I am one of 550,000 affected people who have had their personal
details exposed on the internet. (The total number of records is
more like 1.3 million.) So the whole world might have known
whether I've been involved in "at-risk sexual
behaviour" (which I haven't), along with other personal details.
It appears that an RCBS contractor who was doing website
development had copied the personal details to a development area
of the website where it was exposed to the internet. I assume that
the development area wasn't subject to the normal security
I have received the email from RCBS offering their sincere
apologies for the incident. But that's not going to solve their
I find it very frustrating that we all focus on cyber security,
important as it is. We should be focusing on the data. What data do
we have? Where is it? What is its content and value? What
happens if we lose it? And, most important: who in the
organisation owns it? Who is responsible for understanding our data
and protecting it like the gold that it is?
The way I see it we need to get serious about data, its content,
and value. Otherwise these sorts of breaches will continue.
Let's think about our attitudes around data.
One – No common sense. People don't
apply the same level of common sense in the electronic world as in
the physical world. For example, people readily click on links in
suspicious emails, then find that ransomware has encrypted all
their data and made it unusable. They then have to either pay a
ransom to the attackers (typically in bitcoin) or restore their
data from a backup. In the physical world people aren't so
casual with their assets.
Two – No ownership. Businesses are happy
to own the business processes and the controls associated with
them. For example, IT (the custodians of data) are happy to
own the infrastructure and the security associated with that
infrastructure, like cyber security and the access controls that stop me
reading payroll details. But who is responsible for understanding
the value of that data? That value is not just what it cost to collect
the data, or what it might be sold for. Thinking about data has to
include: What duties do I owe to the people who've entrusted
their data to me? How much value might my brand lose if I don't
keep that data safe? What would I lose if my data was
destroyed? Or if my competitors got it?
So from a data perspective, no common sense and no ownership: a
recipe for disaster!
We need to change our thinking, and fast. Businesses need to
understand what data they have, where it is, and people need to
take responsibility and ownership of that data. That's not just
All this being said, I agree that it remains in the public's
interest for the RCBS to collect information from blood donors. I,
for one, will continue to donate blood, and I hope this episode
doesn't stop others from doing so.
To print this article, all you need is to be registered on Mondaq.com.