Much of the information that businesses, especially small and medium-sized enterprises, have stored on their computers could be illegal and could end up in the hands of criminals, an international consultancy that specialises in sensitive data has warned.
Most UK businesses are taking inadequate steps to safeguard their customers' personal data, everything from home address details to health records and passport numbers.
In isolation, these bits of information pose minimal risk, but when combined they provide the potential for serious acts of crime such as mortgage or loan fraud, a fact that the companies who hold them are often unaware of.
Following analysis of hundreds of UK organisations, from High Street retailers to national charities, identity protection specialists Ground Labs has discovered that the vast majority were storing some form of personal data without the knowledge or consent of customers.
In many cases, there was no requirement for this data to be stored in the first place. This unnecessary storage is often due to standard computer processes such as browser caches and automated email duplications.
“By the very nature of SMEs, they have to spend a great deal of time firefighting issues,” said Mohamed Zouine, European Director of Ground Labs. “We often see companies where a small team has responsibility for every technical aspect within the business. It’s a case of having lots to do with very little time and resource available.
“Data security becomes an afterthought if it’s even considered at all. Most SMEs do not realise that by storing this kind of data, even on a smaller scale, they are subject to the same, potentially crippling fines as larger businesses.”
Even charities are subject to strict regulations, points out Zouine. Earlier this month the British Pregnancy Advice Service (BPAS) was fined £200,000 following a serious breach which affected thousands of personal data records.
Ground Labs has recently launched a new ID retrieval software package called Data Recon. The programme is able to search through all levels of a complex IT infrastructure, seeking out and removing items of personal data.
Data Recon can recognise up to 80 types of sensitive information, from passport numbers to card numbers and even medical records. Ground Labs believes that this software should be part of a standard systems maintenance routine to eliminate the risk of such data being stolen.
During trials of the new software, a sample of 200 UK companies revealed that 168 were unknowingly holding information such as birth dates, driving licence details and home addresses – enough to take out a mortgage or substantial loan on behalf of their customers.
“For some time, banks have been high-profile targets for serious data hackers,” said Zouine. “As a result of this, many have tightened security measures and are especially vigilant to attacks of this kind. The issue is that other sectors, from hospitals to commercial businesses, are leaving themselves vulnerable. Without realising, they often hold huge quantities of information and are negating the effects of increased security elsewhere.”
There is some good news for smaller businesses, though. Earlier this month the European Parliament voted to endorse the EU Commission's proposals on data management for SMEs.
The Commission has agreed to the following:
Data Protection Officers: SMEs are exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity.
No more notifications: Notifications to supervisory authorities are a formality and red tape that represents a cost for business of €130 million every year. The reform will scrap these entirely.
Every penny counts: Where requests to access data are excessive or repetitive, SMEs will be able to charge a fee for providing access.
Impact Assessments: SMEs will have no obligation to carry out an impact assessment unless there is a specific risk.
The Information Commissioner's Office has more advice for small and medium-sized businesses.