everything from credit card details to customer IP held on site.
However, following the fiasco at HM Revenue & Customs (HMRC) last November, when one careless individual managed to lose 25m personal records, there have been calls for cases of data loss to be punishable by law.
The House of Commons’ Justice Committee and the House of Lords’ Science and Technology Committee have been most vocal. The Science and Technology Committee is pushing for a US-style data breach notification law, which would force any business to make public any loss of data. The Justice Committee goes further, urging that “reckless or repeated breaches of data security become a criminal offence”.
The investigation into HMRC continues, but it is widely expected that the final report by Kieran Poynter of PricewaterhouseCoopers will recommend tougher data breach and protection laws.
With such legislation almost inevitable, one way that printing firms can protect themselves is to gain certification – for instance, ISO 27001 – for IT systems and data management procedures. Unless you have a large IT team, it is likely you will need external help for this.
If you handle sensitive data, ISO 27001 will be a minimum requirement. If, as a merchant, you accept any of the major payment cards, you will soon be obliged to adhere to the Payment Card Industry Data Security Standard (PCI DSS). Supported by Visa, MasterCard, Amex and others, the scheme is not backed by law but it does carry weight.
There are many data security consultants who can advise you on how to become PCI DSS compliant. It will mean, at the very least, encryption, reliable drives, firewalls and backup.
Since the PCI scheme is voluntary, the temptation is to do nothing and hope for the best. That is fine until you lose a customer’s card details or have them stolen, and Visa or MasterCard withdraw your payment facilities or impose their own fines (this will be in the small print of your agreement).
Having said that, the payment card industry has struggled to introduce the standard, and numerous deadlines for compliance have come and gone – the next one is 31 March. It would be foolish to think the issue will go away, however. It won’t.
Finally, a word about your staff. They are not paid to be information security experts, and while security training is useful, it can be forgotten. People will always make mistakes, but with laws and fines looming, the best way to pre-empt such inevitabilities is to install smarter IT, sooner rather than later.
STAMP OUT DATA LEAKAGE
SC Conference
10 June 2008
For more information on this event, go to www.stampoutdataleakage.com
Other useful sites
www.pcisecuritystandards.org
www.parliament.uk/parliamentary_committees/justice.cfm
www.ico.gov.uk
Paul Fisher is editor of SC Magazine, the leading magazine for IT security professionals