This week we learnt that HM Revenue and Customs finally misplaced the 25 million database records they’ve been trying so hard to lose all year through negligence and gross misconduct. I am shocked, but not surprised, at the revelation that the Government has put millions of people at risk of fraud. I’m sure this is just one example of a situation in which public bodies have shown contempt for personal privacy and security.

Why am I not surprised? Because this outcome is the inevitable result of centralising such a large amount of data, then making it available to thousands of authorised users from hundreds of access points. Such databases are IMPOSSIBLE to secure. The Government has been told this many times by eminent security experts, so why does it persist in putting forward ever grander (and riskier) data aggregation and sharing schemes?

The Government wants to take control of our identities, but this incident shows it’s not fit to look after them. The only reason some of the population hasn’t had their security compromised this week is that they don’t have children!

The way to protect sensitive data about individuals is to segregate it, to decentralise it and to empower the individuals to whom it refers to control its use. After all, they’re the ones with the best incentive to take care of it, as it is they who are affected if it falls into malicious hands.

I invite you to join me in rejecting and resisting the data kleptomania of the Government of which you are a member. Rebel! Don’t let these ill-conceived, dangerous policies trample our rights. Help save us all from the tyranny of the database state.

I would be interested to hear your views on the matter of ID cards in particular, and Government’s use of information on citizens in general, in the light of this week’s events.

Yours sincerely

Richard King.

This kind of security breach is nothing new. In fact it happens on a frequent basis, though the news is often buried by companies fearing a consumer backlash.

These problems will continue to plague users until firms start taking privacy seriously. In practice this will only happen once it makes economic sense for them to invest in better security.

In late April, a US Government identity theft task force recommended federal legislation requiring companies to disclose security breaches that expose private information. The aim is to make failing to protect customer privacy more expensive than burying the problem.

This will work because it incentivises those who are in a position to improve security to take action.

If the recommendations become law, I think we can expect all kinds of interesting privacy innovations from the US market. An example appeared in my RSS reader today, suggesting that companies should appoint a Chief Privacy Officer (CPO) (via SecGuru).

A CPO is responsible for identifying information that should be protected (the “what”); Chief Security Officers (CSO) are then responsible for securing it (the “how”). The two roles complement each other.

In the UK, companies that handle private information are already required to comply with the Data Protection Act 1998. A Data Protection Officer – similar to a CPO – often takes responsibility for this within an organisation. However there are currently no requirements for breaches of privacy to be published, so Data Protection Officers regularly operate reactively, in contrast to the proactive CPO. This is especially true in smaller companies that can’t afford to employ a dedicated person in the role.

In the article, CPO Chris Zolads highlights the growing economic incentives for companies to take seriously the management of private data (or “custodianship”, as he sees it):

“Good privacy is good business. The stakes in this area are constantly getting higher and higher . . . now we’re reading about [data breaches] in major media outlets,” he said. “That’s done a lot for consumer awareness . . . and has raised the consciousness and awareness of our managers. That’s a positive move forward.”

It seems unlikely that laws similar to the US proposal will be passed in the UK anytime soon. Data protection legislation is harmonised across the EU – an organisation that moves more slowly than the landmass on which it sits. However if such laws prove successful abroad, the pressure on industry and the UK Government to act will increase.

I certainly hope that PlusNet take a leaf from this new US book of customer privacy – and that’s a phrase I never thought I’d see myself type!