Feature
posted 14 Jun 2007 in Volume 10 Issue 2
Cover story: Selling security
In February the Financial Services Authority (FSA) fined Nationwide almost £1m for a lost laptop containing client details, including addresses and account numbers. Customers could have been exposed to financial crime, it said. Could a law firm be next to get into a data-protection pickle? Installing encryption systems can enhance information security.
By Kieran Flatt
Spare a thought for the common burglar who suddenly realises the true value of the laptop he fenced for eighty quid in the back room of the local boozer.
“Criminals”, he reads in the Daily Mail, “could easily have used the information to make false applications for debit and credit cards”. For a professional thief, the experience must be akin to finding a winning lottery ticket the day after the deadline to claim it expires. By now the machine has most likely been re-formatted and hastily flogged on to an open-minded member of the public, probably for a few hundred pounds. But the Financial Services Authority (FSA) put a £1m price tag on the information – or, at least, that’s near enough what it fined the Nationwide Building Society for losing it.
Spare a thought, too, for the hapless marketing executive who had downloaded the account numbers, names and addresses of millions of customers onto the laptop. The FSA’s verdict suggests that the perpetrator of what turned out to be a highly embarrassing and costly security breach had no idea they were doing anything wrong.
Getting tough on complacency
The case is unusual because, as Nationwide and the police insist, no fraud has actually taken place. At the time of writing, some six months after the theft, it seems a long shot that some shadowy underworld figure is still lying low, poised to strike. So the only crime committed was the theft of the laptop itself; and yet the FSA believes that complacency with regard to data is so widespread in the financial-services industry – and constitutes such a serious problem – that it needed to set a precedent for tough punitive measures.
At an early stage in the investigation Nationwide bit the bullet, admitted liability and called in experts from KPMG to tighten up its processes. This good conduct secured a 30 per cent discount on the fine, which would otherwise have totalled £1.4m.
Wake-up call
The judgment against Nationwide will obviously have direct implications for all firms and companies that are regulated by the FSA – for them, it is a wake-up call, and most have started tightening up compliance with the agency’s code of conduct for data protection. However, the incident has much broader implications, because the FSA rules that Nationwide inadvertently breached are mirrored in the Data Protection Act 1998 (DPA), which applies to all businesses.
Indeed, in the days following the announcement of the fine, at least one national law firm – one that works closely with a number of major building societies – was re-examining its policies and systems to reduce its exposure to data protection-related risks. It’s easy to understand why. As Britain’s biggest building society, Nationwide was able to spread the fine among its millions of members, costing them just 8p each, but at many law firms the partnership would end up footing the bill. We’re talking about homes being repossessed, savings squandered and lives ruined. Even for a firm with Limited Liability Partnership (LLP) status, the consequences would be extremely serious.
Common sense
Simon White, a data-protection specialist at Browne Jacobson, says that data protection compliance largely boils down to common sense. “But you do have to think very carefully about the ways in which you use data,” he says. Whether the business holds employee data only – or, like Browne Jacobson, holds claimants’ personal details and those of defendant insurers – the firm has got to make sure that information is stored in a way that takes out as many risks as possible; that the policy is effectively communicated to all staff and that they are all adequately trained.
“The point is that Nationwide didn’t put in place the proper training and the data that was stolen [on that laptop] did not suit being taken home in the first place,” White says. “Here, we are always bringing work home, but we have a full remote-access system, which means that everything is stored on a secure server and we don’t have to store any data on laptops or home PCs.” He says there will always be risks associated with data, but if you put in place the right policies and make sure employees understand them, most won’t risk taking large amounts of data home with them.
A slap on the wrist?
The leaders of many a smaller business will have spat out their cornflakes in disbelief upon hearing about the size of Nationwide’s fine, but White maintains it was not excessive. “Some people have said that the fine wasn’t enormous, that for a company as big as Nationwide it was little more than a slap on the wrist,” he says. “Certainly, the fine was much bigger than anything the Information Commissioner could impose but it is commensurate with the size of the organisation.”
In most circumstances, the maximum fine the commissioner can levy is just £5,000 – a pittance to all but the very smallest firms and certainly far too small to motivate a firm to change its data policies and invest in IT security systems. But if huge fines are only likely to be charged to huge corporations that can easily afford them, will Nationwide’s penalty have any effect on corporate behaviour? “I don’t know whether the figure itself will have much of an impact, but the publicity might do it,” White says. “For companies not regulated by the FSA, the risk of fines is smaller, but there are no grounds for complacency. The Information Commissioner can impose an unlimited fine if an organisation is found to have been reckless in its use of data or if it has knowingly breached the data-protection rules.” He adds that the DPA also makes directors personally liable for data-related offences if they are directly responsible for them – although that part of the Act has never been used in anger.
Knock-on effects
The most obvious potential knock-on effect of the incident is that many firms may now be more reluctant to issue staff with mobile devices and be less keen on them working from home. “I don’t think [data protection concerns] are a barrier to home-working,” White says. Indeed, many firms are now offering flexible working as a key inducement in their recruitment drives. In any case, White argues that firms will not be able to cite Nationwide’s experience as an excuse for denying people the opportunity to work from home – even if they do not have the right security systems in place. Any business that deals with large volumes of sensitive client data ought to have the technology in place. “Essentially, you have to give people the right systems and the right training,” he says.
Like White at Browne Jacobson, most law firms have their own in-house experts on data-protection issues, but this doesn’t make them immune to embarrassing and potentially ruinous security breaches. “Without a doubt, this could happen to a law firm,” says Derek Southall, a partner and head of strategic development at Wragge & Co. “The security standards of any home worker fall way below the security standards of the office. It is interesting the way that most firms disregard physical vulnerability – the security of people’s homes.” He says the last few years have seen a marked improvement in the quality, scope and usability of the IT security systems on the market for home working, with Citrix’s technology in particular coming on in leaps and bounds. Citrix lets users connect securely to their firm’s heavily protected office network and work on documents, read e-mails and so on inside a session that runs on the firm’s servers, so that nothing needs to be downloaded to the laptop or home PC; only the screen image travels to the remote machine.
From paper files to BlackBerrys
Southall points out that the risk of clients’ data becoming compromised has always been there and must be seen in perspective. “Somehow, the loss of a laptop is seen differently to the loss of a lever-arch file,” he says. “There were no massive fines back in the old days for firms that lost files. It’s just as easy to leave a file somewhere as it is to leave a laptop. At least the laptop might have a password or some other sort of security on it.”
According to Southall, there has been “a massive drop-off in the use of laptops by lawyers”. However, he points out that there are two current trends in the corporate world – moves towards the wireless office and towards the paperless office – that would seem to encourage more widespread use of laptops in the future.
Southall says no portable device is perfect from a security perspective but BlackBerry palm-top units are safer than laptops, pen-drives and USB sticks. The BlackBerry unit is effectively a ‘dumb’ terminal that can be ‘killed’ remotely by a firm’s IT department as soon as the user reports it missing. One caveat a practitioner would add: the kill command only takes effect once the device next connects to the network, so a unit whose radio is off, or whose SIM has been removed, keeps whatever e-mail is cached on it until someone switches it back on. Also in BlackBerry’s favour is the fact that most users don’t tend to store large amounts of sensitive information on the device itself. You can manipulate documents and spreadsheets on its tiny screen but few people would bother to do so.
However, even BlackBerry can pose a significant risk to a firm that hasn’t got the right processes in place for dealing with lost units. Just a few years ago, the managing partner of a prominent City firm left his BlackBerry in the back of a taxi, where it was found by a legal journalist. The device’s password protection had been switched off, leaving the managing partner’s e-mail inbox completely unprotected. Only the intervention of the magazine’s publisher, who locked the device in a safe amid howls of protest from her editorial staff, prevented a major embarrassment for the law firm. Astoundingly, when the journalist called the firm to report the find, he was told to call back a week later when the firm’s BlackBerry administrator was due back from holiday. It took two weeks for the firm to collect the BlackBerry and at no point did anyone use the ‘remote kill’ function that could have switched it off.
Relative weakness
Most law firms have tightened up their IT security over the past couple of years. However, data protection is still seen by many consultants and some IT directors as an area of relative weakness. What would happen if a malicious person, or an identity fraudster, mounted a concerted attack on law firms? “A lot of firms would find they are much less well protected than they thought they were,” says Janet Day, IT director at Berwin Leighton Paisner. “You can greatly diminish the chance that anyone can harm you, but if someone is really determined, it is very hard to stop them.” She says most, if not all, IT directors do take data protection very seriously and continually monitor their firms’ processes to keep the risks to a reasonable minimum.
However, IT consultant Neil Cameron warns that most large law firms do not have the right policies and technologies in place to minimise the risk of a Nationwide-style security breach. “Law firms have generally been tightening up their policies on data protection, but not as a direct consequence of the Nationwide incident,” he says. “Most firms take data protection reasonably seriously, but very few, if any, routinely encrypt the contents of their hard drives. I do not know of any law firm that does it. Without encryption, someone could simply remove the hard drive from a stolen laptop, put it into another computer and read all the documents, e-mails from clients and so on.”
Encryption
Cameron’s advice to any law firm that wants to dramatically reduce the risk of ending up in a pickle over data protection is to install both software and hardware encryption on all portable devices and all home-workers’ PCs. There is a downside, though: encryption systems are getting better, but they are still rather expensive, clunky and slow. It might be cheap to install strong encryption on one computer, but Cameron argues that if you have to roll it out firm-wide, to hundreds or thousands of users, the costs quickly add up.
For a concerned IT director it is a tough sell to the partnership. Consider the pitch: ‘We want to install a system that will make your machines run more slowly; require a fair bit of user training; and cost you several hundred thousand pounds – to guard against something that hasn’t happened yet.’ In Cameron’s view the partners are unlikely to go for it until a lawyer’s laptop is stolen and sensitive data is compromised. When it comes to security, business leaders are very unlikely to do anything that they don’t have to do. It is standard practice for clients to include a few questions about security and data protection in their ‘beauty parades’ and tender documents – so they can ‘tick the boxes’, as Cameron says. But despite Nationwide’s recent experience, he says there is currently no evidence that clients, even building societies or banks, are asking law firms to prove their security and data-protection credentials.
A ‘very sensible document’
Still, the £1m fine levied by the FSA does suggest that the authorities will be taking a much tougher line on data-security lapses in the future. So how should firms protect themselves? Some experts, such as White at Browne Jacobson, point to British Standard 7799, the information-security management standard (since adopted internationally as ISO/IEC 27001) that is accepted as best practice in banking circles and other high-risk industries. “BS7799 is a very sensible document,” White says. “I always urge clients to get a copy and see what they can implement.” Some of the standard’s recommendations are simple but effective, White says – for instance, making sure that fax machines are not set up in corridors where lots of people walk past, or ensuring that computer monitors are not facing the windows, where anyone with a good pair of binoculars can read what’s on them.
Achieving full compliance with BS7799 is a major undertaking; one that most law firms – indeed, most businesses – still regard as overkill. “It is expensive to implement and to keep up,” Cameron says. “[Even after the Nationwide incident] I don’t expect many law firms to go down that route.” However, he warns against too much reliance on virtual private networks (VPNs) and related technologies, such as Citrix. “I don’t think a law firm could introduce a blanket policy to ban people from downloading client data and other sensitive information onto laptops,” he says. “Lawyers need to work on aeroplanes, where they cannot connect to their office network via VPN or Citrix.”
Janet Day says the Nationwide incident is a reason to look again at BS7799 – but she says one cannot assume that it guarantees immunity. “All evidence seems to point that way but it’s not guaranteed, it’s only implied, that they would have avoided the fine if they had achieved compliance with the standard,” she says. “The trouble with 7799 is that it is very time-consuming to implement.” Berwin Leighton Paisner is one of only a very few firms that have achieved FAST accreditation, a scheme run by the Federation Against Software Theft, which effectively takes an organisation halfway to achieving BS7799. But she allows that attitudes are starting to change. “I do think law firms are starting to focus on the rules of engagement for taking data out of the office,” she says. “The situation is getting much more complicated. Most firms have been trying very hard to improve their internal [i.e. office-based] IT security – which is logical, because that is where we were all most vulnerable in the past – and firms are now moving on to look at external security. You only build barriers when you know that you need them.” It was the embarrassment suffered by Watson Farley & Williams and Vizards Tweedie in February that finally woke the legal industry to the dangers of e-mail scams; perhaps Nationwide’s experience will have a similar effect in bringing data protection to the top of the agenda.
Thin ice
You can’t guard against a thief ripping a laptop off an employee’s shoulder, but you can set up proper remote-access systems; you can encrypt data that’s stored on portable devices; you can use strong password protection; you can deploy biometric security – fingerprint recognition, iris scanners and so on – and you can put systems in place to prevent staff downloading large amounts of sensitive data onto portable devices in the first place. One caveat applies to the encryption: it only helps if the key is not handed over with the data. A machine that boots straight to the desktop without asking for a passphrase, or one protected by a password the thief can guess, leaves the documents as readable as if the disk had never been encrypted at all.
The cost of IT security can easily spiral out of all proportion to the risk of a security breach, and many firms may be tempted to do the bare minimum to ensure they comply with the regulations. They are skating on thin ice. When the chips are down and you find yourself just under the threshold of compliance, you could be hit with a very nasty fine.
BS7799 might still seem a bridge too far, but in the wake of the FSA’s verdict on Nationwide, there is undeniably a good business case for law firms to consider data encryption as standard practice. As White says, “This wasn’t the first time that a major financial institution has lost a laptop and it certainly won’t be the last.” But even the regulators aren’t completely safe, according to one partner at a major City law firm. “I wonder”, he muses, “what the FSA will say next time they lose a laptop?”