LINETIME - IT Solutions for the Legal Profession


Credit Collection & Risk Magazine Article

21st January 2008

Protecting Your Data

When the Data Protection Act 1998 came into force it put a legally binding duty of care on all organisations that stored the personal information of individuals. Under the Act they have to safeguard the integrity of such personal data and ensure that it is not disclosed in any form to any unauthorised person or persons.

The Data Protection Act is mandatory and all organisations that hold or process personal data must comply with its regulations. Therefore it’s incumbent upon such organisations to be aware of the detail of the Act and how it relates to their business. See: http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_1

As has been widely publicised, a significant breach of the Act may have occurred recently through the loss of discs containing the personal information of millions of British citizens.

As an organisation involved in credit management you will be similarly responsible for the secure storage, retrieval and transmission of potentially millions of pieces of personal information.

Are you sure that you are legally entitled to hold all the data that you have on file?
Are you confident that your in-house, mobile and online access systems and transmission procedures are totally secure?

These are just some of the questions legal and credit management firms must review on a regular basis if they are to stay on the right side of the Data Protection Act.

One way to ensure that you do is to establish and maintain a ‘security plan’ within your organisation.

Unfortunately, too many firms see data security as an unnecessary expense because it has no immediate impact on the bottom line. We would suggest instead that, rather than categorising such security as an IT concern, you should treat it as a business issue. Offline and online data access has become an intrinsic part of conducting modern business, which makes security planning as important as any other form of business planning, irrespective of the legal obligations.

We therefore recommend the establishment of an organisation-wide security plan and regular security audits. When conducting such in-house operational audits, look for unsecured, badly configured or unauthorised transmission devices such as modems; a single one can undermine the most detailed security plan. Staff may set up modems that accept connections with no password or an easily guessed one. Such modems are found by 'war dialling', in which an attacker's computer calls a block of telephone numbers in sequence until one answers with a modem tone and offers a dial-up logon.

If a computer with a rogue modem is connected to your organisation's network, almost anyone with the appropriate skill and malicious intent can use it to reach your network. Firewalls do not protect against this type of attack: the intruder comes in over the phone line, bypassing the firewalls that guard your network borders. Your audit should therefore include a physical inventory of modems and a war dial of your own telephone number ranges, with the results compared against the list of authorised devices.

Security planning is not only about how personal information is stored. It covers what data is held, how it is stored, and how it is transmitted and copied between one location and another. Encryption techniques and password protection policies should therefore be an integral part of the plan and reviewed on a regular basis.

In addition, the physical security of IT equipment is an important factor to be included in any comprehensive security plan, as is the physical access to sensitive data storage areas and the policy regarding regular data and transaction backups and off-site storage.

With the increasing use of portable computers for both offline and online data processing, the risk of data loss has increased enormously. According to the insurance company Safeware, over 600,000 computers were stolen in the United States last year. Many of these thefts compromised company networks and confidential data.

Reportedly, over 60% of computer attacks in government agencies, corporations and educational institutions in the United States were attributed to mobile PC theft, and in the same year mobile PC theft resulted in $6.7 million of losses. These statistics underscore the importance of regular archiving of all documents, folders and settings so that you can retrieve the data if your mobile PC is stolen or the hard disk drive fails. However, no matter how you back up your data, if it contains personal or confidential information about one or more individuals you have a responsibility under law to ensure that it is totally safe and secure; the backup copies are personal data too.

When holding information on mobile devices or transmitting data, either physically or via the Net, an increasing number of IT managers are building data encryption into their security plans. Encryption is the transformation of readable data into a form that is unintelligible without the corresponding decryption 'key'; whoever obtains the encrypted data but not the key learns nothing useful from it.

You may have a firewall and antivirus software installed on your mobile computer, but these only protect you from attacks that arrive over the network. What happens to your confidential files if your laptop is lost or stolen? Encrypting your data means that losing the computer need not mean losing control of the data. With Windows XP Professional, you can help protect private customer, financial and other personal information by using its Encrypting File System (EFS).

When you encrypt a file or folder with EFS, Windows generates a random file encryption key for that file and uses it to encrypt the contents. The file encryption key is stored with the file, itself encrypted with a key that belongs to your user account, so it can only be recovered by someone logged on as you (or by a data recovery agent that an administrator has designated). Windows XP Professional makes the process easy: open the file or folder's Properties, click Advanced and tick 'Encrypt contents to secure data', or use cipher.exe from the command line. When you are logged on, you read and edit the files as normal; anyone who uses the computer without your logon sees only unreadable data. Two things follow from this. First, EFS is only as strong as your logon password: set the computer to require a logon at start-up and after a short period of inactivity, and use a password that a thief cannot guess. Second, back up your EFS certificate and private key (or have a recovery agent designated), because if the key is lost through a reinstall, a deleted profile or an administrator resetting your password on a standalone machine, the encrypted files cannot be recovered by anyone.
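Added example (not code from Linetime, Microsoft or the Encrypting File System itself): a small Python model of the key arrangement described in the two paragraphs above, to make concrete why losing the laptop does not have to mean losing the data. Each file is encrypted under its own random file encryption key; that key is stored with the file, wrapped under a key only the logged-on user can reproduce (here derived from the logon password with PBKDF2, a stand-in for the user's EFS certificate and private key), and optionally under a recovery agent's key. The names, passwords and sample record are assumptions; the HMAC-SHA256 stream cipher is used so the example runs with the Python standard library alone and is not what EFS uses.

```python
# Added example (not Linetime's, Microsoft's or EFS code): stdlib-only model of
# per-file keys wrapped under a user key and a recovery agent key.
# Assumptions: PBKDF2 of the logon password stands in for the user's private key;
# HMAC-SHA256 in counter mode stands in for the cipher. Sample data is constructed.
import hashlib
import hmac
import secrets
from typing import Optional

NONCE_LEN, TAG_LEN, KEY_LEN = 16, 32, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter) blocks."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting: a wrong key fails loudly, never silently."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def _user_key(password: str, salt: bytes) -> bytes:
    """Stand-in for the user's private key: derived from the logon password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000, KEY_LEN)


def encrypt_file(plaintext: bytes, password: str, recovery_key: Optional[bytes] = None) -> dict:
    """Fresh file encryption key (FEK) per file, wrapped for the user and, optionally, the recovery agent."""
    salt = secrets.token_bytes(16)
    fek = secrets.token_bytes(KEY_LEN)
    record = {
        "salt": salt,
        "wrapped_fek": _seal(_user_key(password, salt), fek),
        "ciphertext": _seal(fek, plaintext),
    }
    if recovery_key is not None:
        record["recovery_wrapped_fek"] = _seal(recovery_key, fek)
    return record


def decrypt_file(record: dict, password: str) -> bytes:
    """Unwrap the FEK with the user's key, then decrypt the body."""
    fek = _open(_user_key(password, record["salt"]), record["wrapped_fek"])
    return _open(fek, record["ciphertext"])


def recover_file(record: dict, recovery_key: bytes) -> bytes:
    """The recovery agent reads the file without knowing the user's password."""
    fek = _open(recovery_key, record["recovery_wrapped_fek"])
    return _open(fek, record["ciphertext"])


def change_password(record: dict, old_password: str, new_password: str) -> dict:
    """A password change only re-wraps the FEK; the file body is not re-encrypted."""
    fek = _open(_user_key(old_password, record["salt"]), record["wrapped_fek"])
    new_salt = secrets.token_bytes(16)
    return dict(record, salt=new_salt, wrapped_fek=_seal(_user_key(new_password, new_salt), fek))


if __name__ == "__main__":
    doc = b"Client: A N Other, account 1234, balance GBP 1,250.00"  # constructed sample
    rec = encrypt_file(doc, "correct-horse-battery", recovery_key=secrets.token_bytes(KEY_LEN))
    print("round trip ok:", decrypt_file(rec, "correct-horse-battery") == doc)
    try:
        decrypt_file(rec, "Password1")
    except ValueError as err:
        print("wrong password:", err)
```

Running the block shows the round trip, a refused attempt with the wrong password, a password change that re-wraps only the file key, and recovery through the agent's key. It also shows the practical point made in the text: the wrapped key is only as strong as the password that protects it.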

There are a number of proprietary data security tools for advanced access control, encryption and audit that provide much more than the standard Windows security services. Such software lets an administrator control access rights to files and folders not only per user but per application and system process as well, protecting data against disclosure, theft, modification, corruption and deletion by another user or by malicious programs such as viruses, trojan horses and spyware.

Such Windows-independent security systems let the administrator set access rights for individual users or for individual applications. For example, the administrator can forbid access to all .doc files for every application except Microsoft Word; thereafter, even if a virus runs on the system, it cannot read, corrupt or delete those files. Likewise, a peer-to-peer file-sharing program can be confined to the files in its own folders, so that even if it launches a trojan, the trojan gets no access to client data or system files. The standard Windows security services cannot achieve this, because they decide access on the rights of the user account, and any program the user runs, trojan included, inherits those rights; the more advanced systems decide access individually for each program.
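Added example (not any vendor's product code): a Python model of the difference the paragraph describes between deciding access by user and deciding it by program. The Windows paths, the policy rules and the sample requests are assumptions constructed for the illustration, and programs are identified by path for brevity; real products bind policy to the executable's hash or signature so that a renamed trojan cannot borrow a trusted name.

```python
# Added example (not a vendor's code): per-user ACLs beside a per-program policy.
# Assumptions: all paths, rules and requests below are constructed for the
# illustration; programs are identified by path only, which a real product
# would replace with a hash or signature check.
import fnmatch

# Per-user model (standard ACLs): what a *user* may do to a path.
USER_ACL = {
    "alice": {
        r"C:\Clients\*": {"read", "write", "delete"},
        r"C:\Program Files\*": {"read"},
    },
}

# Per-program model: what a *program* may do, whoever launched it.
# Anything not listed here is denied (default deny).
PROGRAM_POLICY = [
    {"program": r"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE",
     "files": "*.doc", "ops": {"read", "write", "delete"}},
    {"program": r"C:\Program Files\P2PClient\p2p.exe",
     "files": r"C:\Program Files\P2PClient\*", "ops": {"read", "write", "delete"}},
    {"program": r"C:\WINDOWS\explorer.exe", "files": "*", "ops": {"read"}},
]


def _match(pattern: str, path: str) -> bool:
    """Case-insensitive glob match, as Windows paths are case-insensitive."""
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def user_acl_allows(user: str, path: str, op: str) -> bool:
    """Standard model: a process inherits the rights of the user who started it,
    so a trojan running as 'alice' gets everything alice has."""
    return any(_match(pat, path) and op in ops
               for pat, ops in USER_ACL.get(user, {}).items())


def program_policy_allows(program: str, path: str, op: str) -> bool:
    """Per-program model: the executable itself must be granted the operation
    on that path; the user's rights do not transfer to it."""
    return any(_match(rule["program"], program) and _match(rule["files"], path)
               and op in rule["ops"] for rule in PROGRAM_POLICY)


def decide(user: str, program: str, path: str, op: str):
    """Both layers must agree. Returns (allowed, reason)."""
    if not user_acl_allows(user, path, op):
        return False, "denied by user ACL"
    if not program_policy_allows(program, path, op):
        return False, "denied by program policy"
    return True, "allowed"


# Constructed requests, not captured from a real system.
REQUESTS = [
    ("alice", r"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE",
     r"C:\Clients\smith.doc", "write"),
    ("alice", r"C:\Program Files\P2PClient\p2p.exe",
     r"C:\Clients\smith.doc", "read"),
    ("alice", r"C:\Documents and Settings\alice\Local Settings\Temp\invoice.exe",
     r"C:\Clients\smith.doc", "delete"),
    ("alice", r"C:\Program Files\P2PClient\p2p.exe",
     r"C:\Program Files\P2PClient\shared\song.mp3", "read"),
]


def evaluate(requests=REQUESTS):
    """Return (path, op, program name, allowed, reason) for each request."""
    return [(path, op, program.rsplit("\\", 1)[-1]) + decide(user, program, path, op)
            for user, program, path, op in requests]


if __name__ == "__main__":
    for path, op, program, allowed, reason in evaluate():
        print(f"{program:12} {op:6} {path}: {reason}")
```

The trojan's delete request is refused by `decide` even though `user_acl_allows` grants it, which is the point the paragraph makes: the trojan runs with alice's rights, so per-user ACLs cannot tell it apart from Word, but a per-program policy can.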

To protect data from loss, users can back up encrypted files to any external device the host operating system can see. Note, though, that EFS encryption is a property of the NTFS file system: a file copied to a FAT-formatted memory stick or burned to a CD is written in the clear, so backup media holding personal data need their own encryption, and the backups must be stored and transported with the same care as the originals.

In summary, remember that the Data Protection Act is not a set of guidelines it’s the law and hence your computer systems must reflect its regulations concerning the personal data of the individual.

Phil Snee
Development Director
Linetime Limited
