Data loss seems to have become the latest cheap news story here in the UK. Back in November the UK Government admitted the loss of some really important data from the Child Benefit department of Her Majesty's Revenue and Customs. There is no doubting that this was a significant data loss with potentially massive consequences for the people whose data was lost (me included). The data set included bank account details and National Insurance Numbers, things that would be very useful to anyone with criminal intent, as well as children's names, which would make password guessing a lot easier.
There was lots of information and lots of analysis telling people what the impact of this could be.
Since then though, the stories have come thick and fast, but the information hasn’t.
Yesterday brought another announcement from another government minister, Transport Secretary Ruth Kelly. This time the data lost consists of name, address, phone number, fee paid, test centre, payment code, and e-mail address where provided.
So what is the impact of that data getting out?
In this instance nearly all of the analysis has been on the political impact of the loss. You have to look very hard for any information on how risky this is. About the best I could find on the BBC was this:
The information commission had judged the risks presented by the loss were not “substantial” and there was no need to notify each person individually.
This poses a really difficult challenge to the IT industry: how do we communicate what the risks are and why this particular loss is "not substantial"? More broadly, how do we communicate which things people should protect at all costs, and which things are already in the public domain? I know, for instance, that my name, address and phone number are all out in the public domain and that there's no point in worrying that someone has misplaced them, likewise with my e-mail address. I'm not sure what use "fee paid, test centre, payment code" would be other than for some form of targeted fraud. I also have a graduated password scheme: my bank password is nothing like the password I give to a site that requires me to register but doesn't do any financial transactions. I don't really care about the latter password, but the first one is used in one place only.
My issue here is that we aren't doing a good job of communicating, and that all data loss incidents are receiving a very similar reaction. The problem with that is that people become immune to the message; it's a bit like the boy who cried wolf, only in reverse. The first data loss from HMRC was a really big issue; subsequent minor ones just blind people to the impact of the first one. If another significant loss is announced, people won't realise it because they have become deaf to the messages.