Posts Tagged ‘data loss’

Data loss is only one component of data breach.

Tuesday, December 2nd, 2008


In years gone by, the main (even sole) concern which businesses had regarding data was the direct consequence to themselves of losing data. The questions they asked themselves centred around an inward looking theme.

What data do we need to retain to ensure survival?
How will data loss affect us?
How long will it take us to get back up and running should we lose data which is backed up?
Will we be able to get back up and running if we lose data which is not backed up?

These are all valid questions, but every one of them misses the main concern, which has always existed but has come to the fore in the past few years.

How will it affect other people and organisations?

Just to bring some clarity to inward looking people, the above question also equates to the following.

Will we be sued, prosecuted or shown in the media to have compromised client data?

This changes the perspective and adds a whole new required functionality to the issue. We are now moving up from basic backup to actual data protection.

So, a manual drag and drop of files to an external pen drive or hard drive which is bandied about in a director's car at night may, to a small degree, offer an element of simple backup. On the other hand, it very likely increases the risk of data loss significantly. This is not recognised by companies and individuals who are only interested in retaining a copy of data for themselves. If they look beyond this blinkered and recklessly narrow focus they will see that the net effect is to place copies of client data in dangerous situations.

Ask yourself this.
Would I be satisfied if every company I have ever dealt with had personal and identifiable information pertaining to me being driven about in staff cars overnight?

Absolutely not. All this does is increase the number of potentially available copies of this information for the companies involved and also increase the risk of breach to those about whom the data relates.

So, simple backup is too narrow a focus. Offsite storage only helps if being offsite does not itself increase the data protection risk.

The next time you consider the importance of a file, don’t just consider how much you need that file. Also consider how much others need that file (and any other versions of it applicable to you) protected from public release.


xdrive stop charging customers

Wednesday, November 12th, 2008


There has been much talk and speculation about X-Drive for some time now. As of one week ago they stopped charging clients and those same clients have until January 12th to remove their data.

The biggest question is: What happens to clients who do not know about or react in time to the closure?
The official xdrive answer is this.
“After January 12, 2009, you will no longer be able to access your Xdrive account. All files and data will be permanently deleted and you will no longer be able to retrieve your files.”

This is unbelievable. Need it from the horse's mouth? See question 3 of their notice, on how xdrive will delete client data.

This is hardly the level of data protection one would expect. This is not the level of data availability which would have been considered acceptable at sign-up. As for data loss, well, this looks to be a future data loss story for some. Having an online store (or thinking you have an online data store) could cause recklessness at the client end, and while this may be questionable from the viewpoint of the client's responsibility, clients can hardly be held responsible all on their own.

An obvious and far from well thought out response to the horror of this would be to say that a closing entity cannot and should not keep client data. A little more client concern would surely result in, at the very least, a far longer zero charge period. Notice during the paying period does not equate to giving something to those clients who are inconvenienced and may be ruined by the closure. Realistically, any inability to directly communicate the details of the intended closure, with a verified response from every single client, should be seen as of absolute importance. Logs of verified client-end account closure could provide a list of accounts which have not been closed. A good communications campaign should result in a short list of accounts pertaining to uninformed or unresponsive clients. These accounts could then be kept open, or at least the data retained, for a far greater non-billing period than two months.
After all, many providers will give a two month trial. If this can be offered to potential clients, many of whom will never pay, surely a far greater period could be given to actual clients.
This all blows smoke in the face of the real question. Why close xdrive?
The answer obviously has to do with financials, but the proximate cause of this type of result generally has more to do with aggressive client acquisition through weak cost benefit analysis.

This is common in the data storage industry. You the end user are offered much space and limited functionality and support on the basis of economies of scale and guesstimates about data transport cost.

If the provider gets it wrong, i.e. the other clients don’t join and behave as anticipated, this makes your online storage “data non grata” and at risk of suffering the plight of the xdrive client.

The moral of the story is that you get what you pay for. If this was lucrative for AOL this would not be happening. If it was considered viable by outside entities (and this does not require it to be lucrative) it would be bought. There will however be no buyout or merger honeymoon for xdrive clients. For most it is provider divorce. For some it may be data divorce.


Your date with data breach.

Wednesday, November 5th, 2008


If you read the papers, watch the TV news, listen to radio reports, browse the Internet or simply go around with your ears open you will be aware that data breach is more than common. The Internet has brought many advantages to business. It has however changed information security from a task to an ongoing process. The continual data breach instances you hear about are just a drop in the ocean. The data loss incidents you hear about in the media are generally those of great significance to small business or any significance to big business. Every breach which makes the headlines is likely representative of thousands which don’t or may in the future.

If you do want to follow data breaches in far greater numbers then a good starting point would be to sign up for breach reports from The Breach Blog. This excellent resource is owned and managed by FRSecure. Its focus is very much American, but this does not limit its ability to paint a picture of what is happening worldwide.

The breach blog is regularly updated and is well presented in snippet format so you can browse through the basic stats of a wide number of data protection issues affecting numerous organisations and then focus on any specific entry which interests you. You may then see extended information regarding the breach you want to read about.

So impressed are we with this blog that we are inviting the Breach blog administrator to participate in our Who’s who in data interview series.

We await the reply eagerly and will update you on the response.

UK Cabinet office official to be charged over data loss.

Monday, September 29th, 2008


You may recall the story from the UK in June 08 of this man who, for security reasons, must remain anonymous. He is a cabinet office official. He left top secret documents on a train. These documents were subsequently handed over to the police via the BBC. The actual specific content of the documents has not been released en masse, but they may have been viewed by the person or persons who found them, any number of associates of theirs, any number of BBC staff and members of the police force.

The man at the centre of this investigation was on Ministry of Defence secondment. There is no suggestion that this was a negative secondment. There is no clear information as to it being positive or normal either.

The only real indication here of an absence of criminal intent is the part of the act (clause 8.1) under which the man is being charged. This is one of the least serious charges and would point to misfortune with serious information rather than any premeditation.

The documents' contents globally provided information about Iran’s military capability and data pertaining to Al-Qaeda. It was believed that this case would be handled by the MoD. The Crown Prosecution direction may be a consequence of the handing over of the documents by the BBC to the police and not the MoD. This could however have no bearing and be a consequence of the sensitivity of the information. It is unusual, however, given the general consensus that if the charge is under clause 8.1 there is likely no suspicion of intent.

The man at the centre of this case has been moved to an unnamed location. Given that his name has not been released and he has now been moved to an unnamed location one would hope that he has close family who will be following the case and his progress in time to come.


Data loss compensation in Europe

Thursday, August 28th, 2008

Data loss is something you may read about frequently. You may have had your own details breached or likely know someone who was affected. It is far less likely that you know someone who was compensated due to data loss. When was the last time you heard of data loss compensation? It is quite possible that data about you has been lost and you were not informed. It is much less likely that you will ever be compensated for any data loss incident.

With all the coverage data loss stories get in the newspapers, on television, on radio and indeed on blogs, it is remarkable that most people will never have heard of a data loss compensation case, let alone know someone who was compensated. This is not specific to Europe, but given the existence of a European commissioner and data commissioners in every member state, Europe is a good place to start.

Data loss is on an upward climb. Data loss awareness has certainly not been left behind. The media's continued coverage of data loss stories is a good indication not necessarily of the dangers presented by data loss (which are very real) but more so of the keen interest the public have in data loss news stories.

Some may believe that a data loss news story about a bank or corporation is near punishment enough for that institution. This may have been the case some time ago when the number of data loss news stories was minimal compared to now. Today however, a single data loss story will struggle to stand out.

Large businesses appear to continue without great difficulty after a data breach. The situation has become so common that some people may consider the occasional data loss event as normal! How come?

Here are some of the reasons.

Sanction.

Some of the possible sanctions which exist for data loss may appear quite serious to the individual or the small business, but given that sanctions are on a per incident basis and not on a per person affected basis, they don't actually have much effect on the bottom line, and therefore on the planning, of a bank or large corporation. What effect will a fine of one or two million Euros have on a major financial institution?

Breach procedure.

The existence of data protection legislation and data commissioners is intended to provide a level of protection for the public. The number of cases has now reached such a level that an organisation can take the procedures adopted and the outcomes of prior cases as a learning curve in how to deal with a breach from the organisation's viewpoint. A basic example is that simply reporting an incident on time (no matter how serious the incident is) removes that incident from the worst case scenario list. Organisations will use this, and spokespersons will repeatedly say things like “The incident was reported within an appropriate time frame”, giving credence to an organisation which has compromised individuals due to its own failure to implement safeguards.

Compensation.

Data loss compensation is the most important issue here. You are not entitled to compensation because an organisation lost your data. If you need to read that last line again, go ahead. This applies even if the company lost your name, address and bank account number. The data loss has to result in a specific problem, such as a crime against you, and you need to be able to clearly demonstrate the link. This is rare and unusual compared to the number of people about whom data is lost.

Number of events.

The number of data loss events reduces the significance of any one story and therefore the impact on the organisation involved. The apparent across the board inability of large numbers of organisations to protect data is actually to a degree legitimising their inaction.

Compensation requirement.

Large fines for corporations are not working. Prosecution at CEO level is always difficult and could be unfair. It’s all too easy to say a CEO is responsible for the business, but most moderate people would agree that a line must be drawn somewhere.

A small standardised data loss compensation amount per individual could change everything. This would result in large corporations increasing protection, as one mass data loss could hurt. It would also provide recognition that to lose someone's data in a manner which puts it in the wild is wrong, and is a wrong against that person.

By all means, if people were significantly affected by a data loss the door would be open for greater compensation at individual case level, but one thing (of many) that is needed to greatly increase protection and data respect is a small per person, per case standard amount.

This would not be difficult to implement in Europe (if the will is there) as we have a broadly common framework and this area is in its infancy (one hopes given the apparent lack of control) and clearly needs broad, common action.

The specifics of the amount are not important if it is small enough to be accepted by industry and large enough to make data loss prevention a serious issue.
