Thursday, June 18, 2015

Bank of England bans ‘autocomplete’ – but is this really the best way forward?

We’ve all done it: hit ‘Send’, suddenly realised you cc’d in Dave from Marketing instead of Dave from HR, felt that immediate sickening feeling and realised that, at best, you’ve made yourself look a bit foolish. At worst – and likely something none of us have done – you’ve managed to send highly confidential information about Britain’s potential exit from the EU (or ‘Brexit’) to a Guardian journalist.

Unfortunately, that’s what happened to the Bank of England’s Head of Press last month. Not only did the email include details about research into the financial implications of Brexit, termed ‘Project Bookend’, it ironically also included instructions on how to fend off enquiries about this top-secret activity.

In an arguably knee-jerk reaction, the BoE have since announced the disabling of ‘autocomplete’ functionality for their email platform – meaning employees will need to repeatedly type individual email addresses every time they send an email.

But is this really the right course of action to take?

In some ways, it is encouraging to see the BoE taking information security seriously. Data protection is relevant for all organisations – whether you’re handling traditionally recognised ‘personally identifiable information’ or, as in this case, commercially sensitive data and intellectual property.

However, it is likely that turning off autocomplete is going to meet with a lot of frustration amongst BoE employees. Not only will it be a time-consuming process for staff to laboriously type every single address for every single email sent, just imagine the bounce rate (and therefore repeated processes) for typos! Plus, this solution won’t actually provide any control over the email addresses BoE employees type in.

Frustratingly for them, technology exists that would allow the BoE to have the best of both worlds – business convenience and data protection. It is mystifying why they haven’t instead implemented smart technology that could control who confidential information is sent to and accessed by, and what those recipients can do with it. Data protection doesn’t need to take us back into the Dark Ages of Technology – organisations just need to be aware of what information security solutions are already available.