Yet another story of customer data being stolen. Surely the risk should have been mitigated with some form of encryption. The title link is to a news article from the UK in the closing days of 2009. In this case it's a major UK credit card provider (MBNA) having a laptop containing unprotected customer data stolen from one of its 3rd party contractors (NCO).
MBNA states that the security of its customers' information is one of its top priorities, and its privacy policy states, amongst other things, "We also use vigilant protection measures in order to protect our customers' accounts from fraudulent use."
They also claim to comply with the UK Data Protection Act, which states "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".
I would argue that some level of encryption of personal data, particularly on laptops, was an "appropriate" technical measure and an "appropriate" organisational measure would be managing and monitoring a 3rd party SLA to ensure compliance.
It is unlikely that this was an isolated laptop lacking encryption and I have found no information to suggest the laptop was unique in this regard.
We therefore have 2 possible scenarios: either MBNA did not specify the need to comply with its privacy policy in its SLA with NCO, or the SLA was not monitored and managed.
In either scenario MBNA appears to have dropped the ball with regard to accountability.
NCO has accountabilities of its own, but MBNA retains accountability for the services it provides its customers, even through outsourcers.
Governance and accountability are things you simply cannot outsource. We hope MBNA has learnt this rather expensive lesson and that other organisations learn from it too.