Beyond the pail

The HMRC data disaster brought to mind a bucket. A bucket
full of water. And a bucket full of holes. And a bucket full of water and holes
and which, therefore, leaks remorselessly. But no matter how much the bucket
leaks, it never empties. Never. It’s always full of water. It sounds like a
sorcerer’s apprentice’s nightmare. And in a way, it is. Because although two CDs
containing data relating to 25 million beneficiaries of child benefit has been
lost, the fact is that the data itself hasn’t been lost. Data is probably the
only thing that can be stolen or carelessly mislaid, while never actually being
lost. Ctrl-c, ctrl-v has a lot to answer for. Ditto drag-and-drop. Hence the
bucket: data can leak out of an organisation, and yet never be lost.

Imagine for a moment what would happen if the leak of data meant its
permanent loss. Imagine slapping the details of 25 million people onto a couple
of CDs and the data simultaneously and permanently being wiped from the computer
whence it came. (If it makes it easier to get your head around this concept, try
imagining removing 25 million Roladex cards and then shipping them in a few
dozen crates.) You would take a lot better care of your data if you could
actually, permanently be deprived of it like this.

This then brought to mind the issue of risk, which also features quite
heavily in this month’s magazine: if the downside of having data stolen is
simply that someone else has a copy, then there’s certainly nowhere near as much
downside as if the data had actually been lost. Companies would take so much
better care of the information in their possession if improper use or copying of
data meant that they would no longer have it themselves. That’s the way it used
to be. And this could well be a good starting point for a data security
strategy: to treat information as precious as if the organisation could be
permanently deprived of it. If the data is so valuable that you would pay a
fortune for its safe return, then it probably makes sense to prioritise its
security.

Simple concept, more difficult in practice. Moreover, it’s not exactly true
to say that data misuse has no downside. The reputation of HMRC has certainly
taken a knock but that’s no big deal. We’re still going to have to pay our
taxes. For companies in the private sector, though, reputational risk is very
real, if a little intangible. When companies such as Norwich Union get hit with
a £1.26m fine, that does make the eyes water. Perhaps what is needed is some
really swingeing financial penalties in order to bring home the fact that data
comes with bone-crushing responsibilities.

But I readily concede there wouldn’t have been a lot of point in fining the
taxman.