Build up a digital defence

Data breaches are a costly mistake that few can afford to make, says Philip Chadwick


Last week was not a good one for the Skipton Building Society. More than 3,000 of its customers discovered, to their horror, that their monthly statements contained the highly sensitive details of other customers' accounts - names, account numbers, balances, the lot. Skipton attributed this PR disaster to 'third-party error', otherwise known as a dreaded 'printing error'.

Such stories are an embarrassment for the brand as well as the third party in question (see page 4). They illustrate just how important it is to get a grip on data. Not only because failure to do so can damage reputations, but also because it can be an expensive mistake - you can be fined up to £500,000 by the Information Commissioner's Office (ICO) for breaching data laws.

Last year, new powers were granted to the UK's data protection watchdog to curb data breaches. The ICO demanded this after a host of reported breaches in 2007 and 2008, which prompted the European Commission to put pressure on the UK to tighten up its compliance to Europe-wide data regulations. The result is stiffer financial penalties, and it's an area that has plenty of relevance to print.

The rise of personalised digital print over the past few years has meant that more and more printers are having to handle sensitive data on a regular basis.

While there are plenty of ways to ensure that you stay on the right side of the law, it's worth noting that there are no magic solutions: handling data sometimes requires a complete rethink in the way your business operates.

Stories about data leaks are hardly new. For the past couple of years they have been a staple of the national news media. Some particularly sloppy examples include HM Revenue and Customs misplacing the personal details of 25m people claiming benefit, while the Ministry of Defence lost the National Insurance, passport and bank details of 600,000 new recruits along with the laptop they were held on.

Bolstered powers
It's these types of leak that the ICO is keen to prevent. In October 2008, it published a report revealing that there had been 277 data breaches since November 2007 - 80 of them in the private sector. At the time, the Information Commissioner, Richard Thomas, called for "stronger powers, resources and sanctions" to curb data breaches. Since then, an amendment to the 1988 Data Protection regulations has granted the ICO new powers to impose fines.

James Lewis, managing director of secure file transfer specialist Pro2col, confirms that the European Commission is getting tough on such laptop lapses.

"All of this is being driven by Europe," he says. "The ICO has been effectively told to pull its finger out. I would bet that by April, the ICO will be making an example of a few companies and that could include a high-profile one. Government departments are one set of players that are desperate to get their houses in order."

With those words of warning in mind, printers ought to be making sure they have the right procedures in place for handling sensitive data. But Lewis says that thanks to market conditions, it's not as high on their list of priorities as it should be.

"Are printers banging on our door looking for secure solutions? The answer is no," he says. "There is currently a trade-off between data security and investment. We have some success stories in the market, but the market isn't in great shape right now and print companies don't have a great deal of resources to invest in technology."

Coded solutions
The scale of the problem is frightening. Lewis says he has visited many print firms whose systems "won't cut the mustard" if the ICO ever had to investigate any data breaches.

"I've seen file transfer sites that have been implemented terribly. One FTP server had an anonymous log-in and linked through to data about all the company's customers. It was a schoolboy installation. FTP is antiquated, but at the moment it is prevalent and serves a purpose. It does not cost the earth to put in a standard and secure FTP solution," he says.

Encrypting data is vital. What compounded the missing HM Revenue and Customs data fiasco was that the CD containing the files wasn't encrypted. Lewis says that if a company is handling sensitive information, its communication channel also needs to be encrypted.

When sending files through the web, it's important to have the security in place to put off potential hackers. "There are myriad encryption products that can do that," he adds.
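The anonymous FTP install and the unencrypted channel described above, as an added example that is not part of the article: a small auditor that reads a vsftpd-style configuration (the option names are vsftpd's, an assumption about the server in use) and flags both weaknesses. The two configs are constructed samples, not taken from any real server.

```python
# Added example (not from the article): a small auditor for a vsftpd-style
# FTP configuration that flags the two weaknesses described above, anonymous
# log-in and an unencrypted channel. Option names are vsftpd's; the configs
# below are constructed samples, not from any real server.

def parse_vsftpd(text):
    """Parse KEY=VALUE lines (no sections); '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().upper()
    return settings

def audit(settings):
    """Return a list of findings; an empty list means no weakness found."""
    findings = []
    # Upstream vsftpd defaults anonymous_enable to YES, so treat a missing
    # key as enabled rather than assuming a distro override.
    if settings.get("anonymous_enable", "YES") == "YES":
        findings.append("anonymous log-in allowed: any client can read the share")
    if settings.get("ssl_enable", "NO") != "YES":
        findings.append("ssl_enable is not YES: credentials and files cross the wire in clear")
    elif (settings.get("force_local_logins_ssl", "YES") != "YES"
          or settings.get("force_local_data_ssl", "YES") != "YES"):
        findings.append("TLS is optional: clients can still fall back to plaintext")
    return findings

# Constructed sample: the kind of install the article calls a "schoolboy installation".
WEAK_CONFIG = """
listen=YES
anonymous_enable=YES
# customer data sits behind the anonymous share
anon_root=/srv/ftp/customers
local_enable=YES
ssl_enable=NO
"""

# Constructed sample: same server with anonymous access off and TLS enforced.
HARDENED_CONFIG = """
listen=YES
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""
```

Running `audit(parse_vsftpd(WEAK_CONFIG))` returns two findings, while the hardened sample returns none; a config with `ssl_enable=YES` but either `force_local_*_ssl` set to NO is reported as optional TLS.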

But while investing in software is one solution to making your data secure, there are other factors to consider. Chris Parkinson is group compliance director at Lateral Group and has several qualifications in data protection. He says that if a print firm is going to get involved in handling data the first thing they should do is register with the ICO.

"Why should you be registered? Because you are breaking the law if you aren't," he explains. "Lots of businesses don't realise this. If you go into it cold then it can seem quite daunting. The ICO's website (www.ico.gov.uk) provides a lot of help - it takes around an hour to fill out the forms."

Cultural shifts
Getting the appropriate forms is one thing; the other is getting the right culture in the business. Parkinson observes that it's all about having solid policies and procedures in place at a company. This means that staff in any operation need to know exactly what they're dealing with.

"If any individual does not understand the seriousness of what they are looking at then you have problems," he says. "The culture of the business needs to be right and you need to have policies in place."

Obtaining ISO 27001 is one way to demonstrate to a potential client that you've got your data house in order. However, this isn't an easy accreditation to achieve, requiring plenty of time and resources. Parkinson suggests that the Direct Marketing Association's (DMA) DataSeal standard is a more useful and realistic option for companies that use consumer data for marketing and third-party marketing.

Launched last month, DataSeal has been backed by the British Standards Institution. DMA chief of membership and brand Robert Keitch explains that it was proposed following several high-profile instances of data theft, loss and misuse. He adds that implementing robust security measures should be a top priority for firms that hold sensitive customer data. "Not doing so could strike a serious blow to their bottom line."

Lateral Group's Parkinson applauds the DMA's efforts. "They are trying to build a pathway for DM companies to enhance their data security," he says. "Data is a very complex area and you need to make sure that you have the right solutions in place. It's not nice if you don't and get caught out. Individual directors can face going to prison for breaches in data security. Your company's reputation is likely to suffer too; you would lose your clients and put off potential ones. In this day and age, could your business survive such a loss?"

Clearly, it's not a risk worth taking. If the ICO is going to come down like a ton of bricks on any company found to be in breach of the regulations, it's a good idea to get your data house in order now, before you're caught out.


TOP TIPS: GETTING STARTED
- Before you start handling any kind of sensitive data, you must register with the Information Commissioner's Office
- Encrypt both the data (especially if you have to carry it on a memory stick or CD) and the communication channel
- Make sure that everything is protected with proper passwords
- Keep sensitive information on-site if possible
- Maintain the strong line on data protection all the way through the production process
- Train your staff to understand all of your practices and procedures. Reiterate to key staff the importance and sensitive nature of the data they are handling