The recent controversial WikiLeaks publications have yet again highlighted the potential dangers flowing from unauthorised data loss.

Whether loss is caused deliberately (where data is stolen) or carelessly (e.g. where it is left in a cab), the repercussions for businesses can be severe.

There is no such thing as a loss-proof strategy. This is largely because, no matter how secure the system, human action or omission is often to blame for loss. Worryingly, this appears to be on the increase. A report by KPMG (KPMG's Data Loss Barometer 2010) shows that data loss caused by malicious insiders has increased from under 5% of total incidents in 2007 to over 20% in 2010.

Given all of that, businesses need to develop bespoke risk management strategies to prevent loss (in so far as possible) and to minimise damage caused by loss (in the event it should occur). The implementation of robust strategies can help prevent or at least minimise financial and reputational damage flowing from data loss.

The sheer volume of data retained by businesses, and the number of ways in which it can be retained, sent, received and accessed, only serve to multiply the risk. Depending on the sophistication of the method of misuse, the source of unauthorised data loss may not always be readily identifiable, although, given enough time and resources, it can often be traced.

In developing a risk management strategy, careful consideration needs to be given to the following:

  • what information do we store and who has access to it?
  • is access restricted, and if not, does it need to be?
  • are staff appropriately educated about the risk of data loss?
  • do we need to invest in data loss prevention technologies?
  • do our contracts restrict the use of confidential data appropriately?
  • are we operating within the rules set down by the Data Protection Act 1998? (The Information Commissioner handed down its first monetary penalties for serious data protection breaches in November 2010, fining a county council £100,000 and a business £60,000.)
  • do we have a clear internal strategy in place for dealing with unauthorised data loss? (See previous article on "misuse of IT by employees".)

Consideration and regular review of these issues allows businesses to formulate and adopt appropriate strategies for preventing loss and for minimising the damage flowing from crisis situations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.