Sujet Anglais LV1 Iena

Sujet Anglais LV 1 lENA 2008

Lost in the post

IT TAKES a lot to produce gasps of astonishment from British politicians. But that was what greeted Alistair Darling, the Chancellor of the Exchequer, when he told parliament on November 20th that two computer discs containing the personal details of 25m British individuals and 7m families had gone missing. The discs were being sent by internal mail between two government departments ; they included names, addresses, bank-account details, dates of birth and names of spouses and children. The fate of the discs is unknown, but they contain just the sort of information sought after by identity thieves, who could use it to procure fake documents, commit fraud and empty bank accounts.

This is the latest in a series of such losses. HMRC, the tax-and-customs department which sent the discs, lost a laptop containing personal data on 400 people in September, and last month it lost another disk in the post, containing pension records for 15,000 people. But this week’s fiasco is on an entirely different scale. It ranks alongside the theft of data on 26.5m people stolen from the home of an employee of the Department of Veterans Affairs in America in 2006 ; and the loss by Bank of America in 2005 of tapes containing information on 1m American government employees. And there have been dozens of smaller cases around the world in which personal data have been lost by, or stolen from, credit-card companies, online retailers, government departments and banks.

Fear of identity fraud means that many people now routinely shred receipts and sensitive documents before binning them. But identity thieves rarely waste time looking in dustbins any more. There is no point bothering to steal one person’s details, when records can be had in their thousands and millions from leaky computer systems. Large databases have become central to the operation of governments, health systems, banks and other large companies.

And despite the howls from libertarians, nobody really wants to turn back the clock and revert to paper records.

What can be done ?

As always with computer security, there are two things to remember. First, that security depends on a combination of technology and policy ; and second, that no system is ever totally secure. It is safer to assume that there will be breaches, and work out how to minimise the damage. That means storing, and moving around, as little data as possible ; anonymising records and linking to personal details stored in a separate database ; and using encryption to protect data in transit. None of this was done by the HMRC. It was asked to supply anonymised data to the National Audit Office, but provided reams of unencrypted personal information instead.

Regulation has a role to play, too. Many European countries and 35 American states have rules that require companies and government departments to disclose breaches of information security to anyone affected. In many cases they are also legally liable for any loss. This gives them an incentive to store as little data as possible and to look after it properly. Britain, alas, has some of the most toothless data-protection rules in the developed world : the government recently rejected a plan to make reporting of breaches compulsory. According to one estimate, setting up new bank accounts for everyone affected by this week’s leak could cost £300m ($600m).

Even when sensible regulation is in place, however, it is no use if the rules are ignored-as in the most recent British case. So data-protection watchdogs need to be able to carry out spot checks to ensure that everything is being done by the book. But where

...