44% of organisations at risk of prosecution under Data Protection Act

Compuware survey reveals many companies misusing live customer data and often relying on minimal measures to protect it

London, 3 July 2006: Independent research commissioned by Compuware has found that 44% of senior IT decision makers are using live customer data to test applications, putting them at risk of prosecution under the Data Protection Act (DPA). The DPA strictly forbids companies from using actual data for any purposes other than those for which it was collected. The survey, of 100 IT directors, was conducted by research company Vanson Bourne.

Despite numerous high-profile fraud, spam and cybercrime cases, companies are still not ensuring that their data protection processes are as stringent as possible. Although the DPA was set up in 1998, 48% of senior IT decision makers admitted to only being "vaguely familiar" with the Act itself, which makes it unsurprising that just under half of the respondents are running the risk of prosecution by using live customer data when testing applications.

"Companies have had plenty of time to understand and implement robust data privacy measures since the Act was introduced eight years ago," said Jon Oliver, EMEA IS Director, Compuware. "Unless they have rigorous procedures in place, they run the risk of live data being leaked to third parties. This can have severe repercussions on customer confidence and company reputation, and ultimately affect the bottom line."

The research highlights the importance of keeping track of how and why IT departments use customer data. This problem has grown in recent years with many companies outsourcing their workload to external parties. 83% of those surveyed admitted to only using non-disclosure agreements (NDAs) to control and secure data usage when outsourcing application testing. Although this is a legally binding document, many companies find it difficult to communicate the complex legal terms to their employees.
Furthermore, there have been a few high-profile cases recently where workers in outsourcing companies have been offered relatively large amounts of money for confidential information. In the future, employees may find it hard to resist such offers despite having signed an NDA.

"Many businesses are still confused by the ambiguity of a clause within the Act relating to taking appropriate action to protect customer data. It is therefore not a complete surprise that so many organisations have taken what they think is the simplest way to comply with the Act and put in place NDAs. The truth is that most customers would not consider this adequate protection. Therefore companies must reconsider the actions they are taking to protect customer data from being leaked in the application testing environment," continued Oliver.

"Testing environments are inherently insecure places in which to process live customer data, with printouts and test sheets being left next to PCs during trials. Although businesses can afford to pay the fines placed on them if customer data is leaked, the cost to company reputation is not as easily recovered.

"Legislation already exists in the US that forces organisations to make public disclosures when customer data has been leaked, and I wouldn't be surprised to see something similar come into force in the UK in the future. This will make it even more important for organisations to cover off all possible angles of attack before the company is put at risk rather than trying to recover from a major fraud incident," continued Oliver.
One way to deal with this problem is to disguise the data. By exchanging known values, such as addresses, with other known values, customer data can be transformed so that it is unrecognisable from the original but can still be processed by the systems across the organisation, with important fields, such as postcode, left intact. This process can be done automatically, removing the human risk element entirely.

"Why try to secure your data in an insecure environment when you can completely avoid the problem from the beginning?" continued Oliver. "Dealing with this issue is by no means simple. However, by taking a holistic view of an organisation's business processes and looking at the way customer data is used by the applications that support these processes, organisations can start to tackle the problem. This analysis can then be used to decide the data that should be disguised for use in application testing. By taking this approach businesses can still comprehensively test an application but without the risk of sensitive information being viewed or leaked."

About Compuware

Compuware Corporation (NASDAQ: CPWR) maximises the value IT brings to the business by helping CIOs more effectively manage the business of IT. Compuware solutions accelerate the development, improve the quality and enhance the performance of critical business systems while enabling CIOs to align and govern the entire IT portfolio, increasing efficiency, cost control and employee productivity throughout the IT organisation. Founded in 1973, Compuware serves the world's leading IT organisations, including more than 90 per cent of the Fortune 100 companies. For more information visit: www.compuware.co.uk

Compuware is a registered trademark of Compuware Corporation. All other product and company names are trademarks or registered trademarks of their respective owners.

Compuware is a member of The Prince's Trust Technology Leadership Group (TLG), a premier industry-networking forum for leaders within the IT industry, established in May 2002.

For Compuware Press Inquiries Contact: Christian Sharp