Brian Pennington

A blog about Cyber Security & Compliance


October 2011

Who fell foul of the Information Commissioner in October?

A week after my post Calls for tougher penalties for breaches of the Data Protection Act (read it here), I thought it would be a good time to look at who the Information Commissioner’s Office (ICO) has taken action against during October 2011.

For consistency I have also included actions taken since 7 September, the point at which my previous posting, “Who has the Information Commissioner caught in the last 3 months?” (read it here), left off.

28 October 2011
An undertaking to comply with the seventh data protection principle has been signed by Newcastle Youth Offending Team. This follows the theft of an unencrypted laptop containing sensitive personal data. Read my post on this incident here.

27 October 2011
An undertaking to comply with the seventh data protection principle has been signed by University Hospitals Coventry & Warwickshire NHS Trust. This follows two separate incidents involving the loss of personal data by the Trust.

19 October 2011
An undertaking to comply with the seventh data protection principle has been signed by Spectrum Housing Group. This follows a non-secure e-mail with an Excel attachment containing personal data relating to employees of the data controller being sent in error to an unintended recipient outside the organisation. It was also discovered that data within ‘hidden’ pivot cells forming part of the spreadsheet could be revealed.

17 October 2011
An undertaking to comply with the seventh data protection principle has been signed by Dumfries and Galloway Council. This follows the accidental online disclosure of current and former employees’ personal data in response to a Freedom of Information (Scotland) Act request.

5 October 2011
An undertaking to comply with the seventh data protection principle has been signed by the General Secretary of the Association of School and College Leaders (ASCL). This follows theft of a laptop containing sensitive personal data from the home of an employee.

An undertaking to comply with the seventh data protection principle has been signed by Holly Park School. This follows the theft of an unencrypted laptop containing personal data relating to nine pupils.

See my post on these two incidents, “Education, education, when will people learn, encrypt your data as two more education establishments lose data”, here.

4 October 2011
An undertaking has been signed by Dartford and Gravesham NHS Trust following the accidental destruction of 10,000 archived records. The records – which should have been kept in a dedicated storage area – were put in a disposal room due to lack of space. See my post, Hospital Destroys 10,000 Archived Records, here.

An undertaking has also been signed by Poole Hospital NHS Foundation Trust after two diaries – containing information relating to the care of 240 midwifery patients – were stolen from a nurse’s car. The diaries included patients’ names, addresses and details of previous visits and were used by the nurse during out of hours duty.

20 September 2011
An undertaking to comply with the third and seventh data protection principles has been signed by Eastleigh Borough Council. This follows the potential disclosure of a document containing sensitive personal data.

15 September 2011
An undertaking to comply with the seventh data protection principle has been signed by the Child Exploitation and Online Protection Centre (CEOP) and its parent organisation the Serious Organised Crime Agency (SOCA). This follows the discovery that CEOP’s website reporting forms were being transmitted insecurely. See my post on this, “ICO takes action against the Child Exploitation and Online Protection Centre and the Serious Organised Crime Agency”, here.
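The CEOP entry above says only that the reporting forms were “transmitted insecurely” and does not say how. The commonest way a web form ends up in that state is a submission over plain HTTP, and the check below, which is an added example and not code from the ICO, CEOP or the original post, looks for exactly that (treating the plain-HTTP cause as an assumption). Given a page’s own URL and its HTML, it resolves every form’s `action` and flags any form that would not submit over TLS; it also flags a form whose target is https but whose page was served over http, because anyone on the path can rewrite the action before the user presses submit. The sample page, hosts and paths are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record the action and method of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = {k.lower(): (v or "") for k, v in attrs}
            self.forms.append((a.get("action", ""), a.get("method", "get").lower()))


def audit_forms(page_url: str, html: str) -> list:
    """Return one finding per form whose submission is not protected by TLS.

    Two cases are reported:
      - the resolved form target is not https; an empty or relative action
        inherits the page's own scheme, so a form on an http page is insecure
        even when it reads action="/report";
      - the target is https but the page itself came over http, so the form
        can be altered in transit before the user submits it.
    """
    collector = _FormCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for action, method in collector.forms:
        target = urljoin(page_url, action)
        if urlsplit(target).scheme.lower() != "https":
            reason = "form submits over plain HTTP"
        elif page_scheme != "https":
            reason = "form served over plain HTTP; action can be rewritten in transit"
        else:
            continue
        findings.append({"action": action, "method": method,
                         "submits_to": target, "reason": reason})
    return findings


# Constructed sample page for the example; the hosts and paths are made up.
SAMPLE_HTML = """
<html><body>
<h1>Report a concern</h1>
<form method="post" action="/cgi-bin/report">
  <textarea name="details"></textarea><input type="submit">
</form>
<form method="post" action="https://secure.example.org/report">
  <input name="email"><input type="submit">
</form>
<form action="http://www.example.org/search">
  <input name="q"><input type="submit">
</form>
</body></html>
"""


if __name__ == "__main__":
    for page in ("http://www.example.org/report", "https://www.example.org/report"):
        print(page)
        for f in audit_forms(page, SAMPLE_HTML):
            print(f"  {f['method'].upper()} {f['submits_to']}: {f['reason']}")
```

Run against the same HTML at an http and an https page URL, the first yields three findings and the second only one (the form whose action is hard-coded to http), which is the point of resolving relative actions against the page rather than reading them literally.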

An undertaking to comply with the seventh data protection principle has been signed by Royal Liverpool & Broadgreen University Hospitals NHS Trust. This follows two separate incidents involving the loss of personal data by the Trust.

14 September 2011
An undertaking to comply with the seventh data protection principle has been signed by Eastern and Coastal Kent Primary Care Trust. This follows the loss of a CD containing personal data during a move of office premises.

9 September 2011
An undertaking to comply with the seventh data protection principle has been signed by Walsall Council. This follows the accidental disposal of postal vote statements in a skip by the council’s data processor. The council did not have a written agreement with the data processor selected to store this personal data.



Newcastle Youth Offending Team breached the Data Protection Act after theft of an unencrypted laptop

Newcastle Youth Offending Team breached the Data Protection Act by failing to encrypt a laptop containing personal data which was later stolen, the Information Commissioner’s Office (ICO) said today.

The laptop – which contained personal data relating to 100 young people – was reported stolen from a contractor’s home in the Northumbria area in January. The contractor had been working on a youth inclusion programme on behalf of the Team. Most of the personal data stored on the laptop consisted of names, addresses, dates of birth and the name of the school the young person attended.

The ICO’s investigation found that, although Newcastle Youth Offending Team had a contract in place with the contractor, there was a failure to ensure that its employees were complying with necessary security measures.

Newcastle Youth Offending Team has stated that it will now take reasonable steps to ensure all data processors contracted to act on its behalf comply with the principles of the Act, including that all portable and mobile devices, including laptops, are encrypted.

Acting Head of Enforcement, Sally-Anne Poole, said:

“Encryption is a basic procedure and an inexpensive way to ensure that information is kept secure. But, to their detriment, not enough data handlers are making use of it. This case also highlights how important it is to ensure that watertight procedures are in place before any work is undertaken by contractors. Organisations shouldn’t simply assume that third parties will handle personal data in line with their usual standards. I’m pleased that Newcastle Youth Offending Team has learned lessons from this incident and hope that it encourages others to heed our advice.” 


Calls for tougher penalties for breaches of the Data Protection Act

In the United Kingdom the Act of Parliament that seeks to protect the personal data of its citizens is the Data Protection Act 1998 (DPA).

The enforcer of the Act is the Information Commissioner’s Office (ICO). The ICO also has responsibility for other Acts of Parliament, specifically the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the Privacy and Electronic Communications Regulations 2003.

Within the Data Protection Act, anyone who processes personal information must comply with eight principles, which make sure that personal information is:

  1.  Fairly and lawfully processed
  2.  Processed for limited purposes
  3.  Adequate, relevant and not excessive
  4.  Accurate and up to date
  5.  Not kept for longer than is necessary
  6.  Processed in line with your rights
  7.  Secure
  8.  Not transferred to other countries without adequate protection

The Justice Committee has recently produced a report on referral fees and the theft of personal data and concluded that the penalties for breaching the Data Protection Act need to be tougher.

Sir Alan Beith, the Chair of the Justice Committee said:

“Using deception to obtain personal information – sometimes known as blagging – or selling it on without permission are serious offences that can cause great harm.

Fines are used to punish breaches of data protection laws, but they provide little deterrent when the financial gain exceeds the penalty.

“Magistrates and Judges need to be able to hand out custodial sentences when serious misuses of personal information come to light. Parliament has provided that power, but Ministers have not yet brought it into force – they must do so.”

Report on the Potential misuses of personal data
Potential misuses of personal data are also not being fully investigated, the MPs warn, because the Information Commissioner does not have the power to compel private sector organisations to undergo information audits. If the Commissioner had been able to compel audits of insurance companies and personal injury lawyers the issues around referral fees might have been identified and tackled sooner.

Sir Alan Beith MP added:

“The Information Commissioner’s lack of inspection power is limiting his ability to identify problems or investigate potential data abuses.

Ministers must examine how to enable the Commissioner to investigate properly without increasing the regulatory burden on business or the public sector.”

Report on Referral fees
The committee welcomes the Government’s commitment to ban referral fees in personal injury cases. The MPs call on Ministers to take into account the fact that referral fees reward a range of illegal behaviour. The report concludes that banning referral fees, together with custodial sentences for breaches of Section 55 of the Data Protection Act, would increase the deterrent and reduce the financial incentives for such offences.

Case studies quoted in the Justice Committee Report:

  1. In one case, a nurse was providing patient details to her partner, who worked for an accident management company. A fine of £150 per offence was imposed, but accident management companies pay up to £900 for one client’s details.
  2. A woman whose husband had been jailed for sexual assault accessed the bank account details of the victim. The woman attempted to monitor the victim’s spending and social activities but was only fined £100 per offence.

Information Commissioner, Christopher Graham said:

“The Government should lose no more time in bringing in appropriate deterrent sentences to combat the unlawful trade in personal data. Lord Justice Leveson’s Inquiry into press standards should not be used as an excuse for inaction. The Ministry of Justice still has not given a response to the previous administration’s public consultation of two years ago. We need action, not more words. Citizens are being denied the protection they are entitled to expect from the Data Protection Act.

“We shouldn’t have to wait a further year for the 2008 legislation to be commenced when today’s highly profitable trade in our data has little if anything to do with the press.

“The Commissioner recently called for stronger powers of audit. The ICO is building a business case for the extension of Assessment Notice powers to parts of the private sector such as motor insurance and financial services as well as to the NHS and local government.

“I welcome the support of the Justice Committee.”


Students are concerned that information online might affect their careers

42% of students are concerned that personal information available about them online might affect their future employment prospects, the Information Commissioner’s Office (ICO) said as it launched its 2011 Student Brand Ambassador campaign.

New figures also show that many students are not adequately protecting themselves against the risk of identity theft.

  • 33% of students who have lived at a previous address while at university still haven’t arranged the redirection of all their important post to their current university address
  • 76% haven’t checked their credit rating in the last year
  • 66% have never checked it, allowing suspicious credit applications to go unnoticed

The ICO has launched its 2011 Student Brand Ambassador Campaign, a nationwide project aimed at raising young people’s awareness of information rights.

Students at 15 universities across the UK, including Manchester, Cardiff, Edinburgh and Ulster, have been recruited to promote the ICO’s work on campus. Tasks involve spreading the word using social media, generating local media coverage and doing promotional work.

Information Commissioner, Christopher Graham, said:

“In tough times, young people are clearly less relaxed about privacy, particularly in relation to information that they post online – but many may not know what they can do about it. The Student Brand Ambassador campaign is about arming students with the advice they need to protect themselves from obvious dangers such as identity theft and keeping their social lives private. It’s about empowering young people to take back control of their information and I hope the campaign is embraced by students at universities across the UK.”

All figures, unless otherwise stated, are from YouGov Plc.  The survey’s total sample size was 500 full time university students. Fieldwork was undertaken between 14 and 17 October 2011.


The Ten Early Warning Signs Of Fraud In Organisations

Following a survey, the National Fraud Authority (NFA) has offered advice on how to minimise the impact of fraud.

Ten Early Warning Signs Of Fraud In Organisations
1. Erratic reporting
Erratic, incomplete, late or excuse-laden management reporting is often a classic sign that something is wrong, and one of the possibilities is fraud. Further investigation often reveals that the common excuses are frequent IT failures or compatibility problems between different company or international systems. Act: Insist on up-to-date reporting. Wherever appropriate, adopt an enterprise-wide approach to technology to help with systems issues.

2. Apparent Process Laziness
A weakening of anti-fraud and data security systems can happen naturally over time, and is normal – especially when things get busy. However, with the seemingly right processes in place, top-level management are often lulled into a false sense of security that those processes are actually being used, whilst the fraudster is busy at work getting around them. Act: Make sure you implement the suggestions of your internal compliance managers. Where systems or processes come under pressure when used in practice, introduce a review process – and then adapt them promptly.

3. Organisational change and the desire to dump data
A major indicator can be the act of deletion, or pressure on staff to delete, remove or otherwise dump past records following a restructure. An excuse such as “oh, I’m sorry, those files were destroyed” should be cause for alarm. Act: Take care to establish and log where paper documents are and when they should and should not be stored. Identify who is in control of the system processes and who is responsible for, and has ownership of, the records.

4. Data Inconsistencies
Whether it is archive data or cross-reference checks that are missing or wrong, factual inconsistencies will also occur naturally. Those who seek to defraud an organisation will use that possibility to explain away inconsistencies and hide their fraud. Act: Make sure that all files are stored electronically, with appropriate back-ups, as part of your compliance systems, and that no one has delete rights over those files.

5. Audit-Time Delays
Excuses, confusion or wild goose chases when disclosing to auditors, be they internal or external, can be a telltale sign too. We need to remember though that the audit team is not there to find fraud, rather to ensure that the correct processes are in place that will deliver appropriate protection. Act: Ensure that everyone treats audits as important and make sure that they are completed on time and properly, and with appropriate audit skills. Make sure that the business critical and financial exposure areas take a priority and act upon all failings both quickly and completely; with follow-up audits if necessary.

6. Behaviour Abnormalities
These can range from acute defensiveness and resistance to attending review meetings, through to blaming strategies or even aggression when specific questions are asked about processes or figures. Research shows that internal fraudsters are most likely to be either ‘youngsters who cut across the processes and systems’ or ‘middle aged executives with the authority and a gripe’. Act: Get HR more closely involved. Then if you still have concerns about such people upon closer inspection, all the relevant files need to be pulled and checked.

7. Gossip Mongers in overdrive
Staff whispers and rumours “that all is not right” should always be taken seriously. These are, however, so often overlooked by senior management. Act: Listen, take all such rumours seriously and investigate the reality.

8. Twitchy Non-Execs
Good non-execs provide a considered, independent and external perspective. Often they bring in specific expertise from outside the board’s immediate experience and their skills can vary from financial knowledge through to IT. When their comfort factor ‘goes south’ or when they have a ‘bee in the bonnet’ about something that does not add up or make sense, they often have good reason to worry. So must you. Act: It is always good for the business to maintain a fresh supply of new thinking, new approaches and new concerns. Thus if non-execs have concerns about particular issues, one should allow them to bring in the appropriate specialist experts that can investigate matters more deeply.

9. Unofficial IT Work
Technical staff working around the enterprise conducting unsupervised IT activity, often outside normal hours, can also be a worrying sign, both from a risk and a cost perspective. Not every company is large enough to have a full IT department that might spot such issues through system audit trails. Act: Do the IT security staff look and think further than just password expiry issues? Make sure that someone is on the lookout for data theft, IPR theft, time theft (people spending all day on Facebook etc.) or simple theft of IT assets. Make sure you have a proper asset register and IT audit system in place.

10. Scapegoating
Where people are given a title but without actual responsibility, it can effectively cover up what is going on with those who do have responsibility or power in a situation. The fraudster’s hope is that should the balloon go up the scapegoat takes the blame, at least long enough for records to be destroyed and evidence removed. Act: Make sure that you have strong and cascaded accountabilities. Ensure that people know what they should be doing, and that they are doing what is required of them. Make sure that everyone is contributing to the business objectives. Make sure HR is involved in creating or reviewing job specifications.


Advice for Small Businesses on how to avoid Identity theft

The Identity Theft Council (ITC) has recently issued a press release promoting Identity Theft awareness and offered advice on how to avoid the problem.

They quote a Javelin Strategy & Research study, which found that:

  • fraud suffered by small business owners (SMBOs) totalled $8 billion
  • banks, merchants and other providers absorbed at least $5.43 billion of that loss
  • the cost to the victims themselves was $2.61 billion

According to the U.S. Small Business Administration, small businesses represent more than 99 percent of all U.S. businesses, and of the estimated 27 million small businesses more than 21 million are sole proprietors. The ITC concluded that small businesses are ideal candidates for identity theft.

“The ITC works with individual identity theft victims and small business owners to educate them about identity theft and to provide resolution services,” said Neal O’Farrell, Executive Director of the Identity Theft Council (ITC), and security expert. “Unfortunately, small business owners are being targeted more today than ever before due to the criminals’ ability to easily access important information and go undetected.”

Identity Theft Council tips for prevention and detection:

  • Write a security plan. Security starts with a plan. A plan can be as simple as the security rules, guidelines, and goals for your business, and the consequences for ignoring them. A plan is also an easy way to help you remember your security priorities.
  • Do an inventory of your data. Data is what the thieves want, whether it’s customer account or credit card data, employee Social Security numbers, or even databases of target customers. If you don’t know what data you have in your business, or where it is, then you can’t effectively protect it.
  • Train your employees. Enlist every employee, family member, partner, and contractor as a vigilant sentry so that every stakeholder understands how to protect their corner of cyberspace. Most thieves will target the weakest link, and that’s usually a careless or untrained employee.
  • Guard your business accounts well. As a business owner you don’t enjoy the benefits of zero liability, so if your account is emptied by crooks, the bank won’t bail you out.
  • Restrict employee and insider access to data. For everyone’s safety employees should only have access to the data they need to do their job. And that access should also be monitored.
  • Be especially wary of banking Trojans. These highly sophisticated programs can easily creep on to your computers, steal bank logins and passwords, and quickly empty your bank accounts.
  • Monitor your bank accounts and credit cards constantly. These can often provide the earliest warning that thieves have obtained your account information and have started to use it. Most financial institutions provide free instant alerts to warn you about any unusual account activity.
  • Be wary of business identity theft, too. Business identity theft is a growing problem, and it involves criminals using publicly available information about your company to pretend to be the legitimate owners of your business so they can take out substantial loans and leave you to clean up the mess. An easy precaution is to regularly Google your business name for any clones.
  • Use the available technologies. As a small business owner you have many choices when it comes to protecting your employees, your computers, and your data from cyber thieves. And some of the best tools are free. So make sure every computer in your business is locked down with layers of security technology.

“As a co-founder of the Identity Theft Council, Intersections believes in helping victims of ID theft find resolution, and in educating the community about how to protect themselves from the crime,” said Michael Stanfield, Chairman and CEO of Intersections Inc. “Small business owners are a unique group of victims that straddle between the consumer and business world, and are a prime target for criminals.”

Find the ITC website here


PCI Security Standards Council opens election for new Special Interest Groups

The PCI Security Standards Council (PCI SSC) has opened the election for new Special Interest Groups (SIGs).

The Council developed Special Interest Groups to leverage the expertise of more than 600 Participating Organizations and provide a vehicle for incorporating their ideas and input into the work of the Council. SIGs focus on providing recommendations to the Council, which often result in guidance for the community on how to interpret and implement the PCI Standards.

To date SIG participants have made significant contributions to Council resources on topics such as

  • Wireless security
  • EMV chip
  • Point-to-Point Encryption
  • Virtualized environments

Participating Organizations are invited to submit votes for their top three of the seven shortlisted proposals. The proposals were submitted by a cross-section of merchants, acquirers, industry associations, service providers, Qualified Security Assessors (QSA) and vendors. They cover the following topics:

  • Small ecommerce merchants
  • Effective patch management that is compliant with PCI DSS requirement 6.1
  • Administrative access to systems and devices
  • Cloud
  • Small businesses
  • Hosted, managed application and service providers
  • Risk assessments

“The Council is delighted at the level of input we’ve received from the community in the form of SIG proposals,” said Jeremy King, European director, PCI Security Standards Council. “I’m particularly pleased to see such broad global representation and perspectives in submissions. Securing payment card data is a global challenge and the Council’s worldwide stakeholders are uniquely positioned to partner with us in tackling this.”

The polls close on Friday 4 November 2011. Results will be announced following the election, together with next steps on how to volunteer for the Special Interest Groups.


Information Commissioner: Businesses ‘waking up’ to Data Protection responsibilities


Businesses may be ‘waking up’ to their obligations under the Data Protection Act (DPA), but public confidence in how personal information is being handled continues to decline, the Information Commissioner’s Office (ICO) said today.

Figures published show that nearly three quarters of businesses surveyed now know that the DPA requires them to keep personal information secure. This is up 26% on last year’s figure.

Public confidence has fallen, with less than half of those surveyed believing organisations process their data in a fair and proper manner. Concern is particularly high in relation to web-based businesses, with almost three quarters of individuals believing that online companies are not keeping their details secure.

Information Commissioner, Christopher Graham said:

“I’m encouraged that the private sector is waking up to its data protection responsibilities, with unprompted awareness of the Act’s principles higher than ever. However, the sector does not seem to be putting its knowledge to good use. The fact is that security breaches in the private sector are on the rise, and public confidence in good information handling is declining. Businesses seem to know what they need to do – now they just need to get on with doing it. It’s not just the threat of a £500,000 fine that should provide the incentive. Companies need to consider the damage that can be done to a brand’s reputation when data is not handled properly. Customers will turn away from brands that let them down.”   

The ICO’s annual track survey looks at information rights issues across the board. Other figures released today show that awareness of citizens’ rights under the Freedom of Information Act is increasing.

    • 90% of public authorities surveyed are aware that individuals have a right to see information.
    • 84% – also agreed that the Act is needed.
    • 24% of respondents were sceptical that the information they’d like to see is actually being made public.
    • Just half of those surveyed are satisfied that information is readily available and accessible.
    • 70% recognise the ICO’s role as the enforcer of the Data Protection Act, the highest awareness level since the question was introduced to the annual survey in 2004.
    • 53% of businesses surveyed now have a clear understanding of the ICO’s role in this area, compared with 20% last year. This increase is partly driven by the private sector.
    • 58% more breaches have been reported to the ICO so far in 2011/12 than in the same period last year.
The Information Commissioner, Christopher Graham added:

“This survey highlights the increasing importance of accountability and transparency, and the public’s right to know. Almost all public authorities can see the clear benefits of having freedom of information laws. But more needs to be done to make sure that the right information is being made available since only half of citizens surveyed feel they have easy access to the information they want.”


Housing Group breaches the Data Protection Act by Emailing a spreadsheet

Spectrum Housing Group based in Dorset breached the Data Protection Act by sending the personal data of 200 employees to the wrong email address, the Information Commissioner’s Office (ICO) said today.

In March 2011, an employee of Spectrum Housing Group accidentally emailed a non-secure Excel spreadsheet containing employees’ data, including details of their pension contributions, to the wrong external email address. The error was discovered 30 minutes after the email had been sent, at which point the unintended recipient was informed and the data destroyed.

The ICO’s investigation found that at the time of the incident Spectrum Housing did not have a sufficient policy in place to help prevent such incidents and has ordered the company to take action.

Acting Head of Enforcement, Sally Anne Poole said:

“While on this occasion the information compromised was not sensitive, the fact is that at the time of the incident Spectrum Housing Group did not have appropriate controls in place. This case highlights the need for organisations to make sure that adequate checks are in place and documents suitably protected before they are sent out.”

Wayne Morris, Group Chief Executive, of Spectrum Housing Group, has now signed a formal undertaking to ensure that spreadsheets or other documents containing personal data are only sent by email where necessary and only contain the minimum amount of data required. The organisation will also consider, where appropriate, password protecting or encrypting documents containing personal information.
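The Spectrum Housing incident (also listed under 19 October above) turned on a spreadsheet whose ‘hidden’ pivot cells could reveal data the sender never meant to attach, and the undertaking’s remedy is to send the minimum data and protect the file. The check below is an added example, not code from the ICO, Spectrum Housing or the original post: it is the kind of pre-send test a practitioner could run before an .xlsx leaves the organisation. An .xlsx is a zip archive, and the part names it inspects follow the Office Open XML layout: `xl/pivotCache/pivotCacheRecords*.xml` (a pivot table’s copy of its source rows, which survives the source sheet being hidden or deleted), sheets marked `hidden` or `veryHidden` in `xl/workbook.xml`, and rows or columns flagged `hidden` in the worksheet parts. The sample workbook it builds is constructed and deliberately minimal (Excel would not open it), and the names and figures in it are made up.

```python
import io
import re
import zipfile

# Parts of an .xlsx (a zip archive) that can carry data the visible cells do
# not show.  Pivot tables keep their source rows in pivotCacheRecords*.xml.
PIVOT_RECORDS_RE = re.compile(r"^xl/pivotCache/pivotCacheRecords\d+\.xml$")
SHEET_TAG_RE = re.compile(r"<sheet\b[^>]*?/?>")
HIDDEN_ROWCOL_RE = re.compile(r'<(?:row|col)\b[^>]*\bhidden="(?:1|true)"')


def _attr(tag: str, name: str):
    """Pull one attribute value out of an XML start tag (no namespace handling)."""
    m = re.search(r'(?<![\w:])%s="([^"]*)"' % re.escape(name), tag)
    return m.group(1) if m else None


def audit_xlsx(data: bytes) -> dict:
    """Scan an .xlsx byte string for content that would leak if the file were sent.

    Returns a dict with:
      pivot_caches   - names of pivot cache record parts (raw source rows)
      hidden_sheets  - (sheet name, state) for sheets marked hidden/veryHidden
      hidden_rowcols - count of rows and columns flagged hidden in any sheet
    """
    findings = {"pivot_caches": [], "hidden_sheets": [], "hidden_rowcols": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if PIVOT_RECORDS_RE.match(name):
                findings["pivot_caches"].append(name)
            elif name == "xl/workbook.xml":
                xml = zf.read(name).decode("utf-8", "replace")
                for tag in SHEET_TAG_RE.findall(xml):
                    state = _attr(tag, "state")
                    if state in ("hidden", "veryHidden"):
                        findings["hidden_sheets"].append((_attr(tag, "name"), state))
            elif name.startswith("xl/worksheets/") and name.endswith(".xml"):
                xml = zf.read(name).decode("utf-8", "replace")
                findings["hidden_rowcols"] += len(HIDDEN_ROWCOL_RE.findall(xml))
    return findings


def safe_to_send(findings: dict) -> bool:
    """True only when nothing beyond the visible cells would travel with the file."""
    return not (findings["pivot_caches"] or findings["hidden_sheets"]
                or findings["hidden_rowcols"])


def build_sample_xlsx(with_leaks: bool = True) -> bytes:
    """Constructed minimal workbook skeleton used as sample input (made-up data).

    Only the parts the scanner reads are present, so Excel would not open it.
    With with_leaks=True it carries a veryHidden sheet, a hidden row, a hidden
    column and a pivot cache holding a name and a contribution figure.
    """
    parts = {
        "xl/workbook.xml": (
            '<workbook><sheets><sheet name="Summary" sheetId="1" r:id="rId1"/>'
            + ('<sheet name="Payroll source" sheetId="2" state="veryHidden" r:id="rId2"/>'
               if with_leaks else '')
            + '</sheets></workbook>'),
        "xl/worksheets/sheet1.xml": (
            '<worksheet><sheetData>'
            '<row r="1"><c r="A1" t="inlineStr"><is><t>Total contributions</t></is></c></row>'
            + ('<row r="2" hidden="1"><c r="A2"><v>412.5</v></c></row>' if with_leaks else '')
            + '</sheetData></worksheet>'),
    }
    if with_leaks:
        parts["xl/worksheets/sheet2.xml"] = (
            '<worksheet><cols><col min="3" max="3" hidden="1"/></cols><sheetData>'
            '<row r="1"><c r="C1" t="inlineStr"><is><t>NI number</t></is></c></row>'
            '</sheetData></worksheet>')
        parts["xl/pivotCache/pivotCacheDefinition1.xml"] = '<pivotCacheDefinition/>'
        parts["xl/pivotCache/pivotCacheRecords1.xml"] = (
            '<pivotCacheRecords count="1"><r><s v="J. Bloggs"/><n v="412.5"/></r>'
            '</pivotCacheRecords>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, '<?xml version="1.0" encoding="UTF-8"?>' + xml)
    return buf.getvalue()


if __name__ == "__main__":
    report = audit_xlsx(build_sample_xlsx())
    for key, value in report.items():
        print(f"{key}: {value}")
    print("safe to send:", safe_to_send(report))
```

The scanner only reports; deleting the pivot cache parts from the archive would break the workbook’s relationships, so the practical fix when it flags a file is to copy the needed values into a fresh workbook (or export to CSV) and send that, which is also what “only contain the minimum amount of data required” amounts to in practice.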


PCI SSC updates PTS program for Encryption and Mobile

The PCI Security Standards Council has provided an update to the PIN Transaction Security (PTS) program for secure point-to-point encryption (P2PE) and mobile payment acceptance.

PTS 3.1 adds two new approval classes that facilitate the deployment of P2PE technology in payment card security efforts, building on the Secure Reading and Exchange of Data (SRED) module previously introduced in version 3.0 to support the secure encryption of account data at the point of interaction. Until now, the PIN Transaction Security program has applied to PIN acceptance devices only. With the release of version 3.1, requirements will expand for the first time to include protection of account data on devices that do not accept PIN, meaning any card acceptance device can now be PTS tested and approved and eligible to deploy point-to-point encryption technology.

Additionally, the requirements have been updated to address secure (encrypting) card readers (SCR), further facilitating the deployment of P2PE technology and the use of open platforms, such as mobile phones, to accept payments. Merchants looking to use magnetic stripe readers (MSRs) or MSR plug-ins now can ensure these devices have been tested and approved to encrypt data on the reader before it reaches the device.

The Council published a roadmap outlining its approach to point-to-point encryption technology in the cardholder data environment late last year and recently released the PCI Point-to-Point Encryption Requirements, the first set of validation requirements in its P2PE program. Findings from its initial examination of mobile payment acceptance applications in light of the PA-DSS were published in June, and in collaboration with industry experts in an SSC-led Mobile Taskforce, the Council aims to deliver further guidance by year’s end.

“We know how eager the market is to implement P2PE,” said Bob Russo, general manager, PCI Security Standards Council. “By releasing these updated requirements now, merchants using any type of card acceptance device will have the ability to encrypt data at the point of interaction and ensure its protection. Additionally, we’ve opened the standard up to address mobile devices, another area of great interest to our stakeholders.”

The updated PTS Security program requirements and detailed listing of approved devices are available on the Council’s website.

There will be a session devoted to PTS program updates, including a dedicated question and answer forum, at the PCI Community Meeting taking place in London, England on October 17-19.

Additionally, the Council will host a Webinar for Participating Organizations and the public outlining the newest updates to the PIN Transaction Security program, followed by a live Q&A session.

To register for the November 8 session, please visit here.

To register for the November 10 session, please visit here.

For more details on PCI visit the PCI Resources page here.


Security should not be viewed as an isolated activity

IP EXPO’s 2011 security index survey was conducted among IT professionals from businesses of all sizes and sectors on behalf of Imago Techmedia and the IP EXPO show organisers.

“Respondents to our survey overwhelmingly agreed that IT security should not be viewed as an isolated activity, but would best be treated as an integrated part of businesses’ entire technology reviews and processes,” said Mike England, Social Business & Content Director at IP EXPO event organiser Imago Techmedia.

The key findings include:

  • 70% said they believed security would be best considered collaboratively and routinely across all aspects of ICT
  • 47% said they believed their own organisations needed more security-related collaboration between different ICT disciplines
  • 44% of respondents stated that at least a quarter of their jobs involved IT security. For 23%, security took up more than half their time
  • 23% of respondents said that their approaches to compliance compromised their security
  • 26% said mobile devices such as smartphones and laptops posed the highest risk of data loss to their businesses
  • 18% said memory sticks being used for data theft posed the highest risk to their businesses
  • 18% of IT pros say their businesses may not survive the consequences of a major security breach
  • Nearly one-fifth of IT professionals fear their businesses may never re-open for business or would fail shortly after a major security breach
  • 68% said they viewed IT security as “a necessary evil”

CSA UK & Ireland President Des Ward commented on the results of the survey:

“Lack of collaboration and a perceived disconnect between security and business would explain the view of security being deemed ‘a necessary evil’, or even a cost of doing business online and consequently having little real business value. Businesses need to evolve beyond compliance risk management to information risk management in order to implement strategies that reduce the likelihood of breaches occurring, while at the same time affording a level of business agility fitting today’s interconnected society,” he suggested.

Of the main findings, Nigel Stanley, security practice leader at Bloor Research and IT Security Pathfinder at IP EXPO, said:

“What’s clear is that even if someone’s job doesn’t directly involve security per se, everyone needs to be actively engaged in dealing with the problem. And the way that businesses are going about it is encouraging, because security management needs to be a two-way process with the users actively engaged in the process. Generally, taking compliance steps should enhance an organisation’s security – unless of course it is doing just enough to tick the boxes but failing to see the broader benefits of building a compliant business. However, reducing security posture to achieve compliance is bonkers.

“The IT security industry has been left wanting in respect of the consumerisation of IT that’s been fuelled by smartphone adoption. Only now are we starting to see management tools for these devices, so it’s no surprise that these have been identified by respondents as the biggest risk area,” he commented.

IP EXPO will be in London on the 19th and 20th October 2011.


Disclosure rules clarified, or made more confusing?


Following the UK Information Commissioner’s call for compulsory audits and the disclosure laws in France and Germany, the US Securities and Exchange Commission (SEC) has released a statement containing Disclosure Guidance.

In setting the scene for its Disclosure Guidance, the SEC points out the risks and results of a cyber attack:

Victim(s) of successful cyber attacks may incur substantial costs and suffer other negative consequences, which may include, but are not limited to:

  • Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused;
  • Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack;
  • Increased cybersecurity protection costs that may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants;
  • Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
  • Litigation; and
  • Reputational damage adversely affecting customer or investor confidence.

When identifying the situations in which a disclosure is required after a cyber attack, the SEC notes the following:

  • Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.
  • Registrants should address cybersecurity risks and cyber incidents in their MD&A if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.
  • If one or more cyber incidents materially affect a registrant’s products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure in the registrant’s “Description of Business.”
  • If a material pending legal proceeding to which a registrant or any of its subsidiaries is a party involves a cyber incident, the registrant may need to disclose information regarding this litigation in its “Legal Proceedings” disclosure.
  • To the extent a cyber incident is discovered after the balance sheet date but before the issuance of financial statements, registrants should consider whether disclosure of a recognized or nonrecognized subsequent event is necessary.

As with other governmental “guidance”, the overall theme is slightly vague. Even the initial summary raises the question “why offer the guidance if it has no meaning or enforcement?”, as it states:

“This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved its content.”

It is going to take an organisation to suffer a data breach and then not deal with the resulting fall-out in a professional and appropriate way for the SEC to step in and make an “example” of them. Then the case will be proven and the vagueness will be taken out of the guidance, hopefully.

As always, prevention is better than cure. Some simple precautions are below:

  • Policies. Ensure your staff know how to handle data and what to do if a breach or suspected breach occurs
  • Procedures. Documented and tested procedures for data handling, change management, etc.
  • Security Solutions. Do not rely on anti-virus and firewalls alone; implement access controls, Security Information & Event Management (SIEM) and of course encryption
  • Audits. Regular and thorough audits of people, processes and solutions
  • Incident response planning and testing. No matter how much time and money is invested in prevention, things can go wrong, and it is how an organisation deals with the incident that can make the difference between a good and a bad outcome

The SEC’s full statement is here.


Information Commissioner calls for powers to conduct compulsory Data Protection Audits


Powers to conduct compulsory data protection audits in local government, the health service and the private sector are needed to ensure compliance with the law, the Information Commissioner said today at the 10th annual data protection compliance conference in London.

Christopher Graham’s call came as figures showed that the ICO is being blocked from auditing organisations in sectors that are causing concern over their handling of personal information.

The only compulsory data protection audit powers the ICO currently has are for central government departments. For all other organisations the ICO has to win consent before an audit can take place.

Data breaches in the NHS continue to be a major problem. Of the 47 undertakings the ICO has agreed with organisations that have breached the Data Protection Act since April, over 40% (19) were in the healthcare sector.

In addition, the most serious personal data breaches that have resulted in a civil monetary penalty occurred in the local government sector. Four of the six penalties served so far involved local authorities.

Businesses remain the sector generating the most data protection complaints. Despite this, as reported in July, just 19% of companies contacted by the ICO accepted the offer of undergoing an audit.

The ICO has written to 29 banks and building societies and so far only six (20%) have agreed to undergo an audit. The insurance sector has also shown reluctance in this area. Of the 19 companies contacted this year by the ICO, only two agreed to an audit.

Information Commissioner, Christopher Graham said:

“Something is clearly wrong when the regulator has to ask permission from the organisations causing us concern before we can audit their data protection practices. Helping the healthcare sector, local government and businesses to handle personal data better are top priorities, and yet we are powerless to get in there and find out what is really going on.”

“With more data being collected about all of us than ever before, greater audit powers are urgently needed to ensure that the people handling our data are doing a proper job. I am preparing the business case for the extension of the ICO’s Assessment Notice powers under the Coroners and Justice Act 2009 to these problematic sectors.”  

The Information Commissioner also used his speech at the conference to give a six month update on the ICO’s complaints handling performance.

Complaints about marketing texts, some of which are known as spam texts, have trebled in volume since 2008/9, and now account for approximately 13% of all data protection complaints to the ICO. Over 1,000 complaints have been received since April.

The overall number of new Data Protection (DP) complaints is up by 2% compared to the same period last year.

The number of Freedom Of Information (FOI) complaints has also risen by around 5%. The ICO has increased its output to match the increase and has closed a record number of FOI cases during the first half of the year. Closures on DP cases are also up.


Hotel association to create unified security standards for Credit Card payments


Under the banner of the Hotel Technology Next Generation (HTNG), 16 major hotel groups from around the world are planning to work together to develop an industry-specific IT security framework for handling sensitive and credit card data.

The HTNG will be a not-for-profit trade body which will develop solutions and standards that can be used in the hospitality industry.

Hotel credit card transactions are more difficult to secure than in other industries. During the hotel reservation process, sensitive data often flows across systems managed by different companies. The data could be stored for weeks or months, from the initial booking, through check-in and charges for additional services such as bar bills, all the way to the final check-out.

Many different systems and software packages are used in processing a reservation, which makes security standards very important.

Solutions like tokenization can provide an answer for a single hotel or hotel chain but they will require a great deal of sharing and integration if more than one company wishes to share the same token.

The Wikipedia definition of tokenization is “the process of breaking a stream of text up into words, phrases, symbols, or other meaningful elements called tokens. The list of tokens becomes input for further processing such as parsing or text mining. Tokenization is useful both in linguistics (where it is a form of text segmentation), and in computer science, where it forms part of lexical analysis”.

To find out more about Tokenization download the Tokenization for Dummies booklet by clicking here, registration is required.

While major hotel companies have invested heavily in security within their own systems, they have no control over the hundreds of third-party systems that may touch their reservations prior to their guests’ arrival.

Early discussions indicate a broad agreement that a single industry framework is required, and that the framework needs to work with existing security approaches in place at major hotel companies and in commonly used systems, such as PCI DSS. There was also agreement on the key elements needed for the industry framework. The group intends to document this framework conceptually in a white paper that will form the basis for subsequent standards development.

Doug Rice, CEO of HTNG, said the organization initiated the process for the industry security framework in June. A charter has been created to ensure the hotels and organizations involved are on the same page. The group’s first meeting will take place in November.

Rice said everyone involved in accepting payments in the hotel industry needs to agree on the same framework for it to work effectively. Online travel agencies, distribution partners and payment processors will all need to be on board. The plan is for the major hotel companies to inform their partners of the plan at approximately the same time. Vendors will realize this is what they need to do if they want to meet the needs of the hotel industry, he said.

Once the partners are on board with the solution, independent hotels will start getting involved, too.

Rice said education will not necessarily be the role of HTNG. However, the group expects to work with organizations such as the Hospitality Financial and Technology Professionals to help implement the solution and spread the word in the industry.

“This is not going to be an overnight solution, it’s a journey, but it’s something that the industry has recognized needs to be addressed,” Rice said.

Read the HTNG Press Release here.

Also read “77% of Hospitality Sector Mistakenly Believe They Are PCI Compliant”.


Merchants are complacent about PCI DSS, report reveals.


Verizon have launched their 2011 Payment Industry Compliance Report which draws on their experiences as a QSA company and previous annual reports.

Extracts from the report are below.

Unchanged from last year, only 21% of organizations were fully compliant at the time of their Initial Report on Compliance (IROC). Verizon commented: “This is interesting, since most were validated to be in compliance during their prior assessment”.

  • Organizations met an average of 78% of all test procedures at the IROC stage
  • 20% of organizations passed less than half of the DSS requirements
  • 60% scored above the 80% mark

Organizations struggled most with the following PCI requirements:

  • 3 (protect stored cardholder data)
  • 10 (track and monitor access)
  • 11 (regularly test systems and processes)
  • 12 (maintain security policies).

The PCI requirements that showed the highest implementation levels were:

  • 4 (encrypt transmissions over public networks)
  • 5 (use and update anti-virus)
  • 7 (restrict access to need-to-know)
  • 9 (restrict physical access)

Organizations do not appear to be prioritizing their compliance efforts according to the PCI DSS Prioritized Approach published by the PCI Security Standards Council, even less so than in the previous year.

A mini-study comparing governance practices to the initial compliance score suggests that the way organizations approach compliance significantly factors into their success.

Once again, organizations that suffered data breaches were much less likely to be compliant than a normal population of PCI clients. Analysis of the top threat actions leading to the compromise of payment card data continues to exhibit strong coverage within scope of the PCI DSS. For most of them, multiple layers of relevant controls exist across the standard.

In the pool of assessments performed by Verizon QSAs included in this report:

  • 21% were found fully compliant at the completion of their IROC
  • This is just 1% less than in their last report, and effectively the same number

The lack of change is disappointing, as many in the industry were hoping to see an increase in overall compliance as the PCI DSS became more familiar to an increasing number of organizations.

79% of organizations were not sufficiently prepared for their initial assessment

Having established that only 21% “passed the test” the next question becomes “what was their score?”

  • On average, organizations met 78% of all test procedures defined in the DSS at the time of their IROC.
  • Down 3% from Verizon’s last report; but again, the difference is nominal.

Therefore, the baseline set by the PCI DSS must not reflect the baseline set by the companies themselves. For most organizations, to achieve compliance they must do things they were not previously doing (or maintaining).

Another common Achilles heel of merchants and service providers in the PCI assessment process is overconfidence:

 “It was painful, but we made it through last year, so this year should be a breeze”

is a typical sentiment with which many organizations approach the yearly assessment. That can be a costly mistake. When the QSA arrives on-site, a mere one fifth of businesses are found to be compliant, even when given the extra time between the on-site visit and completion of the IROC.

Complacency and fatigue are two additional drags that make maintaining compliance year over year difficult. Too many businesses approach PCI from the point of view that “what was good enough last year will be good enough this year.” But unless someone’s been babysitting a process, such as documenting and justifying all services allowed through the firewalls, things can easily be forgotten in the haste to get business done.

When examining the percentage of organizations passing each requirement at the IROC phase:

  • Some requirements show percentages dipping below 40%, while others exceed the 70% range.
  • Six of the twelve show an increase over last year, and the average is up two points.
  • However, the average number of test procedures met within each requirement is down 4%.
  • None of these numbers is indicative of a clear change given the size and makeup of the dataset, but it certainly reinforces the notion that organizations continue to struggle (at varying degrees) in all areas of the DSS.

How do organisations perform against the 12 Requirements? The four highest rated Requirements are:

  • 4 (encrypt transmissions)
  • 5 (AV software)
  • 7 (logical access)
  • 9 (physical access)

Requirement 10 (tracking and monitoring) boasted the highest gain, +13%.

Requirement 5 (AV software) may lose its place in the top three, which is an odd development, since AV software has for so long been among the most basic and widespread of security controls.

Requirement 4 (encrypt transmissions) showed a marked improvement which may indicate that administrators are deciding it’s easier to direct all Internet traffic containing credit card data over SSL.

Requirement 7 (logical access) showed a slight improvement, which could mean more strict attention is being paid to who is given access to cardholder data.

Requirements 3 (stored data) and 11 (regular testing) are once again in the bottom tier, while Requirement 12 (security policies) ousted 10 (tracking and monitoring) from the bottom. This suggests that the encryption of data at rest continues to be a major headache for organizations, especially the more detailed portions, such as annual key rotations.

Requirement 11’s low showing reminds us why ‘set and forget is a very bad bet’ should be a core mantra of the security profession. The fact that security policies rank among the lowest of the low is not a good sign since policy drives practice.

Requirement 1 remains virtually unchanged since last year, at 44% compliance, compared to the 46% in the last report. Only 63% of companies met Requirement 1.1.5 regularly.

Compliance is the continuous state of adhering to the regulatory standard. In the case of the PCI DSS there are daily (log review), weekly (file integrity monitoring), quarterly (vulnerability scanning), and annual (penetration testing) activities that an organization must perform in order to maintain this continuous state of compliance.

The entire report can be found on the Verizon web site here.


The huge and unexpected administrative costs of a data breach


Reading about another large data breach had me thinking about the non-technical side of a data breach.

In these current times it is impossible to avoid the stories of data breaches because the press and blogs spin into gear almost immediately.

Coming from the IT Security industry, I always think about the “normal” costs:-

  • The cost of forensics
  • The cost of the improved security, which may involve new solutions
  • The inevitable cost of training staff to understand and manage the new and improved security solutions
  • Then there are the compliance costs, the fines, the legal actions, credit monitoring, etc.

However, when I saw that Tricare, who had lost 4.9 million records, is going to POST out a notification to all those affected by their data breach I started to consider the “other” costs.

  • 4.9 million Database consolidations and data merging in readiness for the mailing
  • 4.9 million Address labels
  • 4.9 million Envelopes
  • 4.9 million Letters
  • 4.9 million Folds, inserts and sealings by machine or individual
  • 4.9 million Stamps or franks. For Tricare the affected ex-patients will be spread across the whole of America, with thousands out of the country. Even with bulk mailing discounts that is one very very large bill.
  • Then there is the helpdesk to deal with hundreds of thousands of calls from concerned individuals affected by the breach.
  • There will be other costs but this is a quick summary

Altogether that will be millions of dollars in direct costs (paper, postage, etc.) and probably millions in indirect costs, with staff tied up for weeks preparing the mail shot and then handling all the inbound and outbound calls resulting from it.

These “other” costs will be many multiples of the cost of the encryption and retraining required to close the door.

According to Tricare, the risk of the data’s misuse remains low. “Reading the tapes takes special machinery. Moreover, it takes a highly skilled individual to interpret the data on the tapes. Since we do not believe the tapes were taken with malicious intent, we believe the risk to beneficiaries is low,” their press release states.

The risk may be low but the costs are high. A really important lesson to anyone storing Personally Identifiable Information (PII).

The information, contained on backup tapes of electronic health records, was stolen from the car of an employee of Science Applications International Corp (SAIC). The employee was transporting the tapes between federal facilities. The data was partially encrypted, a spokesman said… “partially”…


UK Card Association offers advice on avoiding fraud


The UK Card Association has recently published advice on avoiding fraud.

Some common sense advice that should be used:-

i) Ensure you are the only person who knows your PIN. Your bank or the police will never phone or email you and ask you to disclose it.

ii) Your bank will never ring you and tell you that they are coming around to pick up your card, so never hand it over to anyone who comes to ‘collect it’.

iii) Shield your PIN with your free hand when typing it into a keypad in a shop or at a cash machine.

iv) Only shop on secure websites. Before entering card details ensure that the locked padlock or unbroken key symbol is showing in your browser.

v) Rip up or preferably shred statements, receipts and documents that contain information relating to your financial affairs when you dispose of them.

vi) Never accept a cheque from someone unless you know and trust them, especially if the cheque is for a high value.

vii) When writing a cheque make sure you draw a line through all unused space on the payee line and the amount line to help prevent the cheque being fraudulently altered.

viii) Make sure you have up-to-date anti-virus software installed on your computer.

Some common sense advice.


Card fraud and online banking fraud down, but cheque and phone banking fraud up

New figures released on the 5th October 2011 show that fraud losses on UK cards decreased in the first half of 2011 compared with the same time last year, as did fraud on online bank accounts. However, cheque fraud and fraud on phone banking accounts increased over the same period.

Total fraud losses on UK cards fell to £169.8 million

Between January and June 2011 this was a 9 per cent reduction compared with losses in the first half of 2010. This half-year total is the lowest for eleven years and also the third consecutive decrease. The sustained fall is due to the success of a number of industry initiatives such as the increasing use of fraud detection software, the roll-out of updated chip cards and the increasing roll-out of chip and PIN technology abroad. Lost and stolen card fraud losses rose slightly, increasing by £4.4 million. Initiatives such as chip and PIN have made it harder to commit ‘high-tech’ frauds, and criminals are instead reverting to more basic frauds centred around stealing people’s cards and PINs. These scams range from distracting people in shops or at cash machines and then stealing their cards without them noticing, to simply tricking them into handing over their cards and PINs on their own doorstep.

Online banking fraud losses totalled £16.9 million

During January to June 2011 this was a 32 per cent fall on the 2010 half-year figure. A variety of factors have contributed to the decrease in online banking fraud, including increased customer awareness of computer security combined with banks’ use of fraud detection software.

Phone banking fraud losses rose to £8.6 million

This was a 48 per cent increase during January to June 2011. As with card fraud, criminals are focusing on the straightforward crime of duping a customer into believing they are dealing with a bank or police representative and getting them to disclose their financial security details, such as PINs, passwords and login details, which the criminal then uses to access the customer’s bank account over the phone.

Cheque fraud losses increased

Cheque fraud losses increased from £14.0 million in the first half of 2010 to £16.4 million during the same period in 2011. Although this is a 17 per cent increase, the overwhelming majority of this type of fraud is stopped before the cheque is paid. In fact, more than £254 million of attempted cheque fraud was spotted and stopped during the clearing process in the first half of this year.

DCI Paul Barnard, Head of the Dedicated Cheque and Plastic Crime Unit (DCPCU), the special police squad which is sponsored by the banking industry and has an ongoing brief to help stamp out organised payment fraud across the UK, said:

“Losses are appreciably lower than they were a few years ago and everyone involved in tackling fraud has reason to be encouraged by this and that includes bank customers who, as their own front-line of defence, have certainly played their part too.

“However, there has been an increase in old-fashioned scams, with criminals using distraction techniques and social engineering methods to get hold of people’s cards or phone banking details. We are urging everyone to be on their guard. Your bank or the police will never cold call you or email you and ask you for your login details, cards or PINs. If anyone does, they are probably a criminal, so hang up the phone or delete the email.”

Card fraud type (on UK issued credit and debit cards)      Jan-June 2007  Jan-June 2008  Jan-June 2009  Jan-June 2010  Jan-June 2011  +/- 10/11
Phone, internet and mail order fraud (card-not-present)    £137.0m        £163.9m        £134.0m        £118.2m        £109.2m        -8%
Counterfeit (skimmed/cloned) fraud                         £72.3m         £88.8m         £46.3m         £28.2m         £18.0m         -36%
Fraud on lost or stolen cards                              £30.7m         £26.8m         £25.1m         £21.3m         £25.7m         +20%
Card ID theft                                              £18.7m         £19.5m         £23.9m         £15.0m         £11.5m         -23%
Mail non-receipt                                           £4.9m          £5.3m          £3.5m          £3.8m          £5.4m          +42%
TOTAL                                                      £263.6m        £304.2m        £232.8m        £186.8m        £169.8m        -9%

The release attributes some of the success to fraud detection solutions and chip and PIN, but let’s not underestimate the impact of the improved focus on IT security which is being enforced by compliance and regulatory requirements like PCI DSS and the Data Protection Act.


Education, education, when will people learn, encrypt your data as two more education establishments lose data

The Information Commissioner has announced today two actions against education establishments that have lost data by failing to adequately protect their laptops.

Having a policy that leaves the decision on what information needs to be encrypted to the user is always likely to lead to trouble.

Encrypt everything and then the user cannot be blamed for the loss of data, especially as a result of a theft.

The details of the two instances are below.

The Association of School and College Leaders (ASCL) breached the Data Protection Act in May 2011 when a laptop – containing sensitive personal data – was stolen from an employee’s home in Yorkshire. The ICO’s enquiries found that, while the laptop had encryption software installed on it, the decision on whether to encrypt individual documents was left to the employee. At the time of the theft the laptop included unencrypted personal information relating to approximately 100 individuals, including details of their membership of the union and in some cases, details of their physical or mental health.

Holly Park School in Barnet breached the Act when an unencrypted laptop was stolen from an unlocked office at the school on 1 May. The device contained details of pupils’ names, addresses, exam marks and some limited information relating to their health. After investigating the breach the ICO also discovered that the school had no data protection policy in place at the time of the theft.

Acting Head of Enforcement, Sally Anne Poole said:

“The ICO’s guidance is clear: all personal information – the loss of which is liable to cause individuals damage and distress – must be encrypted. This is one of the most basic security measures and is not expensive to put in place – yet we continue to see incidents being reported to us. This type of breach is inexcusable and is putting people’s personal information at risk unnecessarily.

“We are pleased that the Association of School and College Leaders and Holly Park School have taken action to make sure the personal information they collect remains secure.”

Both organisations have now taken action to make sure the personal information they handle is protected. This includes ensuring that portable devices used to store personal data – including laptops – are appropriately encrypted. Both organisations will also introduce adequate checks to make sure their employees are following policies and procedures governing the secure use of personal information.


Hospital destroys 10,000 archived records – Information Commissioner not impressed


Dartford and Gravesham NHS Trust breached the Data Protection Act by accidentally destroying 10,000 archived records, the Information Commissioner’s Office (ICO) said today.

The records – which should have been kept in a dedicated storage area – were put in a disposal room due to lack of space. The records were then mistakenly removed from the room and destroyed between the 28 and 31 December 2010. The hospital failed to realise that the information was missing for three months.

The Trust has been unable to establish how many of the records would have contained personal information – the majority of which would have been several years old. Some records included the names and addresses of former patients and some staff, and a limited amount of medical information relating to the patients’ previous treatment. The Trust has confirmed that the loss of these records does not pose a clinical risk to data subjects affected by this incident.

The ICO has today ordered the Trust to take action to ensure its staff are made aware of data protection policies and procedures and that they receive suitable training on how to follow them. The Trust will also regularly monitor its staff to make sure policies are being correctly followed.

Acting Head of Enforcement, Sally Anne Poole, said:

“Although the majority of information lost was several years old and only being kept for archiving purposes, there is no excuse for failing to keep it secure. The hospital should have ensured that the records were kept in a safe area – and, had they had adequate audit trails in place, they would have been able to keep track of where this information was at all times.”

Jonathan Bamford, the ICO’s Head of Strategic Liaison, is today delivering a keynote speech at the Healthcare, Technology and Innovation exhibition in London. He will stress that the health sector needs to do more to protect sensitive patient data, making sure healthcare workers implement vital safeguards in practice. The ICO has an exhibition stand at the conference and staff will be on hand to offer delegates support and advice on information rights issues.

A further undertaking has also been signed by Poole NHS Trust after two diaries – containing information relating to the care of 240 midwifery patients – were stolen from a nurse’s car. The diaries included patients’ names, addresses and details of previous visits and were used by the nurse during out of hours duty.

