Introduction
Many organisations are not addressing their responsibilities in terms of data security and privacy compliance.  Some analysts lay the blame for the increase in highly publicised data security breaches on culture.  Others blame technology, which keeps getting smaller and more affordable.  Small portable storage devices, e.g. USB sticks, smart phones, hand-held devices, smaller laptops and cloud storage, all threaten the data security and privacy of both organisations and individuals.  
 
‘Today at least 90% of records are created electronically.  In the 1980s the typewriter was replaced by the personal computer (PC).  In the 1990s PCs became more affordable for businesses. Consequently the concept of electronic recording was created and records could be stored electronically.  This ensured that the record can be copied easily.  The record is the most important part about an electronic record, not the physical carrier.’
McKenzie (1990)
John Mancini, President of AIIM, has reported that over a third of organisations, if challenged, would not be confident that their electronic records had not been changed, deleted or accessed.  These companies would be at a major disadvantage in any legal action, whether defending or prosecuting.  AIIM also highlighted (in its annual State of the ECM Industry report) that managing electronic office documents is still a challenge for 47% of organisations, and that modern business communication channels (instant messages, text messages, blogs and wikis) are uncontrolled and off the corporate radar for 75% of companies.  So we are not alone in the challenges we all face in relation to data security and privacy versus culture, not only of our organisations but of society.
The way people communicate is constantly changing; social media is an increasingly popular way to communicate, with Twitter, LinkedIn and Facebook drawing more and more people away from traditional forms of messaging.  Organisations need to consider how this information is monitored in relation to data breaches.  Many organisations, including the Northern Ireland Civil Service (NICS), bar access to social networking websites as standard.
 
Cultural Theory
 
We ask ourselves what we mean by culture in an organisation.  There are numerous types of culture in an organisation, and identifying the prevailing one is a key task in terms of data security and privacy compliance.  In the current economic climate organisations have to be efficient and dynamic, and to provide superior products and customer service, depending on the sector they operate in.  Organisational culture has been variously defined (Ott 1989; Schein 1990; Davies, Nutley, and Mannion 2000).  It denotes a wide range of social phenomena, including an organisation's customary dress, language, behaviour, beliefs, values, assumptions, symbols of status and authority, myths, ceremonies and rituals, and modes of deference and subversion; all of which help to define an organisation's character and norms.
 
‘...Is a set of fundamental assumptions about what products an organisation should produce, how it should produce them, where, and for whom.  Generally cultural assumptions are taken totally for granted and are rarely publicly announced or spoken about.’
Schein (1985)
 
When organisations need to enforce or encourage cultural change in terms of data security, or to sustain such change, for example after a data breach, management need to fully understand the current culture and plan how they will manage the impact of change for the benefit of the organisation, stakeholders, employees and customers.  What some organisations wish for, and a few achieve, is a culture of compliant attitudes, behaviours and sensitivity in which security, privacy and confidentiality become second nature and are assumed throughout the workforce.  The culture within an organisation can be classified as clan, adhocracy, hierarchy or market.  
 
An organisation's culture can be a powerful restraint on change.  This is especially evident with technological change, which can encounter a lot of resistance within organisations.  Organisations use technology to reduce cost: transaction cost theory holds that firms lower their transaction costs by using technology to reduce the cost of locating and communicating with the market.  Many IT projects fail because of resistance from people within the organisation.  Lorenzi and Riley highlight this in their article “Managing Change”: people who have low psychological ownership in a system and who vigorously resist its implementation can bring a “technically best” system to its knees.  The approaches available are education and communication; participation and involvement; facilitation and support; negotiation and agreement; manipulation and co-optation; and explicit and implicit coercion (Kotter J.P. and Schlesinger L.A., 2008).
 
‘It's not the progress I mind, it's the change I don't like.’ —Mark Twain
 
The ability of an organisation's culture to adapt to change, whether legislative, in buying patterns, technological, internal structural, external events, suppliers or new market entrants, will influence the organisation's ability to survive in the long term.  A striking illustration is that only 10% of the Fortune 500 companies of 1919 still exist today (Landon K and Landon C 2006).  Technology helps companies adapt to change: large organisations use information technology to attain agility and flexibility through mass customisation.
 
Legislation
Some changes to Irish legislation were made in July this year.  The Data Protection Commissioner, Mr. Billy Hawkes, launched the “Guidance Note on Data Protection in the Electronic Communications Sector”.  The main new requirements are:
Compulsory notification of individuals and the Office of the Data Protection Commissioner in the case of data breaches
More stringent requirements for user consent for the placing of “cookies” on electronic devices
Stricter requirements for the sending of electronic marketing messages and the making of marketing phone calls
There are hefty fines for breaches, ranging from €5,000 per breach to fines of up to €250,000.  It will be interesting to see if and how these fines are enforced in the future.  Organisations will have to adjust, and inform their employees of the above, and how they go about influencing this change in culture will depend heavily on the type of organisation. 
Every Irish citizen has a right to personal privacy under the Constitution (Article 40.3.1) and an explicit right to personal privacy under Article 8 of the 1950 European Convention for the Protection of Human Rights and Fundamental Freedoms.  Under the Lisbon Treaty, on which Irish citizens have voted twice, we also have, as EU citizens, an explicit right to data protection.  There is a fine line between an individual's right to privacy and an organisation's need for profit.  It was widely reported that Google's online map service, Street View, was accused of photographing too close to the inside of people's private homes, and of capturing people walking down the street without their knowing they were being watched on Google's service.  Aaron and Christine Boring, a Pittsburgh couple, sued Google for “invasion of privacy”.
 
Data Breaches
 
There have been several highly publicised data breaches in the media recently.  The public and the media take a keen interest in them, casting widespread condemnation on the offending company.  Recently a large number of organisations have featured in the media: Fine Gael, when the details of 2,000 people held on its website were compromised in a cyber-attack; the HSE, associated by the media with a bag of medical records found in a bog in Abbeyknockmoy and with patient records found in a bin outside a hospital in Mayo; and Tallaght Hospital, which had a breach when patient information given to a company called Uscribe fell into inappropriate hands.  Even global organisations such as Sony, Facebook and Google have been brought to the attention of the Data Protection Commissioner and the media.  The Revenue Commissioners had 10 laptops stolen from their offices in 2011. 
Organisations, especially after a data breach, need to address internally the reasons it happened.  The impact of a security breach can be clearly seen and felt at all levels of the organisation.  It can include, but is not limited to, furious clients and stakeholders, negative publicity, a tarnished reputation, public embarrassment, investigations, lawsuits, fines and penalties, financial losses and the waste of valuable resources.
As an organisation you may need and want to change the culture, or implement a “cultural transformation”, after a breach of data protection.  In the Information and Records Management Society Bulletin of May 2011, Sean Glynn's article highlighted users intentionally or accidentally causing damage to an organisation as now one of the most complex and difficult challenges facing IT security teams.  The 2010 Verizon RISK Team Data Breach Investigations Report stated that almost half (48%) of the breaches studied were caused by insiders (an increase of 26% on 2009).  Internal breaches are of two kinds, malicious and non-malicious.  They normally occur through the loss of laptops, email or storage media, and through exposure to unauthorised parties. 
It was reported in the media in 2007 that an audit of one insurance company found that it held private data that could only have come from confidential social welfare records. An examination of the records of a second insurer reached the same conclusion after the Data Protection Commissioner's office audited the firms.
In 2005 the Sunday Times revealed that at least 72 civil servants accessed the social welfare details of Dolores McNamara, the Euro Millions lottery winner. The department’s system logged over 125 hits on McNamara’s files after she scooped a €115m jackpot. Her social welfare details were subsequently published by a newspaper.
There is an accepted, underlying attitude in Irish society that this is alright, that a data breach doesn't really matter and that it is not an invasion of the individual's privacy.   This may hold true until it is your personal data that ends up in the wrong hands, or you and your organisation are answering to the Data Protection Commissioner.
The Daily Telegraph reported recently that David Brown, a former journalist at the national tabloid newspaper The People, has claimed that phone hacking was rife among his colleagues and was covered up by senior executives.  This may seem far removed from individuals, but have you changed the default PIN on your personal phone's voicemail?  Colleagues, family, competitors, the media or strangers could be accessing your personal voice messages without your knowing it.
In May 2011 the Guardian reported that there had been 187 data breaches in the NHS; the total number of personal-data breaches by trusts stood at 899.  In 2010 the media highlighted further issues with the management, handling and loss of records and information in Ireland.  “Caterers had access to patient files” was the headline of an article by Paul Melia in the Irish Independent on Monday 15th March 2010, after staff in Kerry General Hospital were able to access confidential patient information held on a €60 million Health Service Executive computerised system, the Integrated Patient Management System (IPMS).  
A security policy requiring idle machines to log off automatically after a few minutes, a culture of switching computers off at the end of the day to protect confidential data, and managers visibly challenging why computers holding data are left logged in with nobody in front of them would all have helped to reduce data breaches and protect patient privacy, while also saving the taxpayer money on electricity.
Harry McGee (2008) wrote an article on the laptop stolen from the offices of the Comptroller and Auditor General, also highlighting that 16 laptops had been stolen from that office over the previous 10 years.  Laptops containing the names of 380,000 social welfare recipients were stolen from the headquarters of the Department of Social and Family Affairs on 14th April 2007; there was no lock on the office door on the 4th floor at the time.  The PPS numbers, addresses and some bank details of 10,000 public servants were held on another laptop.  It is a reasonable assumption that more was taken during these burglaries, in particular hardcopy records, than we have yet heard about.  
 
‘SERIOUS CONCERNS and questions have been raised following the discovery of thousands of confidential patient records in a former landfill site in east Cork.
 
The medical records, which date back to the 1970s and early 1980s, contain sensitive information including patient names and addresses of adults and children, and details of medical conditions and treatments.’
McDonagh (2008)

Cultural Change

To begin changing the culture in our organisation we must first identify the type of culture and subculture that prevails: innovative; strong, e.g. Disney; aggressive, e.g. Microsoft; outcome-oriented; stable, e.g. government; or people-oriented, e.g. Starbucks.     
There are several tools that we can use to measure or determine the culture of an organisation.  Scott et al. (2003) compare and contrast nine methods for measuring culture in health care organisations.    Research and choose a standard that your organisation can follow, such as ISO 27001 (information security management).  
Technological advances are moving much faster than most organisations.  To change culture in relation to data protection and privacy, below are some steps that you could take:
 
Make a plan using best practice guidelines, organise volunteers for the data and information committee
Set goals, deadlines and agree budget allocation
Check you are registered with the Data Commissioner and identify who is the data controller for your organisation
A S.W.O.T. analysis of your organisation's culture in relation to data security and privacy at a macro level
Undertake an Information and Data Management Audit that will: 
o Clearly identify what you are trying to achieve
o Identify where data is held and who has access
o Highlight risk areas
Review where your data is stored, whether that complies with legislation, and whether it is secure
Ask for help
Invite the Data Protection office to audit your organisation
Decide on and research the standards applicable to your organisation, e.g. ISO 27001, ISO/IEC 27002:2005, ISO 15489, ANSI/ARMA 5-2003, MoReq/MoReq2
List the legislation your organisation needs to comply with: 
o Data Protection Act 1988 and Data Protection (Amendment) Act 2003 
o Electronic Commerce Act 2000
o IFF/DPC Code of Practice on Data Protection
o EC Directive on Privacy and Electronic Communications 2002/58/EC, EUROPOL etc.
List any data breaches in your organisation or in competitor organisations and quantify them, if possible, in monetary and reputational terms
Read the Data Protection Commissioner's Report 2011
Write a report and present to senior management
 
Organisations can take practical steps such as locking down USB ports; allowing only organisation-issued, encrypted USB sticks; encrypting all laptops and backing them up centrally; a clean-desk policy; locked and controlled hardcopy storage areas; training; changing or amending employee contracts and job descriptions to include data protection; making sure laptops are secured when they leave the organisation's premises; ensuring all computing devices are password-protected; and being clear where the “buck” will stop!  
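The idle-session lock mentioned in the Kerry General Hospital discussion above and the removable-media, encryption and password controls listed in the preceding paragraph can be expressed as machine-checkable settings rather than left to policy documents.  The PowerShell script below is an added example written for this edit; it is not code from the original article or from any organisation it names.  It audits, and with -Enforce applies, the registry values written by the corresponding Windows Group Policy settings: a password-protected screen lock after an idle period, no executables run from removable disks, writing only to BitLocker To Go drives carrying the organisation's identifier, and BitLocker status on the operating system drive.  It assumes Windows 7 / Server 2008 R2 or later and an elevated PowerShell session; the organisation identifier EXAMPLE-ORG and the 5-minute (300 second) timeout are placeholder values chosen for the example, not figures from the article.

```powershell
<#
  Added example (not from the original article or any organisation it names).
  Audits, and with -Enforce applies, the endpoint controls discussed above:
    - password-protected screen lock after an idle period
    - no executables run from removable disks
    - writing only to organisation-issued BitLocker To Go drives
    - BitLocker protection on the operating system drive
  Assumptions: Windows 7 / Server 2008 R2 or later, run from an elevated
  PowerShell session.  The registry values are the ones the matching Group
  Policy settings write, so in a domain you would set them centrally via GPO.
  EXAMPLE-ORG is a placeholder organisation identifier and the 5-minute
  (300 s) timeout is a chosen value, not one the article specifies.
#>
param([switch]$Enforce)

$ErrorActionPreference = 'Stop'
$Desktop        = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
# {53f5630d-...} is the "Removable Disks" device class used by the
# Removable Storage Access policies.
$RemovableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$Fve            = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Desired state.  String values are written as REG_SZ, integers as REG_DWORD.
$Controls = @(
    @{ Name = 'Screen saver enabled';           Key = $Desktop;        Value = 'ScreenSaveActive';          Want = '1' }
    @{ Name = 'Screen saver timeout (seconds)'; Key = $Desktop;        Value = 'ScreenSaveTimeOut';         Want = '300' }
    @{ Name = 'Screen saver requires logon';    Key = $Desktop;        Value = 'ScreenSaverIsSecure';       Want = '1' }
    @{ Name = 'Removable disks: deny execute';  Key = $RemovableDisks; Value = 'Deny_Execute';              Want = 1 }
    @{ Name = 'Organisation identifier in use'; Key = $Fve;            Value = 'IdentificationField';       Want = 1 }
    @{ Name = 'Organisation identifier';        Key = $Fve;            Value = 'IdentificationFieldString'; Want = 'EXAMPLE-ORG' }
    @{ Name = 'Write only to BitLocker drives'; Key = $Fve;            Value = 'RDVDenyWriteAccess';        Want = 1 }
    @{ Name = 'Deny drives of other orgs';      Key = $Fve;            Value = 'RDVDenyCrossOrg';           Want = 1 }
)

function Get-ControlState {
    # Read one policy value and report whether it matches the desired state.
    param([hashtable]$Control)
    $actual = $null
    if (Test-Path -Path $Control.Key) {
        $item = Get-ItemProperty -Path $Control.Key -Name $Control.Value -ErrorAction SilentlyContinue
        if ($item) { $actual = $item.($Control.Value) }
    }
    [pscustomobject]@{
        Control   = $Control.Name
        Expected  = $Control.Want
        Actual    = $actual
        Compliant = ("$actual" -eq "$($Control.Want)")
    }
}

function Set-ControlState {
    # Write the desired value, creating the policy key if it does not exist yet.
    param([hashtable]$Control)
    if (-not (Test-Path -Path $Control.Key)) { New-Item -Path $Control.Key -Force | Out-Null }
    $type = if ($Control.Want -is [int]) { 'DWord' } else { 'String' }
    New-ItemProperty -Path $Control.Key -Name $Control.Value -Value $Control.Want -PropertyType $type -Force | Out-Null
}

function Get-OsDriveProtection {
    # Get-BitLockerVolume exists on Windows 8 / Server 2012 and later; fall back
    # to manage-bde, which ships with the editions that support BitLocker.
    if (Get-Command -Name Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        return (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus
    }
    $line = & manage-bde -status $env:SystemDrive | Select-String -Pattern 'Protection Status'
    if ($line) { return $line.Line.Trim() }
    return 'unknown (manage-bde reported no protection status)'
}

$report = $Controls | ForEach-Object { Get-ControlState -Control $_ }
$report | Format-Table -AutoSize
"OS drive ($env:SystemDrive) BitLocker protection: $(Get-OsDriveProtection)"

$gaps = @($report | Where-Object { -not $_.Compliant })
if ($gaps.Count -eq 0) {
    'All audited controls are compliant.'
} elseif ($Enforce) {
    foreach ($gap in $gaps) {
        $control = $Controls | Where-Object { $_.Name -eq $gap.Control }
        Set-ControlState -Control $control
        "Enforced: $($gap.Control)"
    }
    'Log off and on again (or run gpupdate /force) for the user-level settings to take effect.'
} else {
    "$($gaps.Count) control(s) not compliant; re-run with -Enforce to apply them."
}
```

Run it without arguments to get a compliance table that can go straight into the audit report suggested in the step list above; run it with -Enforce on a standalone machine to apply the settings.  The HKCU values only affect the user who runs the script, and HKLM values need an elevated session, which is why in a domain these belong in a Group Policy Object rather than a login script.  The RDVDenyWriteAccess and RDVDenyCrossOrg pair is what turns “only organisation-issued, encrypted USB sticks” into an enforced control: a stick that is not BitLocker-protected, or that was encrypted under another organisation's identifier, mounts read-only.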
 
Organisations that implement ISO/IEC 27002:2005 will be on a positive pathway.  It establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organisation, and the objectives it outlines provide general guidance on the commonly accepted goals of information security management.   ISO/IEC 27002:2005 contains best-practice control objectives and controls across the areas of information security management.  ISO 27001, the companion standard that specifies the requirements for an information security management system and against which organisations are certified, is critical to the operation and perhaps even the survival of your organisation.  Being certified to ISO 27001 will help you to manage and protect your valuable information assets.
 
Getting the CEO and management “buy in” to this change process is extremely important.  
 
The Sarbanes-Oxley Act 2002 in the USA clearly lays responsibility on the CEO to ensure accurate financial practice and corporate governance. It introduced stringent new rules with the stated objective “to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws”.  
 
In the UK the Daily Telegraph ran the headline in 2008 “One official disciplined over data loss every day”.  Paul Gray, then Chairman of HM Revenue and Customs, resigned after the department admitted losing the personal details of 25 million people from the child benefit database.
 
Conclusion
 
An organisation's culture is forever changing. Everybody in an organisation has a responsibility for data security and privacy, and culture has a large part to play in data breaches.  It is normally a minor breach that hits the headlines, comes to the attention of the Data Protection Commissioner or ends up on Joe Duffy.  Hopefully it won't be you.