Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Data Protection Act

500 European Business Leaders attend the PCI Security Standards Council Community Meeting

This week business leaders and security professionals gathered in Nice, France to discuss payment based security and especially PCI DSS and P2Pe. 

Jeremy King PCI Security Standards Council International Director said, The new European Commission Payment Services Directive 2 along with the European Banking Authority Guidelines for Securing Internet Payments have clear and detailed requirements for organisations in protecting cardholder data. Add to that the soon to be released General Data Protection Regulation which covers all data security, and you have a massive increase in data security, which when implemented will impact all organisations in Europe and beyond, 

These regulations will force organisations to take security seriously, and PCI provides the most complete set of data security standards available globally. Establishing good data security takes time and effort. Organisations need to know these regulations are coming and put a plan in place now for ongoing security

With 70% of all card fraud coming from Card-Not-Present (CNP), a figure that surpasses the previous 2008 record which was set during the EMV chip migration, it is a critical time for the industry. 

A significant amount of the conference was spent on new and developing technologies including::

  • Cloud – Daniel Fritsche of Coalfire presented on Virtualisation and the Cloud
  • Mobile – several presentations including the Smart Payments Association
  • Point to Point Encryption (P2PE) – Andrew Barratt of Coalfire delivered a panel discussion
  • Tokenisation – A presentation by Lufthansa Systems 

Jeremy King added. PCI is committed to helping organisations globally improve their data security. Our range of standards, and especially our supporting documents, are designed to help all companies improve and protect their data security. The annual Community Meeting is a big part of our efforts to engage with companies from all sectors, sharing and exchanging information to ensure they have the very best level of security 

We must work together to tackle card-not-present fraud with technologies such as point-to-point encryption and tokenisation that devalue data and make it useless if stolen by criminals.

Attendees included experts from Accor Hotels, , British Telecommunications, Capita, Coalfire Systems Limited, Accor Hotels, Lufthansa, Virgin Trains, Vodat International and hundreds of others.

ICO response to ECJ ruling on personal data to US Safe Harbor

The ICO has issued a statement in response to the European Court of Justice ruling about the legal basis for the transfer of personal data to businesses that are members of the US Safe Harbor

Deputy Commissioner David Smith said:

“Today’s ruling is clearly significant and it is important that regulators and legislators provide a considered and clear response. This ruling is about the legal basis for the transfer of personal data to businesses that are members of the US Safe Harbor. It does not mean that there is an increase in the threat to people’s personal data, but it does make clear the important obligation on organisations to protect people’s data when it leaves the UK.

“The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take them some time for them to do this.

“It is important to bear in mind that the Safe Harbor is not the only basis on which transfers of personal data to the US can be made. Many transfers already take place based on different provisions. The ICO has previously published guidance on the full range of options available to businesses to ensure that they are complying with the law related to international transfers. We will now be considering the judgment in detail, working with our counterpart data protection authorities in the other EU member states and issuing further guidance for businesses on the options open to them. Businesses should check the ICO website for details over the coming weeks.

“Concerns about the Safe Harbor are not new. That is why negotiations have been taking place for some time between the European Commission and US authorities with a view to introducing a new, more privacy protective arrangement to replace the existing Safe Harbor agreement. We understand that these negotiations are well advanced.”

Cost of Phishing and Value of Employee Training

The Ponemon Institute has presented the results of it’s study the Cost of Phishing and Value of Employee Training sponsored by Wombat Security. The purpose of this research is to understand how training can reduce the financial consequences of phishing in the workplace.

Phishing

The research reveals the majority of costs caused by successful phishing attacks are the result of the loss of employee productivity. Based on the analysis described later in this report, Ponemon extrapolate an average improvement of 64% from six proof of concept training projects. This improvement represents the change in employees who fell prey to phishing scams in the workplace before and after training.

As a result of effective training provided by Wombat, Ponemon estimate a cost savings of $1.8 million or $188.4 per employee/user. If companies paid Wombat’s standard fee of $3.69 per user for a program for up to 10,000 users, Ponemon determine a very substantial net benefit of $184.7 per user, for a remarkable one-year rate of return at 50X.

To determine the cost structure of phishing, Ponemon  surveyed 377 IT and IT security practitioners in organizations in the United States. 39% of respondents are from organizations with 1,000 or more employees who have access to corporate email systems.

The topics covered in this research include the following:

  • The financial consequences of phishing scams
  • The financial impact of phishing on employee productivity
  • The cost to contain malware
  • The cost of malware not contained & the likelihood it will cause a material data breach
  • The cost of business disruption due to phishing
  • The cost to contain credential compromises
  • Potential cost savings from employee training

Phishing scams are costly. Often overlooked is the potential cost to organizations when employees are victimized by phishing scams. Ponemon’s cost analysis includes the cost to contain malware, the cost not contained, loss of productivity, the cost to contain credential compromises and the cost of credential compromises not contained. Based on these costs, the extrapolated total annual cost of phishing for the average-sized organization in Ponemon’s sample totals $3.77 million.

Summarized calculus on the cost of phishing. Estimated cost.
Part 1. The cost to contain malware $208,174
Part 2. The cost of malware not contained $338,098
Part 3. Productivity losses from phishing $1,819,923
Part 4. The cost to contain credential compromises $381,920
Part 5. The cost of credential compromises not contained $1,020,705
Total extrapolated cost $3,768,820

The average total cost to contain malware annually is $1.9 million. The first step in understanding the overall cost is to analyze the six tasks to contain malware infections. Drawing from the empirical findings of an earlier study, Ponemon  were able to derive cost estimates relating to six discrete tasks conducted by companies to contain malware infections in networks, enterprise systems and endpoints. The table below summarizes the annual hours incurred for six tasks by the average-sized organization on an annual basis. The largest tasks incurred to contain malware involve the cleaning and fixing of infected systems and conducting forensic investigations.

Documentation and planning represents the smallest tasks in terms of hours spent each year.

Six tasks to contain malware infections. Estimated hours per annum.

Planning 910
Capturing intelligence 3,806
Evaluating intelligence 2,844
Investigating 10,338
Cleaning & fixing 11,955
Documenting 671
Total hours 30,524

The annual cost to contain malware is based on the hours to resolve the incident. These cost estimates are based on a fully loaded average hourly labor rate for US-based IT security practitioners of $62. As can be seen, the extrapolated total cost to contain malware is $1.89 million.

The adjusted cost of malware containment resulting from phishing scams is $208,174 per annum. The final step in determining the cost of malware containment attributable to phishing is to calculate the percentage of malware incidents unleashed by successful phishing scams.

Response to the survey question, “What percent of all malware infections is caused by successful phishing scams?” The percentage rate of malware infections caused by phishing scams was based on Ponemon’s  independent survey of IT security practitioners. As can be seen, the estimated range is less than 1% to more than 50%. The extrapolated average rate is 11%.

Drawing from the above analysis, Ponemon estimate the cost of malware containment as 11% of the previously calculated total cost of $1.9 million.

Cost of malware not contained

In this section, Ponemon estimate the cost of malware not contained at the device level to be $105.9 million. In other words, this cost occurs because malware evaded traditional defenses such as firewalls, anti-malware software and intrusion prevention systems. In this state Ponemon  assume the malware becomes weaponized for attack.

Following are two attacks caused by weaponized malware:

  1. Data exfiltration (a.k.a. material data breach)
  2. Business disruptions

Ponemon determine a most likely cost using an expected cost framework, which is defined as:

Expected cost = Probable maximum loss (PML) x Likelihood of occurrence [over a 12-month period].

Respondents in Ponemon’s  survey were asked to estimate the probable maximum loss (PML) resulting from a material data breach (i.e., exfiltration) caused by weaponized malware. Ponemon’s research shows the distribution of maximum losses ranging from less than $10 million to more than $500 million.

The extrapolated average PML resulting from data exfiltration is $105.9 million.

What is the likelihood of weaponized malware causing a material data breach? In the context of this research, a material data breach involves the loss or theft of more than 1,000 records. Respondents were asked to estimate the likelihood of this occurring. According to the research the probability distribution ranges from less than .1% to more than 5%. The extrapolated average likelihood of occurrence is 1.9 percent over a 12-month period.

The cost of business disruption due to phishing is $66.9 million. Respondents were asked to estimate the PML resulting from business disruptions caused by weaponized malware. Business disruptions include denial of services, damage to IT infrastructure and revenue losses. The research shows the distribution of maximum losses ranging from less than $10 million to $500 million. The extrapolated average PML resulting from data exfiltration is $66.9 million.

How likely are business disruptions due to weaponized malware? Respondents were asked to estimate the likelihood of material business disruptions caused by weaponized malware. The research shows the probability distribution ranging from less than .1% to more than 5%. The extrapolated average likelihood of occurrence is 1.6% over a 12-month period.

The table below shows the expected cost of malware attacks relating to data exfiltration ($2 million) and disruptions to IT and business processes ($1.1 million). The total amount of $3.1 million is adjusted for the 11% of malware attacks originating from phishing scams, which yields an estimated cost of $338,098 per annum.

Recap for the cost of malware not contained Calculus
Probable maximum loss resulting from data exfiltration $105,900,000
Likelihood of occurrence over the next 12 months 1.90%
Expected value $2,012,100
Probable maximum loss resulting from business disruptions (including denial of services, damage to IT infrastructure and revenue losses) $66,345,000
Likelihood of occurrence over the next 12 months 1.60%
Expected value $1,061,520
Total cost of malware not contained $3,073,620
Percentage rate of malware infections caused by phishing scams 11%
Adjusted total cost attributable to phishing scams $338,098

Employees waste an average of 4.16 hours annually due to phishing scams. As previously discussed, the majority of costs (52%) are due to the decline in employee productivity as a result of being phished. In this section, Ponemon estimate the productivity losses associated with phishing scams experienced by employees during the workday. Drawing upon Ponemon’s  survey research, Ponemon  extrapolated the total hours spent each year by employees/users viewing and possibly responding to phishing emails.

The research shows the distribution of time wasted for the average employee (office worker) due to phishing scams. The range of response is less than 1 hour to more than 25 hours per employee each year.

What is the cost to respond to a credential compromise? In this section, Ponemon estimate the costs incurred by organizations to contain credential compromises that originated from a successful phishing attack, including the theft of cryptographic keys and certificates. Ponemon’s  first step in this analysis is to estimate the total number of compromises expected to occur over the next 12 months. The range of responses includes zero to more than 10 incidents.

How likely will a material data breach occur if the credential compromise is not contained? Respondents were asked to estimate the likelihood of a material data breach caused by credential compromise. Ponemon’s research shows the probability distribution ranging from less than .1% to 5%. The extrapolated average likelihood of occurrence is 4% over a 12-month period.

In this section, Ponemon estimates the potential cost savings that result from employee education that provides actionable advice and raises awareness about phishing and other related topics. As a starting point to this analysis, Ponemon obtained six proof of concept studies completed for six large companies.

These reports provided detailed findings that show the phishing email click rate for employees both before and after training. Ponemon provides the actual improvements experienced by companies, ranging from 26 to 99%, respectively. The average improvement for all six companies is 64%.

As a result of Wombat’s training on phishing that includes mock attacks and follow-up with indepth training, Ponemon estimate a high knowledge retention rate. Based on well-known research, training that focuses on actual practices should result in an average retention rate of approximately 75%. Applying this retention rate against the average improvement shown in the six proof of concept studies, Ponemon  estimate a net long-term improvement in fighting phishing scams of 47.75%.

Proof of concept results Improvement %
Company A 99%
Company B 72%
Company C 54%
Company D 26%
Company E 62%
Company F 69%
Average improvement 64%
Expected diminished learning retention over time (1-75%) 25%
Average net improvement 47.75%

The figures below provides a simple analysis of potential cost savings accruing to organizations that use an effective training approach to mitigating phishing scams. As shown before, Ponemon estimate a total cost of phishing for an average-sized organization at $3.77 million.

Assuming a net improvement of 47.75%, Ponemon estimate a cost savings of $1.80 million or $188.40 per employee/user. At a fee of $3.69 per employee/user, Ponemon determine a very substantial net benefit of $184.71 per user, or a one-year rate of return of 50X.

Calculating net benefit of Wombat training on phishing Calculus
Total cost of phishing $3,768,820
Estimated cost savings assuming net improvement at 47.75% $1,799,612
Extrapolated headcount for the average-sized organization 9,552
Estimated cost savings per employee $188.40
Estimated fee of Wombat training per user $3.69
Estimated net benefit of Wombat training per user $184.71
Estimated one-year rate of return = Net benefit ÷ Fee 50X

Personal data in leaked datasets is still personal data – ICO

By Simon Rice, Group Manager for Technology at the Information Commissioners Office (ICO).

Personal data in leaked datasets is still personal dataThey say ‘no publicity is bad publicity’, but after spending most of the week trending on Twitter, I wonder if the users of the Ashley Madison site might disagree.

Having already prompted a flurry of news stories when the online attack of the Ashley Madison servers was first revealed, this week we’ve seen another wave of coverage as the personal data was published online.

Wherever your sympathies might lie in relation to the people identified in the published data set, the fact remains that such details are personal information, with certain protections in law.

Like many online attacks, the data protection response is international. In this case, we’re liaising with our counterparts in Canada, where the company is based.

But with cases like this, there is still a domestic aspect to consider.

Anyone in the UK who might download, collect or otherwise process the leaked data needs to be aware they could be taking on data protection responsibilities defined in the UK’s Data Protection Act.

Similarly, seeking to identify an individual from a leaked dataset will be an intrusion into their private life and could also lead to a breach of the DPA.

Individuals will have a range of personal reasons for having created an account with particular online services (or even had an account created without their knowledge) and any publication of further personal data without their consent can cause them significant damage or distress.

It’s worth noting too that any individual or organisation seeking to rely on the journalism exemption should be reminded that this is not a blanket exemption to the DPA and be encouraged to read our detailed guide on how the DPA applies to journalism.

This is not the first time an online service has suffered such an attack and unfortunately it’s unlikely to be the last. But it’s important people don’t assume that the law and the protections it affords to UK individuals don’t apply online.

Have your details been published in a dataset?

If you find your personal data being published online then you have a right to go to that publisher and request that the information is removed. This applies equally to information being shared on social media. If the publisher is based in the UK and fails to remove your information you can complain to the ICO.

ICO, Michael McIntyre and the Data Protection Act

ICO response to police force tweeting Michael McIntyre’s picture:

Police forces like all other organisations must comply with the Data Protection Act. The police especially must ensure that they have legitimate grounds for processing personal data and disclosing images of this nature without a justifiable policing purpose could potentially breach the Data Protection Act. We will follow this up with the Force concerned

I have often wondered about the sharing of images and how in certain circumstances it could lead to the wrong person or a known person being identified e.g. a photo-fit image created by a Police Artist often looks like everyone’s next door neighbour.

Equally if a person in the public spot light cannot have their image shared by a public body then how can a media outlet, who is also governed by the Data Protection Act, show images that people do not want sharing.

It will be interesting to see what the outcome will be and if Michael McIntyre complains.

ICO publishes it’s annual report

The Information Commissioner has released its annual report.

Christopher Graham points to the strengthening of his regulatory powers to show how the legislation continues to develop. In the past year, the ICO was given powers to compulsorily audit NHS bodies for their data handling, while forcing a potential employee to make a subject access request for, for example, their spent criminal record was also made an offence. A law change also made it easier to issue fines to companies behind nuisance calls and texts.

Information Commissioner Christopher Graham said:
“It’s thirty years since this office was established in Wilmslow. We’ve seen real developments in the laws we regulate during that time, particularly over the past year. Just look at the EU Court of Justice ruling on Google search results, a case that could never have been envisaged when the data protection law was established.

“Our role throughout has been to be the responsible regulator of these laws. More than that, we work to demystify some of this legislation, making clear that data protection isn’t to be seen as a hassle or a duck-out, but a fundamental right.

“A good example of that is our role in the new data protection package being developed in Brussels. We’ve been asked for our advice, based on our experience regulating the existing law, while we’ve also provided a sensible commentary on proceedings for interested observers.

“That role will continue this year, in what promises to be a crucial twelve months. The reform is overdue, but it is vital that we get the detail right on a piece of legislation that needs to work in practice and to last.”

“It is striking to see how decisions that were so hard fought in the early years have resulted in routine publication of information. Publication of safety standards of different models of cars, for example; or hygiene standards in pubs and restaurants; and surgical performance records of hospital consultants. Publication is now expected and unexceptionable.

“It’s been the ICO’s job to help public authorities to comply with requests,” Mr Graham will say. “The ICO’s role has led to information being released that time and time again has delivered real benefits for the UK.”

“Our Annual Report is our claim to be listened to in the debates around information rights. It shows the ICO knows what it is talking about.”

The ICO annual report reflects on the financial year 2014/15. Key stats include:

  • 14,268 – data protection concerns received
  • £1,078,500 – total CMPs issued, £386,000 of which were for companies behind nuisance calls or texts
  • 195,431 – helpline calls answered
  • 11.4% – rise in number of concerns raised about nuisance calls and texts (to 180,188)
  • 41 – audits conducted of data controllers (as well as 58 advisory visits to SMEs)
  • 1,177 – Information requests responded to
  • 4.9 million – number of visits to our website

The full report can be found here.

.

Most Healthcare Organisations Have Experienced A Data Breach

The Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data reveals that the majority of healthcare organizations represented in this study have experienced multiple security incidents and nearly all have faced a data breach. Despite the universal risk for data breach, the study found that many organizations lack the funds and resources to protect patient data and are unprepared to meet the changing cyber threat environment.

The 2015 study was expanded beyond healthcare organizations to include Business Associates.

Represented in this study are 90 covered entities (hereafter referred to as healthcare organizations) and 88 business associates (hereafter may be referred to as either business associates or BAs). A BA is a person or entity that performs services for a covered entity that involves the use or disclosure of protected health information (PHI), according to the U.S.

Department of Health & Human Services. The inclusion of BAs provides a broader perspective of the healthcare industry as a whole and demonstrates the impact third parties have on the privacy and security of patient data. Respondents were surveyed about their privacy and security practices and experiences with data breaches, as well as their experiences with both electronic and paper security incidents.

Data breaches in healthcare continue to put patient data at risk and are costly. Based on the results of this study, they estimate that data breaches could be costing the industry $6 billion.

  • 90% of healthcare organizations represented in this study had a data breach
  • 40% had more than five data breaches over the past two years

According to the findings of this research, the average cost of a data breach for healthcare organizations is estimated to be more than $2.1 million. No healthcare organization, regardless of size, is immune from data breach. The average cost of a data breach to BAs represented in this research is more than $1 million. Despite this, half of all organizations have little or no confidence in their ability to detect all patient data loss or theft.

For the first time, criminal attacks are the number one cause of data breaches in healthcare. Criminal attacks on healthcare organizations are up 125% compared to five years ago. In fact, 45% of healthcare organizations say the root cause of the data breach was a criminal attack and 12 % say it was due to a malicious insider. In the case of BAs, 39% say a criminal attacker caused the breach and 10% say it was due to a malicious insider.

The percentage of criminal-based security incidents is even higher; for instance, web-borne malware attacks caused security incidents for 78% of healthcare organizations and 82% for BAs. Despite the changing threat environment, however, organizations are not changing their behaviour, only 40% of healthcare organizations and 35% of BAs are concerned about cyber attackers.

Security incidents are part of everyday business. 65% of healthcare organizations and 87% of BAs report their organizations experienced electronic information-based security incidents over the past two years.

  • 54% of healthcare organizations suffered paper-based security incidents
  • 41% of BAs had such an incident

However, many organizations do not have the budget and resources to protect both electronic and paper-based patient information. For instance, 56 % of healthcare organizations and 59% of BAs don’t believe their incident response process has adequate funding and resources. In addition, the majority of both types of organizations fail to perform a risk assessment for security incidents, despite the federal mandate to do so.

Even though medical identity theft nearly doubled in five years, from 1.4 million adult victims to over 2.3 million in 2014, the harms to individuals affected by a breach are not being addressed. Many medical identity theft victims report they have spent an average of $13,500 to restore their credit, reimburse their healthcare provider for fraudulent claims and correct inaccuracies in their health records.

Nearly two-thirds of both healthcare organizations and BAs do not offer any protection services for patients whose information has been breached.

Since 2010, this study has tracked privacy and security trends of patient data at healthcare organizations. Although the annual economic impact of a data breach has remained consistent over the past five years, the most-often reported root cause of a data breach is shifting from lost or stolen computing devices to criminal attacks. At the same time, employee negligence remains a top concern when it comes to exposing patient data. Even though organizations are slowly increasing their budgets and resources to protect healthcare data, they continue to believe not enough investment is being made to meet the changing threat landscape.

Key Findings

In this section, they provide a deeper analysis of the findings. They have organized this report according to the two following topics:

  • Privacy and security of patient data in healthcare organizations and business associates
  • Five-year trends in privacy and security practices in healthcare organizations

To respond quickly to data breaches, organizations need to invest more in technologies.

  • 58 % of healthcare organizations agree that policies and procedures are in place to effectively prevent or quickly detect unauthorized patient data access, loss or theft.
  • 49% agree they have sufficient technologies
  • 33% agree they have sufficient resources to prevent or quickly detect a data breach.
  • 53% of organizations have personnel with the necessary technical expertise to be able to identify and resolve data breaches involving the unauthorized access, loss or theft of patient data.

Background

  • Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
  • A security incident is defined as a violation of an organization’s security or privacy policies involving protected information such as social security numbers or confidential medical information. A data breach is an incident that meets specific legal definitions per applicable breach law(s). Data breaches require notification to the victims and may result in regulatory investigation, corrective actions, and fines.
  • This is based on multiplying $1,067,400 (50% of the average two year cost of a data breach experienced by the 90 healthcare organizations in this research) x 5,686 (the total number of registered US hospitals per the AHA).

Two thirds of British workers willing to breach data protection rules

Despite the risk to their employer of criminal proceedings and heavy fines, two thirds (66%) of UK workers would not report a serious data protection breach if they thought it would get one of their  colleagues into trouble, according to recent research.

The study by telecoms and IT firm Daisy Group, which looked at data security risks, found that 13% UK workers had disabled the password protection features on work laptops, mobiles, or tablet devices because they found them annoying. Of those who did have password protection, 36% said they didn’t change their passwords regularly, and 17% admitted their password was very simple and would be easy to guess.

Data security breaches 

However, if asked by a third party to email a client or supplier’s personal details outside of the company,  56% said they wouldn’t and 19% said they would check with their boss before doing so. Although 7% said that they would send the details without querying the request, as they didn’t think anyone would mind.

When asked if data security was an important issue for the company they worked for, 19% said they had no idea.

Cloud specialist, Graham Harris, explained: When it comes to data security, all too often businesses focus purely on IT processes and forget about the staff that will be using them.

As our research identified, human error is one of, if not the most likely source for data security issues, and fear of reprisal is a powerful force. Businesses must be proactive and educate their staff about what data security processes and policies there are, why they exist, what the staff member’s responsibilities are and reassure them about what to do in the event of a problem

confidential

Estate agents and those working in the property industry were among the most likely to turn a blind eye to colleagues’ data security failings, with 71% saying they wouldn’t report a data security breach that would get a colleague into trouble. Those working in marketing were the most likely to raise the alarm.

Despite the potential risk of commercially-sensitive data theft, business management and professional services workers were the most likely to disable data security features on their mobile devices.

Mobile Device Management 

The research was conducted to assess the demand among UK businesses for ‘mobile device management’. The new cloud-based technology gives organisations more control over smartphones and tablet computers by letting them remotely track and wipe the content of any lost or stolen devices, thereby ensuring the information remains confidential.

According to one statistic, 180,000 computing and communication devices were lost or stolen in the UK last year, but it is likely that the true figure is much higher as not all thefts are reported to the police.

Graham Harris explained: “It is important to ‘common sense’ test any security system. Procedures that are complicated or disrupt the working environment often result in employees finding ways to circumnavigate them or taking matters in their own hands. Similarly, it is important to plan for human error and problems, such as theft or loss of devices that carry important data, so that when they do occur, they can be dealt with quickly and effectively.”

The EU is currently in the process of reforming laws on Data Protection which, among other things, will require organisations to report data protection breaches to the relevant authorities within 24 hours. It is anticipated that the penalties for failure to comply will increase to as much as €100m. The legislation changes are expected to be in force by the end of 2018.

Most consumers do not trust anyone to protect their personal information

Fortinet surveys reveal growing cyber threat concerns as more consumers fear data breaches, while CISOs lack confidence in their ability to stop them.

Despite their concerns, third-party studies reveal consumer behaviours may present greater challenges for organizations that don’t have the right security protections in place.

Two industry surveys commissioned by Fortinet reveals

  • 71% of consumers across the U.S. are more nervous about their personal information being stolen through a data breach than they were just a year ago
  • 28% of IT security professionals are confident they have done enough to prevent a security incident

Despite this shift in consumer sentiment, the research revealed consumers are not taking necessary precautions to protect their personal information. When asked what measures they are implementing to better safeguard their information online:-

  • 76% of respondents said they had merely implemented stronger passwords – a step that is typically required when setting up an online account
  • 20% said they aren’t doing anything at all

It is no question the cyber threat environment remains dynamic and dangerous, and is gaining in severity. According to a recent report released by the Identity Theft Resource Center (IRK), companies in the U.S. experienced a record-breaking 783 data breaches in 2014.

Already in 2015 this trend has continued with the Anthem Health security breach – the largest in history, affecting more than 80 million of its customers, as well as Sony, TV Monde and others. Many of these attacks were initiated by sophisticated hackers looking for ways to circumvent perimeter defences through compromised devices, while others originated from within the network through unsuspecting employees or partners who, without malicious intent, let cyber criminals in.

The amount of entry points cyber criminals can use to infiltrate corporate networks and steal precious information is growing rapidly, as the number of devices connected to the network increase,” said Andrew Del Matte, chief financial officer at Fortinet. “If consumers aren’t taking precautions to protect their devices and proprietary data in their personal lives, it is unlikely they are doing so at work, increasing the possibility of a breach. It is more critical now than ever before for businesses to help safeguard the consumer and customer data for which they are responsible. They must take a multi-layered approach to security to protect against both malicious and non-malicious threats, from both inside and outside of the network

On a scale of 1 to 5 with 1 being “completely trust” and 5 being “don’t trust at all,” consumers were asked how much they trust various business providers and other institutions to protect their information. The survey found:

  • 31% of consumers completely trust their doctors
  • 18% completely trust their health insurance providers
  • 27% completely trust their personal banks
  • 14% completely trust their credit card companies
  • 19% completely trust their employers
  • 4% completely trust retailers

Are Organizations Doing Enough?

In a survey of 250 IT professionals with authority over the security decisions for their organizations,

  • 57% indicated they are most concerned about protecting customer data from cyber criminals.
  • 28% of those surveyed, are completely confident their organizations have done everything possible to prevent a security incident
  • 26% said they were only half-confident that they have taken the necessary measures to protect their organization from potential risk

Consumers are more concerned than ever about their personal information being compromised through a data breach, with good reason,” said Derek Manky, senior security strategist at Fortinet’s FortiGuard Labs. “The evolving threat landscape puts everyone at greater risk, particularly organizations that aren’t taking the time to rethink their approach to security. An old school approach won’t do. Businesses should seek out a best-of-breed security partner with scale, third-party validated solutions and access to the most up-to-date threat intelligence, to safeguard their networks from threats, no matter the type or where it is initiated, today and in the future

A review of websites and apps targeted at children is underway

The UK Information Commissioners Office (ICO), the enforcer of the Data Protection Act, has begun a review of websites and apps used by children as part of an international project to consider privacy concerns around the type of personal information services collect.

The ICO will look at 50 websites and apps, looking particularly at

  • what information they collect from children
  • how that is explained
  • what parental permission is sought

The websites and apps will include those specifically targeted at children, as well as those frequently used by children.

The same approach will be taken by 28 other privacy enforcement authorities from around the world, with a view to publishing a combined report in the autumn. The ICO will also consider action against any website or app that it finds to be breaking the Data Protection Act.

Steve Eckersley, ICO Head of Enforcement, said:

Anyone with children knows how many websites and apps are now targeted at them, and how popular they are with children. That’s true from Canada to Columbia, and the same concerns exist around what information the companies behind these services are gathering.

In the UK, we’re clear that apps and websites should not gather more personal data than they require, and operators should be upfront about how and why they collect information and how they use it. . These principles are true whatever the audience, but they are especially true where children are concerned. This research should give us a valuable insight into whether companies in the UK are operating compliantly, as well as how that fits with what is happening around the world

The work is coordinated by the Global Privacy Enforcement Network, and follows previous reports on website privacy policies, and how apps collect personal data. This year’s focus was chosen after privacy enforcement authorities identified a growing number of websites and mobile apps targeted at, or popular among, children.

Information Commissioner launches Corporate Plan setting out priorities for 2015-18

The Information Commissioner, Christopher Graham, says companies must do more to inform consumers about the way their information is being shared.

The Commissioner’s comments come as new figures show that 85% of people are concerned about how their personal information is passed or sold to other organisations.

The survey also shows 77% of people are concerned about organisations not keeping their personal details secure.

The UK Information Commissioner Christopher Graham said:

Providing people with enough information to understand how their details will be used is a basic principle of data protection. While the vast majority of companies are meeting the letter of the law, figures released today show that most people remain concerned about how their information is being shared. This situation is not good for consumers, or for businesses.

We are set for a new data protection framework in the next three years, but there are still basic things that organisations can be doing today, not only to comply with the current legislation, but also to prepare for the future regulatory landscape.

Businesses should take the results of our survey as a prompt to address consumers’ concerns and provide clearer information to explain when people’s details will be shared and with whom. Getting these basics right today will not only improve consumer trust but also help a business along the road to future compliance

Mr Graham’s comments come as the Information Commissioner’s Office (ICO) published its corporate plan. The plan sets out the ICO’s priorities for 2015-18.

These priorities include:

  • preparing for a period of substantial change with the implementation of a new EU data protection framework and the outcome of the Ministry of Justice’s Triennial Review;
  • developing and promoting an ICO privacy seal scheme as a means of demonstrating a commitment to good data protection practices; and
  • engaging with transparency and Open Data initiatives to ensure a balanced information rights perspective.

The ICO’s Annual Track survey was undertaken by ComRes on behalf of the ICO. The survey involved carrying out online interviews with1,575 individuals for their views on data protection matters.

The survey also involved asking 1,422 people for their thoughts on freedom of information issues. The key findings from this section of the survey were:

  • 75% of respondents think it’s important that private companies acting on behalf of public authorities should be subject to the Freedom of Information Act.
  • 79% of people think it’s important that the regulator is independent of government.

The ICO has to find the right balance of the public interest – between openness to the outside and necessary frankness inside organisations. These decisions are not straightforward and are sometimes controversial, but as guardians of the public interest we are properly accountable to Parliament and the courts

Who breached the Data Protection Act in 2014? Find the complete list here.

2014 was another busy year for the Information Commissioners Office with yet more breaches of the Data Protection Act.

There are normally three types of punishments administered by the ICO

  1. Monetary. The most serious of the actions and one normally reserved for organisational entities.
  2. Undertaking. Typically applied when an organisation has failed to adhere to good business practise and needs the helping guidance of the ICO
  3. Prosecutions. Normally reserved for individuals who have blatantly breached the Act.
  4. Enforcements. A requirement on an organisation or individual to desist from specific activities.

Below is a summary of the ICO’s activity in 2014 across all three “punishment” areas.

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors like the size, financial and other resources of an organisation’s data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are to HM Treasury.

  • 22 August 2014 a monetary penalty of £90,000 was issued to Kwik Fix Plumbers Ltd for continually making nuisance calls targeting vulnerable victims. In several cases, the calls resulted in elderly people being tricked into paying for boiler insurance they didn’t need.
  • 5 December 2014 a monetary penalty of £70,000 was issued to Manchester Ltd after sending unsolicited text messages and appeared on the recipients’ mobile phone to have been sent by “Mum”.
  • 05 November 2014 a monetary penalty of £7,500 was issued to Worldview Limited following a serious data breach where a vulnerability on the company’s site allowed attackers to access the full payment card details of 3,814 customers
  • 01 October 2014 a monetary penalty of £70,000 was issued to fine to EMC Advisory Services Limited for making hundreds of nuisance calls. The company was responsible for 630 complaints to the ICO and the TPS between 1 March 2013 and 28 February 2014. They failed to make sure that those registered with the TPS, or who’d previously asked not to be contacted, weren’t being called.
  • 26 August 2014 a monetary penalty of £180,000 to the Ministry of Justice over serious failings in the way prisons in England and Wales have been handling people’s information
  • 28 July 2014 a monetary penalty of £50,000 fine to Reactiv Media Limited after an investigation discovered they had made unsolicited calls to hundreds of people who had registered with the Telephone Preference Service (TPS).
  • 23 July 2014 a monetary penalty of £150,000 to Think W3 Limited after a serious breach of the Data Protection Act revealed thousands of people’s details to a malicious hacker.
  • 03 April 2014 a monetary penalty of £50,000 Amber UPVC Fabrications Ltd (T/A Amber Windows) after an investigation discovered they had made unsolicited marketing calls to people who had registered with the Telephone Preference Service (TPS).
  • 19 March 2014 a monetary penalty of £100,000 to Kent Police after highly sensitive and confidential information, including copies of police interview tapes, were left in a basement at the former site of a police station.
  • 07 March 2014 a monetary penalty of £200,000 to the British Pregnancy Advice Service. Hacker threatened to publish thousands of names of people who sought advice on abortion, pregnancy and contraception.
  • 11 January 2014 a monetary penalty of £185,000 to Department of Justice Northern Ireland after a filing cabinet containing details of a terrorist incident was sold at auction.

ICO statement on Monetary Penalties

Undertakings

Undertakings are formal agreements between an organisation and the ICO to undertake certain actions to avoid future breaches of the Data Protection Act, typically this involves, Encryption, Training and Management Procedures.

  • 19 December 2014 Treasury Solicitors Department. A follow up has been completed to provide an assurance that the Treasury Solicitors Department has appropriately addressed the actions agreed in its undertaking signed February 2014.
  • 19 December 2014 Wirral Metropolitan Borough Council. A follow up has been completed to provide an assurance that Wirral Metropolitan Borough Council has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 19 December 2014 Caerphilly County Borough Council. A council that ordered covert surveillance on a sick employee must review its approach after an Information Commissioner’s Office (ICO) investigation. The ICO found the Council breached the Data Protection Act when it ordered the surveillance of an employee suspected of fraudulently claiming to be sick.
  • 15 December 2014 St Helens Metropolitan Borough Council. A follow up has been completed to provide an assurance that St Helens Metropolitan Borough Council has appropriately addressed the actions agreed in its undertaking signed June 2014.
  • 01 December 2014 Dudley Metropolitan Borough Council. A follow up has been completed to provide an assurance that Dudley Metropolitan Borough Council has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 28 November 2014 Oxfordshire County Council. A follow up has been completed to provide an assurance that Oxfordshire County Council as appropriately addressed the actions agreed in its undertaking signed June 2014.
  • 28 November 2014 Aspers (Milton Keynes) Limited. A follow up has been completed to provide an assurance that Aspers (Milton Keynes) Limited has appropriately addressed the actions agreed in its undertaking signed June 2014.
  • 26 November 2014 Department of Justice Northern Ireland. A follow up has been completed to provide an assurance that the Department of Justice Northern Ireland has appropriately addressed the actions agreed in its undertaking signed May 2014.
  • 17 November 2014 London Borough of Barking and Dagenham. A follow up has been completed to provide an assurance that London borough of Barking and Dagenham has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 05 November 2014 Student Loans Company. A follow up has been completed to provide an assurance that Student Loans Company has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 05 November 2014 Royal Veterinary College. A follow up has been completed to provide an assurance that The Royal Veterinary College has appropriately addressed the actions agreed in its undertaking signed October 2013.
  • 24 October 2014 Gwynedd Council. An Undertaking to comply with the seventh data protection principle has been signed by Gwynedd Council following two breaches of the Data Protection Act.
  • 24 October 2014 Disclosure and Barring Service. An undertaking to comply with the first data protection principle has been signed by the Disclosure and Barring Service.
  • 08 October 2014 South Western Ambulance Service NHS Trust. An undertaking to comply with the first, third and seventh data protection principles has been signed by South Western Ambulance Service NHS Trust. This includes the completion of a Privacy Impact Assessment in respect of data sharing. This follows an investigation whereby patient data related to 45, 431 data subjects was shared with a Clinical Commissioning Group (‘CCG’) without a legal basis to do so. There were also security concerns surrounding the manner in which the data was stored on discs when being distributed to the CCG.
  • 08 October 2014 Weathersby Limited. An undertaking to comply with the seventh data protection principle has been signed by Weathersby Limited after the company failed to secure an internal server properly, resulting in personal data relating to clients being made available on the internet.
  • 07 October 2014 Basildon and Thurrock University Hospitals NHS Foundation Trust. An undertaking to comply with the seventh data protection principle has been signed by Basildon and Thurrock University Hospitals NHS Foundation Trust. This follows an investigation into two reported incidents involving disclosures of personal data to third parties in error.
  • 25 September 2014 Norfolk Community Health & Care NHS Trust. An undertaking to comply with the first, third and seventh data protection principle has been signed by Norfolk Community Health & Care NHS Trust. This follows an investigation involving the inadvertent sharing of data with a referral management centre.
  • 22 September 2014 Oxford Health NHS Foundation Trust. An undertaking to comply with the seventh data protection principle has been signed by Oxford Health NHS Foundation Trust.  This follows an investigation into two separate incidents involving disclosures of personal data.
  • 09 September 2014 Isle of Scilly Council. An undertaking to comply with the seventh data protection principle has been signed by the Council of the Isle of Scilly. This follows an investigation into two separate incidents. The first relating to confidential information which was part of a disciplinary hearing being sent unredacted to third parties.
  • 28 August 2014 Racing Post. An undertaking to comply with the seventh data protection principle has been signed by the Racing Post. This follows an investigation whereby the Racing Post website was subject to an internet based SQL injection attack which gave access to a customer database. The data included customer registration details relating to 677,335 data subjects.
  • 13 August 2014 Wokingham Borough Council. A follow up has been completed to provide an assurance that Wokingham Borough Council has appropriately addressed the actions agreed in its undertaking signed April 2014.
  • 11 August 2014 Thamesview Estate Agents Ltd. An undertaking to comply with the seventh data protection principle has been signed by Thamesview Estate Agents Ltd after the company continued to leave papers containing personal information on the street despite a previous warning. The papers were stored in transparent bags and the information was clearly visible to anyone who walked past.
  • 18 July 2014 The Moray Council. A follow up has been completed to provide an assurance that The Moray Council has appropriately addressed the actions agreed in its undertaking signed May 2014.
  • 09 July 2014 Betsi Cadwaladr University Health Board. An undertaking to comply with the seventh data protection principle has been signed by Betsi Cadwaladr University Health Board after sensitive information was sent to the wrong address.
  • 27 June 2014 Oxfordshire County Council. An undertaking to comply with the seventh data protection principle has been signed by Oxfordshire County Council. This follows an investigation whereby a solicitor had removed a number of documents from the office but had dropped these in a street near their home. The sensitive personal data related to three child protection cases concerning 22 data subjects.
  • 23 June 2014 Aspers (Milton Keynes) Limited. An undertaking to comply with the seventh data protection principle has been signed by Aspers (Milton Keynes) Limited, following an email which was sent in error to an recipient outside of the organisation.
  • 19 June 2014 Department of Justice Northern Ireland. An undertaking to comply with the seventh data protection principle has been signed by Department of Justice Northern Ireland. This follows the sale of a filing cabinet that contained documents originating from within the Northern Ireland Prison service. The documents contained personal data, as defined by section 1 of the Data Protection Act 1998 (the Act), which was sensitive in nature.
  • 17 June 2014 Aberdeenshire Council. An undertaking to comply with the seventh data protection principle has been signed by Aberdeenshire Council after a paper file was lost by an employee of the Adult Mental Health section of the council’s Social Work service. The employee had placed the file on the roof of his car before driving off.
  • 16 June 2014 Cardiff and Vale University Health Board. A follow up has been completed to provide an assurance that Cardiff and Vale University Health Board has appropriately addressed the actions agreed in its undertaking signed October 2013.
  • 09 June 2014 Worcestershire Health and Care NHS Trust. An undertaking to comply with the seventh data protection principle has been signed by Worcestershire Health and Care NHS Trust. This follows an investigation whereby the local press were handed a patient handover sheet containing details of 18 patients.
  • 02 June 2014 Jephson Homes Housing Association Ltd. An undertaking to comply with the seventh data protection principle has been signed by Jephson Homes Housing Association Ltd. This follows an investigation into the disclosure in error of several documents containing third party personal data when providing documents to an individual as part of a litigation process.
  • 30 May 2014 Panasonic UK. A follow up has been completed to provide an assurance that Panasonic UK has appropriately addressed the actions agreed in its undertaking signed October 2013.
  • 30 May 2014 St Helens Metropolitan Borough Council. An undertaking to comply with the seventh data protection principle has been signed by St Helens Metropolitan Borough Council after child’s foster placement address was disclosed in error.  Investigations identified that Council had selected the correct recipient and had redacted the majority of documents disclosed however the address was missed on one document.
  • 30 May 2014 London Borough of Barking & Dagenham. An undertaking to respond in a quicker and more effective manner to losses of personal data has been signed by London Borough of Barking & Dagenham. This follows an investigation into the loss of a file containing medical data relating to eleven children, which discovered that although the council knew where the file was, it had still not been retrieved five months later.
  • 27 May 2014 Student Loans Company. An undertaking to comply with the seventh data protection principle has been signed by the Student Loans Company Limited following an investigation by the ICO into three separate incidents involving the disclosure of documents to the incorrect recipients.  The investigation identified that whilst checking procedures were in place documents containing sensitive personal data were subject to fewer checks than those containing less sensitive data.
  • 16 May 2014 Great Ormond Street Hospital for Children NHS Foundation Trust. A follow up has been completed to provide an assurance that Great Ormond Street Hospital for Children NHS Foundation Trust has appropriately addressed the actions agreed in its undertaking signed November 2013.
  • 12 May 2014 The Moray Council. An undertaking to comply with the seventh data protection principle has been signed by The Moray Council. This follows an investigation into the loss of a file containing adoption meeting papers at a café in the local area.
  • 25 April 2014 Dudley Metropolitan Borough Council. An undertaking to comply with the seventh data protection principle has been signed by Dudley Metropolitan Borough Council. This follows an investigation whereby a social worker had left a case file containing sensitive personal data at a client’s home. The case file outlined child welfare concerns and disclosed the identity of the source.
  • 15 April 2014 Wirral Borough Council. An undertaking to comply with the seventh data protection principle has been signed by Wirral Borough Council after social services records containing sensitive personal information were sent to the wrong addresses on two occasions. The information, which was disclosed in February and April 2013, included sensitive personal details relating to two families living in the borough and in one case included details of a criminal offence committed by one of the family members.
  • 15 April 2014 Wokingham Borough Council. An undertaking to comply with the seventh data protection principle has been signed by Wokingham Borough Council, after sensitive social services records relating to the care of a young child were lost. The information, which had been requested by a family member, was lost after the delivery driver left the documents outside the requester’s home in August 2013.
  • 11 April 2014 Royal Borough of Windsor and Maidenhead. A follow up has been completed to provide an assurance that the Royal Borough of Windsor and Maidenhead has appropriately addressed the actions agreed in its undertaking signed September 2013.
  • 28 March 2014 Barking, Havering & Redbridge University Hospitals NHS Trust. An undertaking to comply with the seventh data protection principle has been signed by Barking, Havering & Redbridge University Hospitals NHS Trust. This follows an investigation by the ICO into a series of fax related incidents which revealed that the Trust had a very low attendance rate for Information Governance training.
  • 20 March 2014 Disclosure and Barring Service. An undertaking to comply with the first data protection principle has been signed by the Disclosure and Barring Service.
  • 14 March 2014 Cardiff City Council. A follow up has been completed to provide an assurance that Cardiff City Council has appropriately addressed the actions agreed in its undertaking signed August 2013.
  • 13 March 2014 Neath Care. An undertaking to comply with the seventh data protection principle has been signed by Neath Care. This follows the disclosure of ten client care service delivery plans which were found by a member of the public in the street. The care service delivery plans related to elderly people and contained confidential client information on matters such as personal care, medication and key safe numbers.
  • 26 February 2014 Treasury Solicitor’s Department. An undertaking to comply with the seventh data protection principle has been signed by the Treasury Solicitor’s Department. The data controller agreed to put measures in place to ensure the security of the personal data it handles.
  • 24 January 2014 Hillingdon Hospitals NHS Foundation Trust. A follow up has been completed to provide an assurance that Hillingdon Hospitals NHS Foundation Trust has appropriately addressed the actions agreed in its undertaking signed September 2013.
  • 10 January 2014 Northern Health and Social Care Trust. A follow up has been completed to provide an assurance that Northern Health and

Prosecution

  • 13 November 2014 Harkanwarjit Dhanju. A former pharmacist working for West Sussex Primary Care Trust has been prosecuted for unlawfully accessing the medical records of family members, work colleagues and local health professionals. Harkanwarjit Dhanju was fined £1000, ordered to pay a £100 victim surcharge and £608.30 prosecution costs.
  • 11 November 2014 Matthew Devlin. Company director Matthew Devlin has been fined after illegally accessing one of Everything Everywhere’s (EE) customer databases. Devlin used details of when customers were due a mobile phone upgrade to target them with services offered by his own telecoms companies.
  • 22 August 2014 Dalvinder Singh. A Birmingham banker has been fined after he admitted reading his colleagues bank accounts. He worked in Santander UK’s suspicious activity reporting unit at their Leicester office. His role investigating allegations of money laundering meant he was able to view customer accounts. But he used his access to look at eleven colleagues’ accounts, to learn how much their salaries and bonuses were.
  • 06 August 2014 A Plus Recruitment Limited. A recruitment company has been prosecuted today at Doncaster Magistrates Court for failing to notify with the ICO. A Plus Recruitment Limited pleaded guilty and was fined £300 and ordered to pay costs of £489.95 and a victim surcharge of £30.
  • 05 August 2014 1st Choice Properties (SRAL). A property lettings and management company has been prosecuted for failing to notify with the ICO at Uxbridge Magistrates Court today. 1st Choice Properties (SRAL) was convicted in the defendant’s absence and fined £500, ordered to pay costs of £815.08 and a victim surcharge of £50.
  • 15 July 2014 Jayesh Shah. The owner of a marketing company trading as Vintels has been prosecuted for failing to notify the ICO of changes to his notification at Willesden Magistrates Court today. Jayesh Shah was fined £4000, ordered to pay costs of £2703 and a £400 victim surcharge.
  • 14 July 2014 Hayden Nash Consultants. A recruitment company has been prosecuted for failing to notify with the ICO at Reading Magistrates Court today. Hayden Nash Consultants entered a guilty plea and was fined £200, ordered to pay costs of £489.85 and a £20 victim surcharge.
  • 10 July 2014 Stephen Siddell. A former branch manager for Enterprise Rent-A-Car has been prosecuted for unlawfully stealing the records of almost two thousand customers before selling them to a claims management company. Stephen Siddell was fined £500, ordered to pay a £50 victim surcharge and £264.08 in prosecution costs.
  • 09 July 2014 Global Immigration Consultants Limited. A legal advice company has been prosecuted for failing to notify with the ICO at Manchester Magistrates Court today. Global Immigration Consultants Limited entered a guilty plea and was fined £300, ordered to pay costs of £260.18 and a £30 victim surcharge.
  • 06 June 2014 Darren Anthony Bott. The director of a pensions review company has been prosecuted for failing to notify with the ICO. Darren Anthony Bott of Allied Union Ltd entered a guilty plea and was fined £400, ordered to pay costs of £218.82 and a £40 victim surcharge.
  • 05 June 2014 API Telecom. A telecoms company has been prosecuted by the ICO for failing to comply with an information notice in Westminster Magistrates’ Court yesterday. The company, API Telecom, entered a guilty plea and was fined £200, ordered to pay full costs of £489.85 and the victim surcharge was imposed.
  • 13 May 2014 QR Lettings. A property company has been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act. QR Lettings pleaded guilty at a hearing on 13 May 2014 at Birkenhead Magistrates Court. The company was fined £250, ordered to pay costs of £260 and a £30 victim surcharge.
  • 25 April 2014 Barry Spencer. A man who ran a company that tricked organisations into revealing personal details about customers has been ordered to pay a total of £20,000 in fines and prosecution costs, as well as a confiscation order of over £69,000 at a hearing at Isleworth Crown Court.
  • 25 April 2014 Allied Union Limited. A pension review company has been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act.  Allied Union Limited pleaded guilty at a hearing on 25 April 2014 at Swansea Magistrates Court. The company was fined £400, ordered to pay costs of £338.11 and a victim surcharge of £40.
  • 25 March 2014 Help Direct UK Limited. A financial advisors has been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act. Help Direct UK Limited pleaded guilty at a hearing on 25 March 2014 at Swansea Magistrates Court. The company was fined £250, ordered to pay costs of £248.83 and a victim surcharge of £25.
  • 12 March 2014 Boilershield Limited. A plumbing company and its director have been prosecuted by the ICO for failing to notify under section 17 of the Data Protection Act. Boilershield Limited and its director, Mohammod Ali, pleaded guilty at a hearing on 12 March 2014 at Bromley Magistrates. They were both fined £1,200, ordered to pay costs of £196.87 and a victim surcharge of £120.
  • 11 March 2014 Becoming Green (UK) Ltd. A Cardiff-based green energy deal company, Becoming Green (UK) Ltd, has been prosecuted by the Information Commissioner’s Office after failing to notify the ICO that it handled customers’ personal data. The offence was uncovered when the company was being monitored following concerns about compliance.
  • 24 January 2014 ICU Investigations Limited. Six men who were part of a company that tricked organisations into revealing personal

Enforcements

  • 19 November 2014 Grampian Health Board (NHS Grampian). The Information Commissioner’s Office has ordered NHS Grampian to take action to make sure patients’ information is better protected.
  • 12 November 2014 Hot House Roof Company. The ICO has issued an enforcement notice against Hot House Roof Company ordering them to stop making nuisance marketing calls. The company had failed to honour suppression requests and repeatedly made calls to a number of individuals despite their being TPS registered.
  • 21 October 2014 Abdul Tayub. The Information Commissioner’s Office has served Abdul Tayub with an enforcement notice after he was found to be sending unsolicited marketing mail by electronic means without providing information as to his identity and without prior consent.
  • 12 September 2014 All Claims Marketing Limited. The Information Commissioner’s Office has served All Claims Marketing Limited with an enforcement notice after the company was found to be sending unsolicited marketing mail by electronic means without providing information as to its identity.
  • 03 September 2014 Winchester and Deakin Limited. The Information Commissioner’s Office has served Carmarthen-based direct marketing company Winchester and Deakin Limited (also trading as Rapid Legal and Scarlet Reclaim) with an enforcement notice ordering them to stop making nuisance calls. The move comes after an investigation discovered they had made unsolicited marketing calls to people who had registered with the Telephone Preference Service (TPS) or who had asked not to be contacted.
  • 16 June 2014 DC Marketing Limited. The ICO has issued an enforcement notice against DC Marketing Limited after the company made hundreds of nuisance calls to try and get people to purchase solar panels partly financed by the Green Deal Home Improvement Fund. An ICO investigation found the company also frequently gave a false name to avoid detection.
  • 29 May 2014 Wolverhampton City Council. The ICO has issued an enforcement notice against Wolverhampton City Council, following an investigation into a data breach at the council that occurred in January 2012. The breach was caused when a social worker, who had not received data protection training, sent out a report to a former service user detailing their time in care. However, the social worker failed to remove highly sensitive information about the recipient’s sister that should not have been included.
  • 03 April 2014 Amber UPVC Fabrications Ltd (T/A Amber Windows). The ICO has issued an enforcement notice against Amber Windows ordering them not to call subscribers who have previously told them not to ring or subscribers who have not consented to them calling and have registered the number with the TPS for at least the required 28 days.
  • 10 March 2014 Isisbyte Limited. The ICO has served an enforcement notice on Isisbyte Limited after the company was found to be making unsolicited marketing calls without providing information as to their identity.
  • 10 March 2014 SLM Connect Limited. The ICO has served an enforcement notice on SLM Connect Limited after the company was found to be making unsolicited marketing calls without providing information as to their identity.

Who has breached the Data Protection Act in 2012? Find the complete list here.

Who breached the Data Protection Act in 2013? Find the complete list here.

85% of mobile apps fail to provide basic privacy information

A survey of over 1,200 mobile apps by 26 privacy regulators from across the world has shown that a high number of apps are accessing large amounts of personal information without adequately explaining how people’s information is being used.

The survey by the Global Privacy Enforcement Network (GPEN) examined the privacy information provided by 1,211 mobile apps. As a member of GPEN, the UK’s Information Commissioner’s Office examined 50 of the top apps released by UK developers.

Today GPEN has published the results of its research. The key findings are:

85% of the apps surveyed failed to clearly explain how they were collecting, using and disclosing personal information.

More than half (59%) of the apps left users struggling to find basic privacy information.

Almost 1 in 3 apps appeared to request an excessive number of permissions to access additional personal information.

43% of the apps failed to tailor privacy communications to the small screen, either by providing information in a too small print, or by hiding the information in lengthy privacy policies that required scrolling or clicking through multiple pages. .

The research did find examples of good practice, with some apps providing a basic explanation of how personal information is being used, including links to more detailed information if the individual wants to know more. The regulators were also impressed by the use of just-in-time notifications on certain apps that informed users of the potential collection, or use, of personal data as it was about to happen. These approaches make it easier for people to understand how their information is being used and when.

ICO Group Manager for Technology, Simon Rice, said:

“Apps are becoming central to our lives, so it is important we understand how they work and what they are doing with our information. Today’s results show that many app developers are still failing to provide this information in a way that is clear and understandable to the average consumer.

 

“The ICO and the other GPEN members will be writing out to those developers where there is clear room for improvement. We will also be publishing guidance to explain the steps people can take to help protect their information when using mobile apps.”

The ICO has published ‘Privacy in Mobile Apps’ guidance to help app developers in the UK handle people’s information correctly and meet their requirements under the UK Data Protection Act. The guidance includes advice on informing people how their information will be used. Research carried out last year to support the guidance’s launch showed that 49% of app users have decided not to download an app due to privacy concerns.

From the UK Information Commissioners post which is here.

Travel company fined £150,000 after losing 1,163,996 Credit and Debit Card records

An online travel services company called Think W3 Limited, has been fined £150,000 after it breached the Data Protection Act.

Think W3 Limited was hacked in December 2012 after using insecure coding on the website of a subsidiary business, Essential Travel Ltd.

A hacker extracted a total of 1,163,996 Credit and Debit Card records. Of these records 430,599 were identified as current and 733,397 as expired.

Cardholder details had not been deleted since 2006 and there had been no security checks or reviews since the system had been installed.

Stephen Eckersley, The ICO’s Head of Enforcement, said:

This was a staggering lapse that left more than a million holiday makers’ personal details exposed to a malicious hacker.

“Data security should be a top priority for any business that operates online. Think W3 Limited accepted liability for failing to keep their customers’ personal data secure; failing to test their security and failing to delete out-of-date information.

“The public’s awareness of the importance of data protection is rising all the time. Ignorance from data controllers is no excuse. They must take active steps to ensure the personal data they are responsible for is kept safe or face enforcement action and the resulting reputational damage

The Information Commissioner’s fine will be in addition to the costs levied by the Credit Card schemes under PCI and the banks.

Most European organizations believe using a European cloud is easier from a regulatory and compliance perspective

Perspecsys Infograph from research at InfoSec Europe Conference

8 areas of computer security that have arisen during Data Breach investigations

The UK Information Commissioner’s Office (ICO) has identified eight important areas of computer security that have frequently arisen during their investigations of data breaches.

The eight areas are:-

  1. Software updates
  2. SQL injection (65% of organisations have been breached by a SQL Injection attack)
  3. Unnecessary services
  4. Decommissioning of software or services
  5. Password storage
  6. Configuration of SSL and TLS
  7. Inappropriate locations for processing data
  8. Default credentials

The ICO has provided advice for all eight areas. The report can be found here.

ICO response to European Union Court of Justice ruling on online search results

The United Kingdom Information Commissioner’s Office (ICO) has issued the following statement in response to this week’s ruling by the European Union Court of Justice on the need for Google to amend its search results following a request by a member of the public. 

ICO spokesperson said:

This is an important judgement. We welcome the extent to which it upholds the data protection rights of individuals and confirms the powers of data protection authorities to enforce these. We will be studying the judgement in detail and considering its practical implications for individuals, businesses and ourselves. When we have done so we will comment further

When the revised European Data Protection Act finally arrives I hope they further clarify the “right” of being forgotten and how it will be enforced.

Health sector needs to improve its data protection

The Information Commissioner’s Office report on how organisations providing secondary health care are complying with the Data Protection Act and highlights areas that need improvement.

The report summarises the results of 19 audits, mostly against NHS Trusts.

The audits looked at how personal data is handled by the organisation, and fit alongside NHS information governance guidelines. The organisations voluntarily agreed to work with the ICO to identify good practice and, where necessary, improve procedures relating to the handling of personal data.

The Audits found:

  • All the organisations had data protection policies and procedures in place, though compliance with the policies wasn’t always effectively monitored, for instance through spot checks.
  • All the organisations had a system in place to track health records, though some did not conduct audits for missing files. The physical security of records also varied, with concern raised particularly around unlocked trollies used for moving files.
  • There was also a lack of simple password controls, notably forcing regular password changes.
  • Some organisations had little in the way of fire or flood protection in place for paper records.
  • All organisations had appropriate information governance related risk registers and risk assessments that were regularly reviewed.
  • Concern was raised around the use of fax machines for sending personal information, given the human error associated with using a fax machine.

Before three of the audits, staff were surveyed about their awareness of data protection policies

  • 88% of staff had read and understood the policy in place within their organisation
  • 94% had completed data protection training within the previous year

Claire Chadwick, ICO Team Manager in the Good Practice team, said:

Information about a person’s health tends to be one of the most sensitive types of personal data, and it is clear it must be properly handled.

“Our experiences in these audits suggested that tended to be the case. Only one of the audits suggested a substantial risk of non-compliance with the law, while more than half gave reasonable assurance the law was being complied with.

“By paying attention to this report, more organisations in this sector can ensure they are handling personal information properly. This report is an opportunity to review and improve practices and procedures based on our experiences

The audits followed a letter from the Information Commissioner and the Chief Executive of the NHS Sir David Nicholson to chief executives and finance directors within the NHS.

The full report can be found here.

Who breached the Data Protection Act in the first half of 2013?

As we have passed the first half of 2013, I thought it would be a good time to publish the entire list of who fell foul of the UK Data Protection Act and were punished by the Information Commissioner (ICO).

There are three types of punishments administered by the ICO

  1. Monetary. The most serious of the actions and one normally reserved for organisational entities.
  2. Undertaking. Typically applied when an organisation has failed to adhere to good business practice and needs the helping guidance of the ICO
  3. Prosecutions. Normally reserved for individuals who have blatantly breached the Act.

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors like the size, financial and other resources of an organisation’s data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are paid to HM Treasury and not to the ICO. Many argue that the ICO would be a stronger body if it had more money and penalties is a good way to generate more revenue – a self funding government department.

  • 12 July 2013 NHS Surrey. A monetary penalty notice has been served on NHS Surrey following the discovery of sensitive personal data belonging to thousands of patients on hard drives sold on an online auction site. Whilst NHS Surrey has now been dissolved outstanding issues are now being dealt with by the Department of Health.
  • 8 July 2013 Tameside Energy Services Ltd. A monetary penalty notice has been served to Tameside Energy Services Ltd after the Manchester based company blighted the public with unwanted marketing calls.
  • 18 June 2013 Nationwide Energy Services and We Claim You Gain. Monetary penalty notices have been served to Nationwide Energy Services and We Claim You Gain – both companies are part of Save Britain Money Ltd based in Swansea. The penalties were issued after the companies were found to be responsible for over 2,700 complaints to the Telephone Preference Service or reports to the ICO using its online survey, between 26 May 2011 and end of December 2012.
  • 13 June 2013 North Staffordshire Combined Healthcare NHS Trust. A monetary penalty notice has been served to North Staffordshire Combined Healthcare NHS Trust, after several faxes containing sensitive personal data were sent to a member of the public in error.
  • 7 June 2013 Glasgow City Council. A monetary penalty notice has been served to Glasgow City Council, following the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people.
  • 5 June 2013 Halton Borough Council. A monetary penalty notice has been served to Halton Borough Council, in respect of an incident in which the home address of adoptive parents was wrongly disclosed to the birth family.
  • 3 June 2013 Stockport Primary Care Trust. A monetary penalty has been served to Stockport Primary Care Trust following the discovery of a large number of patient records at a site formerly owned by the Trust.
  • 20 March 2013 DM Design Bedroom Ltd. A monetary penalty has been served to DM Design Bedroom Ltd. The company has been the subject of nearly 2,000 complaints to the ICO and the Telephone Preference Service. The company consistently failed to check whether individuals had opted out of receiving marketing calls and responded to just a handful of the complaints received.
  • 15 February 2013 Nursing and Midwifery Council. A monetary penalty has been served to the Nursing and Midwifery Council. The council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. An ICO investigation found the information was not encrypted.
  • 24 January 2013 Sony Computer Entertainment Europe Limited. A monetary penalty has been served to the entertainment company Sony Computer Entertainment Europe Limited following a serious breach of the Data Protection Act. The penalty comes after the Sony PlayStation Network Platform was hacked in April 2011, compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk. They failed in their bid to appeal.

Undertakings

Undertakings are formal agreements between an organisation and the ICO to undertake certain actions to avoid future breaches of the Data Protection Act, typically this involves, Encryption, Training and Management Procedures.

  • 16 July 2013 Janet Thomas. An undertaking to comply with the seventh data protection principle has been signed by Janet Thomas. This follows a report made by a member of the public that approximately 7,435 CV files, containing personal data, were being stored unprotected on the website
  • 9 July 2013 Health & Care Professions Council (HCPC). An undertaking to comply with the seventh data protection principle has been signed by the Health & Care Professions Council (HCPC) after an incident in which papers containing personal data were stolen on a train in 2011.
  • 12 June 2013 (issued 10 September 2012) Bedford Borough Council. An undertaking to comply with the seventh data protection principle has been signed by Bedford Borough Council relating to the removal of legacy data from a social care database.
  • 2 June 2013 (issued 18 September 2012) Central Bedfordshire Council. An undertaking to comply with the seventh data protection principle has been signed by Central Bedfordshire Council relating to the removal of legacy data from a social care database and in relation to the preparation of planning application documentation for publication.
  • 31 May 2013 Leeds City Council. A follow up has been completed to provide an assurance that Leeds City Council has appropriately addressed the actions agreed in its undertaking signed November 2012.
  • May Prospect. A follow up has been completed to provide an assurance that Prospect has appropriately addressed the actions agreed in its undertaking signed January 2013.
  • 21 May 2013 (issued 9 November 2011) News Group Newspapers. An undertaking to comply with the seventh data protection principle has been signed by News Group Newspapers, following an attack on the website of The Sun newspaper in 2011.
  • 26 April 2013 The Burnett Practice. An undertaking to comply with the seventh data protection principle has been signed by The Burnett Practice. This follows an investigation whereby an email account used by the practice had been subject to a third party attack. The email account subject to the attack was used to provide test results to patients and included a list of names and email addresses.
  • 4 April 2013 East Riding of Yorkshire Council. An undertaking to comply with the seventh data protection principle has been signed by the East Riding of Yorkshire Council, following incidents last year in which personal data was inappropriately disclosed.
  • 25 January 2013 Mansfield District Council. An undertaking to comply with the seventh data protection principle has been signed by the Managing Director of Mansfield District Council. This follows a number of incidents where personal data of housing benefit claimants was disclosed to the wrong landlord.
  • 16 January 2013 Prospect. An undertaking to comply with the seventh data protection principle has been signed by the union Prospect. This follows an incident in which two files containing personal details of approximately 19,000 members of the union had been sent to an unknown third party email address in error.

Prosecutions

  • 23 May 2013 A former manager of a health service based at a council-run leisure centre in Southampton has been prosecuted under section 55 of the Data Protection Act for unlawfully obtaining sensitive medical information relating to over 2,000 people.
  • 8 April 2013 A Hertfordshire estate agent has been prosecuted under section 17 of the Data Protection Act after failing to notify with the ICO.
  • 12 March 2013 A former receptionist at a GP surgery in Southampton has been prosecuted under section 55 of the Data Protection Act for unlawfully obtaining sensitive medical information relating to her ex-husband’s new wife.

Also read

Irish Data Protection Commissioner publishes his 2012 Annual Report

This week sees the Irish Data Protection Commissioner, Billy Hawkes, release his annual report for 2012.

The report summarises activities of the Commissioner’s Office during 2012 and like his UK counter part focuses on investigations and audits undertaken and provides a commentary on the impact of European and International Data Protection activities.

As with the UK the use and sharing of personally identifiable information (PII), especially in the public sector has been a major issue.

The Commissioner accepts that data sharing can bring benefits in terms of efficient delivery of public services but cautions that it should be done in a way that respects the rights of individuals to have their personal data treated with care and not accessed or used without good reason. Appendix 4 of this year’s report contains the full audit report carried out by the Office of external public agency access to the Department of Social Protection INFOSYS database* which uncovered significant breaches of the data protection legislation in relation to access to and governance of personal data

In the 2011 Annual Report the Commissioner drew attention to the increased demand on the resources of the Office. The Commissioner in his 2012 report points to the Government’s response by providing additional staffing and funding to the Office. In addition, the Government has also given a commitment to keep the resourcing of the Office actively under review to ensure that any additional resources required will be made available. The Commissioner acknowledges that his Office is now well placed to discharge its current statutory responsibilities. Given the likely increased role for the Office, which will emerge from the new “one-stop-shop” arrangement being proposed at EU level for oversight of multi-national companies, the Commissioner welcomes the commitment to ongoing review of further resource requirements.

Complaints:

During 2012, the Office opened 1,349 complaints for investigation, exceeding last year’s record high number with an increase of 188. Complaints from individuals in relation to difficulties gaining access to their personal data held by organisations accounted for just under one-third of the overall complaints investigated during 2012. There was a marked increase in the number of complaints under the Privacy in Electronics Regulations during 2012 (up from 253 in 2011 to 606 during 2012).

The report includes case studies of a number of specific investigations including:

  • Prosecution of three Insurance Companies for Data Protection Registration offences after social welfare data, sourced via a private investigator, was found on insurance claim files held by those companies.
  • Prosecution of a number of companies for unsolicited marketing offences
  • High Court ruling that Dublin Bus must supply copy of CCTV footage requested under the right of access

Breakdown of complaints

Electronic Direct Marketing 44.93% 606
Access Rights 32.77 448
Disclosure 7.86% 106
Unfair Processing of Data 2.59% 35
Unfair Obtaining of Data 0.96% 13
Use of CCTV Footage 2.37% 32
Failure to secure data 2.59% 35
Accuracy 1.41% 19
Excessive Data Requested 1.78% 24
Unfair Retention of Data 1.26% 17
Postal Direct Marketing 0.74% 10
Other 0.74% 10
TOTALS 100.00% 1349

Number of complaints since 2003

Year Complaints Received
2003 258
2004 385
2005 300
2006 658
2007 1037
2008 1031
2009 914
2010 783
2011 1161
2012 1349

Data Breach Notifications

During 2012, the Office dealt with 1,666 personal data security breach notifications. This is again an increase in the numbers dealt with compared to previous years. Of the 1,666 notifications received, it was found that 74 cases were not deemed to be personal data security breaches on the part of the data controller making the notification. This was due to either appropriate security measures, such as encryption, being in place to protect the data or to individuals failing to update their contact details with the data controller, resulting in letters issuing to an incorrect address. A total of 1,592 valid data breach notifications were therefore recorded. This is an increase of over 400 on last year.

The introduction, in July 2011, of S.I. 336 of 2011 made it a legal requirement for telecommunication companies and Internet Service Providers (ISPs) to notify this Office, without undue delay, of a data security breach and to also notify affected individuals of such a breach. In September 2012, two telecommunications companies were prosecuted for failing to meet their legal obligation in this regard. In the first full year of S.I. 336 being in effect, a total of 60 data security breach notifications were received from Telecommunications companies and ISPs.

Due to the year on year increase in the number of data security breach notifications received by the Office, additional resources were allocated to the area. A Technology Advisor has also been appointed to allow the Office properly investigate the more complex Information Technology (IT) related matters that are brought to its attention. During 2012, we have taken a more proactive stance in relation to potential data security breaches and have initiated investigations into matters that have been identified through mention in areas such as social media sites.

While the complexity of certain data security breaches increases, it is the more mundane situation of correspondence being issued to an incorrect address that continues to account for the largest percentage of data security breaches. Over two thirds of all breach notifications received by the Office involved letters being issued by post, either to an incorrect address or containing a third party’s personal data.

The annual report includes a number of “case studies” detailing specific organisations who sustained breaches.

Privacy Audits:

In the course of 2012, 40 audits and inspections were carried out by this Office. This is an increase on the previous year – 2011 – in which 33 audits were completed in total. Included in the list of the audits/inspections, is the INFOSYS investigation which, although initially a ‘desk audit’, eventually led to a large number of meetings and visits to agencies within the public sector who had access to INFOSYS.

Examples of who was audited is below:

  • O2
  • An Garda Síochána
  • Facebook-Ireland (follow-up review)
  • Ulster Bank (reporting procedures with the Irish Credit Bureau)
  • Permanent TSB (reporting procedures with the Irish Credit Bureau)
  • National Irish Bank (reporting procedures with the Irish Credit Bureau)
  • Bank of Ireland (reporting procedures with the Irish Credit Bureau)

The report is 127 pages long with almost 80% focusing on specific case studies. It make interesting reading. The full document can be found here.

.

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: