Prepare to be petrified.
This is a Doctor Who moment, except I am not sure that we have a big enough sofa to hide behind.
I try not to scare people. In normal circumstances, I don’t think it is a great business tactic. So since starting this blog I have not overstated the risks. The ICO does not fine everyone. There is not a queue of master criminals waiting for the chance to steal your data. Because that is not the point.
In fact, as I have tried to explain, data security rules and regulations are really more about risk management, and the relatively short list of people who have been named, shamed and fined are the ones who got caught red handed, with their pants down, their hands in the till and the egg streaming down their faces.
But in the space of just two days, three things have happened, which I will relate to you in the order in which they happened to me.
Firstly, the lads were repairing an old fax machine. It was a successful operation and, in coughing and spluttering back to life, the faithful old friend spewed out the last ten facsimiles it had been asked to send; in full, perfectly legible, for anyone to read.
I am not going to reveal what the ten messages contained, but what would they be on your machine? I would guess some innocuous confirmation stuff and a little bit of confidential data, maybe a legal contract? Nothing too serious but still confidential, and in the wrong hands, or in the ICO’s span of attention, you could be in an expensive bit of trouble. Maximum fine will be £500,000 or 5% of global turnover.
Secondly, one of those large printers. The sort that serves a lot of Dilberts on the busy floor of a large business, so it has a memory to queue print jobs, and that memory keeps copies of what it has printed. I had never thought of that before I joined eReco, but a memory is a memory, and this printer had a shed load of stuff.
Part of our process is listing what it does have and reporting back, if we think it might be important to someone, so we have to have a little look. Loads of business documents were on there. Plus some rather funny limericks and some fairly rude suggestions about Shirley in accounts. In this case it was not the content we found that rang alarm bells, but what we might have found. It was a risk I certainly would not have considered a few months ago. Again, if there had been something naughty and it had all gone Pete Tong, maximum fine will be £500,000 or 5% of global turnover.
Thirdly, something I really can’t go into any detail about, because it is very likely to be sub judice before too long. But I will tell you that we found a document thrown into a toner collection bag. If you knew what the document was, you would not believe me. It would start to sound like the plot of one of those detective dramas where they are trailing money around the world in quantities too vast for anyone who queries the price of a sausage roll in Greggs to comprehend.
Which brings me back to apathy and ignorance, two growing themes for my daily wittering.
In the first two cases, no harm no foul. Perhaps unwittingly but certainly sensibly, the two companies involved had done the right thing by engaging a professional ITAD company (Us, eReco, pay attention!) to securely collect and process their redundant kit. Memory wiped and gone forever, £5 per unit, thanks very much for the business guys. Saving your ass is free.
In the third example, a company more than big enough to have a proper data security process and with extra regulations piled on it a mile high, allowed a highly sensitive document to be thrown out with the toner cartridges. No secure collection. If it was not for the eagle eyes of our team, who are all security checked and well aware of the seriousness of the situation, that document could have ended up anywhere.
Mistakes like that should never happen. Never. Ever. Chris Graham (the ICO, to people who have not been concentrating... affectionately known as Genghis Khan in this blog) beheads people for this. It gets people on the evening news. It does brand damage. Executives depart the building. Share prices plummet. John Humphrys barks at people.
I hope this has been a cautionary tale. It is still sending shivers down my spine. Don’t be a disaster waiting to happen. Let the professionals (Us obviously, by preference) help you identify the risks and deal with them professionally.