Brian Pennington

A blog about Cyber Security & Compliance


Information privacy

DMA Privacy

UK’s Information Commissioner believes 2013 will be the year businesses handle data correctly…!

2013 is the year that the commercial imperative of good data handling will be realised

Speaking at the launch of the ICO’s annual report today, Christopher Graham will highlight that consumers have a strong awareness of how their data should be handled, and how this affects their relationship with businesses.

An ICO study into public attitudes toward data protection found that 97% of those surveyed were concerned that organisations would pass or sell-on their personal details. The survey also found more than half (53%) considered details of the products they had bought to be personal information.

Yet in spite of these consumer concerns, only 10% of businesses were aware of the legal limitations on how they could use customers’ personal data.

Information Commissioner Christopher Graham said:

“Education and empowerment have been two of the key areas we’ve focused on in the past twelve months. That work is having real benefits: consumers’ awareness of their rights remains strong, and that is empowering people to demand more in return for their data.

“The result is consumers expecting organisations to handle their personal data in a proper way, and in a legal way. Businesses that don’t meet that basic requirement are going to quickly find themselves losing customers.

“I think 2013 is the year that organisations will realise the commercial imperative of properly handling customer data. The stats we’ve seen about public concern around personal data show that, as does a company the size of Microsoft choosing privacy as a theme of a national advertising campaign.

“The message to business is simple: consumers understand the value of their personal data, and they expect you to too.”

Find the complete report here.

Is the concern for data protection making half of all employees less productive?

In 2010, the Visual Data Breach Risk Assessment Study revealed that two out of three working professionals are displaying sensitive information on their mobile devices, such as social security numbers, credit card numbers and other non-regulated but sensitive company information, when outside the office. This points to the insight that in certain circumstances people value productivity over data protection when working. However, in circumstances when an individual values data protection, is the company potentially losing productivity due to visual privacy concerns?

The 2013 Visual Privacy Productivity Study, conducted by The Ponemon Institute, revealed that companies can lose more than data as remote working increases, with 50% of employees answering that they are less productive when their visual privacy is at risk in public places.

The Visual Privacy Productivity Study showed that employees are forced either to trade off working against the risk of private data being overlooked by nosy neighbours, or to stop working altogether. Based on these findings, lost productivity due to employee visual privacy concerns is potentially costing a US business organisation with more than 7,500 people over $1 million per year.

“While many companies realise that snooping and visual privacy presents a potential data security issue, there has been little research regarding how the lack of visual privacy impacts a business’ bottom line,” says Larry Ponemon, Chairman and Founder of The Ponemon Institute. “As workers become more mobile and continue to work in settings where there is the potential for visual privacy concerns, companies need to find solutions to address productivity as it relates to computer visual privacy in addition to dealing with the fundamental security issues of mobile devices.”

The study surveyed 274 US individuals from five organisations in a variety of sectors. More than half stated that their visual privacy had been violated whilst travelling or in other public places such as cafes, airports and hotels, and two out of three admitted to exposing sensitive data on mobile devices whilst outside the workplace. When asked how their organisation handles the protection of sensitive information in a public location, 47% did not think any importance was put on this and that no adequate policies were in place.

Other interesting findings include:

  • Employees are 50% less productive when their visual privacy is at risk and lost productivity costs an organisation approximately £350 per employee per year
  • Visual privacy impacts on transparency as users that value privacy are less likely to enter information on an unprotected screen.
  • Women value privacy more (61%) than men (50%), and women’s productivity is more positively impacted than men’s when the screen is protected with a privacy filter.
  • Older employees value privacy more, with 61% of over 35s compared to 51% of under 35s placing importance on privacy.

“Productivity loss is a major discovery in this survey and will hopefully encourage companies across all sectors to consider employee working practices and behaviours,” said Rob Green, Marketing Executive at 3M’s Speciality Display & Projection Division.

According to the survey, the devices used for work-related activities were:

  • Smartphone 65%
  • Laptop computer 65%
  • Desktop computer 45%
  • Tablet computer 29%
  • Netbook computer 14%
  • Other 2%

The 2010 Visual Data Breach Risk Assessment survey revealed that visual privacy on computer screens was an under-addressed area in corporate policy. Seventy percent of working professionals said their organization had no explicit policy on working in public places and 79% said that their company had no policy on the use of computer privacy filters.

The 2012 Visual Privacy Productivity Study reinforced these findings with:

  • 47% of those surveyed saying they were unsure or did not think their company placed an importance on protecting sensitive information displayed on a screen in public places
  • 58% were unsure or did not think other employees were careful about protecting sensitive information on computer or mobile device screens in public places. Corporate policy and education on that policy continues to be areas for improvement as it relates to visual privacy.

The full study is very informative about how the sponsor’s (3M) privacy filters can improve productivity and reduce risk and can be read here.


EU Commission proposes a comprehensive reform of the Data Protection rules

This week the European Commission proposed a comprehensive reform of the EU’s 1995 data protection rules to strengthen online privacy rights and to boost Europe’s digital economy.

The press release states:

Technological progress and globalisation have profoundly changed the way our data is collected, accessed and used. In addition, the 27 EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year. The initiative will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs and innovation in Europe.

“17 years ago less than 1% of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds,” said EU Justice Commissioner Viviane Reding, the Commission’s Vice-President. “The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data. My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information. The reform will accomplish this while making life easier and less costly for businesses. A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation.”

The Commission’s proposals update and modernise the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights in the future. They include a policy Communication setting out the Commission’s objectives and two legislative proposals: a Regulation setting out a general EU framework for data protection and a Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.

Key changes in the reform include:

  • A single set of rules on data protection, valid across the EU. Unnecessary administrative requirements, such as notification requirements for companies, will be removed. This will save businesses around €2.3 billion a year.
  • Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors – a requirement that has led to unnecessary paperwork and costs businesses €130 million per year – the Regulation provides for increased responsibility and accountability for those processing personal data.
  • For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).
  • Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU. Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.
  • People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services.
  • A ‘right to be forgotten’ will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.
  • EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
  • Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.
  • A new Directive will apply general data protection principles and rules for police and judicial cooperation in criminal matters. The rules will apply to both domestic and cross-border transfers of data.

The Commission’s proposals will now be passed on to the European Parliament and EU Member States (meeting in the Council of Ministers) for discussion. They will take effect two years after they have been adopted.

The official press release was a short summary of what will be debated by the politicians. For a more detailed summary, based upon the January 2012 release and other research, read my May 2012 post “Proposed European wide Data Protection Act – a review”.

As for the politicians debating the Act before passing it into law, it is worthwhile reading the post “The Information Commissioner provides an update on the European Data Protection Act”.

It is disappointing that the delays will see the revised Act and the improvements in Data Protection and Privacy not being enforced until 2015.


The Prudential is fined £50,000 for breaching the Data Protection Act

The UK’s Information Commissioner’s Office (ICO) has fined the Prudential £50,000 after an administrative error in two accounts that led to tens of thousands of pounds, meant for an individual’s retirement fund, ending up in the wrong account.

This is the first monetary penalty served by the ICO that doesn’t relate to a significant data loss.

The original error, in March 2007, was caused when the records of both customers, who share the same first name, surname and date of birth, were mistakenly merged.

The problem was eventually resolved in September 2010. This was despite the company being alerted to the mistake on several occasions, including a letter from one of the customers in late April 2010 which clearly indicated his address had not changed for over 15 years. The company failed to investigate thoroughly at this point and the penalty imposed today relates to the inaccuracy then present which continued for a further six months.

Stephen Eckersley, ICO Head of Enforcement, said:

“Organisations must make sure the information they hold on their customers’ files is accurate and kept up to date in order to comply with the Data Protection Act. In this case two customer files were consistently confused and the company failed to remedy the situation despite being alerted to the problem on more than one occasion before it was finally resolved.

“This case would be considered farcical were it not for the serious sums of money involved.”

Last year the public made more complaints about the way money lenders were handling their information than for any other sector. Around 15% of the almost 13,000 data protection complaints received by the ICO during the last financial year were due to concerns relating to this group, with inaccurate data the third most complained about issue across all sectors.

Commenting on the ICO’s concerns in this area, Stephen Eckersley continued:

“While data losses may make the headlines, most people will contact our office about inaccuracies and other issues relating to the misuse of their information. Inaccurate information on a customer’s record, particularly when the record relates to an individual’s financial affairs, can have a significant impact on someone’s life.

“We hope this penalty sends a message to all organisations, but particularly those in the financial sector, that adequate checks must be in place to ensure people’s records are accurate. Staff should also receive adequate training on how to manage and maintain them, with any concerns fully investigated in order to ensure problems are addressed at an early stage.”

Prudential has committed to staff training and an improvement in processes to ensure that the accuracy of customers’ records is maintained at all times.


Information Commissioner publishes guidance on cloud computing

The UK’s Information Commissioner’s Office (ICO) has published guidelines on how businesses should treat personal information in the cloud, whether that is a private or a public cloud.

The data protection regulator ICO is concerned that many businesses do not realise they remain responsible for how the data is handled whilst it is in the cloud.

This has resulted in the ICO publishing a guide to cloud computing, to help businesses comply with the law.

The guide gives tips including:

  • Seek assurances on how your data will be kept safe. How secure is the cloud network, and what systems are in place to stop someone hacking in or disrupting your access to the data?
  • Think about the physical security of the cloud provider. Your data will be stored on a server in a data centre, which needs to have sufficient security in place.
  • Have a written contract in place with the cloud provider. This is a legal requirement, and means the cloud provider will not be able to change the terms of the service without your agreement.
  • Put a policy in place to make clear the expectations you have of the cloud provider. This is key where services are funded through adverts targeted at your customers: if they’re using personal data and you haven’t asked your customers’ permission, you’re breaking data protection law.
  • Don’t forget that transferring data internationally brings a number of obligations – that includes using cloud storage based abroad.

Speaking as the guide was launched, author Dr Simon Rice, ICO technology policy advisor, said:

“The law on outsourcing data is very clear. As a business, you are responsible for keeping your data safe. You can outsource some of the processing of that data, as happens with cloud computing, but how that data is used and protected remains your responsibility.

“It would be naïve for an organisation to take the attitude that these guidelines are too much effort to simply store some data in a different place. Where personal information is involved, the stakes are high and the ICO has already demonstrated it will act firmly against those who don’t meet data protection laws.”


The Information Commissioner’s 5 Tips on how to better protect personal information

The UK’s Information Commissioner’s Office has created a list of 5 useful tips for protecting personally identifiable information (PII).

The list comes on the back of an offer by the ICO to help charities and other third sector organisations protect data and avoid potential fines of up to £500,000.

Louise Byers, Head of Good Practice at the ICO, said:

“We are aware that charities are often handling extremely sensitive information relating to the health and wellbeing of vulnerable people. With these organisations often lacking the money to employ dedicated information governance staff, there’s a danger that many charities may be struggling to look after people’s data.

“We have published today’s top five areas for improvement to show the voluntary and charity sector that good data protection practices can be cheap and easy to introduce, providing they have the right help and support.

“A one day advisory visit from the ICO provides charities with a data protection ‘check up’ and practical advice on how they can look after people’s information. We are now calling on these organisations to use the summer period to check that their data protection practices are adequate and get in touch before it is too late.”

Sam Younger, Chief Executive of the Charity Commission said:

“Trustees are responsible for ensuring their charity complies with relevant legislation – including the Data Protection Act – and for protecting their charity’s reputation. Mishandling sensitive data not only causes individuals serious distress, it can also damage the good name of your charity. So I encourage trustees of charities that handle sensitive data to take note of the ICO’s guidance and consider taking part in an ICO advisory visit.”

The ICO’s top five areas for improvement are:

  1. Tell people what you are doing with their data. People should know what you are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice) so it is important you are open and honest with people about how their data will be used.
  2. Make sure your staff are adequately trained. New employees must receive data protection training to explain how they should store and handle personal information. Refresher training should be provided at regular intervals for existing staff.
  3. Use strong passwords. There is no point protecting the personal information you hold with a password if that password is easy to guess. All passwords should contain upper and lower case letters, a number and ideally a symbol. This will help to keep your information secure from would-be thieves.
  4. Encrypt all portable devices. Make sure all portable devices – such as memory sticks and laptops – used to store personal information are encrypted.
  5. Only keep people’s information for as long as necessary. Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required.

I would like to add that, whilst these tips are useful, most businesses, especially charities, should review their requirements under the Payment Card Industry Data Security Standard (PCI DSS), as credit cards are the lifeblood of most organisations.


Aftermath of a Data Breach

Ponemon Institute, sponsored by Experian®, has released the findings of their Aftermath of a Data Breach study.

The study was conducted to learn what organizations did to recover from the financial and reputational damage of a data breach involving customer and consumer records.

Consumer and customer information collected by organizations is at great risk due to employee negligence, insider maliciousness, system glitches or attacks by cyber criminals. Since 2005, according to the Privacy Rights Clearinghouse (PRC), 543 million records containing sensitive information have been breached. PRC says this number is conservative because they track only those breaches that are reported in the media and many states do not require companies to report data breaches to a central clearinghouse.

In 2011, what is considered the biggest consumer data breach ever occurred. As reported by PRC, as many as 250 million consumers received notices telling them that their email addresses and names were exposed. Another significant data breach took place at the end of the year and involved the theft of credit card information.

The organizations represented in this study have had at least one data breach involving customer and consumer records in the past 24 months.

A summary of the study is below: 

All of the organizations in the study had at least one data breach involving consumer information and 85% report that more than one breach involving customer/consumer data occurred in the past 24 months.

In the aftermath of a data breach, IT respondents believe the following:

  • They are more confident than senior leadership about the ability to keep customer data secure from future breaches.
  • By far, negligent employees, temporary employees or contractors make organizations vulnerable to future breaches. Accordingly, conducting training and awareness programs and enforcing security policies should be a priority for organizations.
  • Privacy and data protection became a greater priority for senior leadership following the breach. As a result, IT security budgets for most organizations in this study increased.
  • They are concerned that customer data stolen from their organizations will be used to commit identity fraud.
  • The top three actions believed to reduce the negative consequences of the data breach are hiring legal counsel, assessing the harm to victims and employing forensic experts.
  • Lessons learned from the data breach are to limit the amount of personal data collected, limit sharing with third parties and limit the amount of personal data stored.

In Ponemon’s previous study, Reputation Impact of a Data Breach, the findings reveal that it can take a year to restore an organization’s reputation with an average loss of $332 million in the value of its brand.

For purposes of this study, they asked respondents to focus on the one data breach they believe had the most significant financial and reputational impact on their organizations. The study is organized according to the following three topics:

  • Circumstances of the data breach
  • Response to the data breach
  • Impact of the breach on privacy and data protection practices

In most cases, sensitive data lost or stolen was not encrypted

  • 60% of respondents say the customer data that was lost or stolen was not encrypted
  • 24% said the data was encrypted
  • 16% are unsure

Organizations report that their most sensitive data was lost or stolen

Respondents to the study were asked to focus on the one data breach that had the most severe consequences for their organizations.

What type of data did your organization lose? (% of respondents)

  • Name 85%
  • Address 69%
  • Email address 70%
  • Telephone number 58%
  • Age 43%
  • Gender 35%
  • Employer 20%
  • Educational background 18%
  • Credit card or bank payment information 45%
  • Credit or payment history 41%
  • Password/PIN 48%
  • Social Security number (SSN) 33%
  • Driver’s license number 29%
  • Other (please specify) 9%
  • Don’t know 11%

Insiders and third parties are most often the cause of the data breach

What was the main cause of the data breach? (% of respondents)

  • Negligent insider 34%
  • Malicious insider 16%
  • Outsourcing data to a third party 19%
  • Systems glitch 11%
  • Cyber attack 7%
  • Data lost in physical delivery 5%
  • Failure to shred confidential documents 6%
  • Other 2%

Data breaches reduce an organization’s productivity

50% of respondents say the most negative consequence of the breach was the loss of productivity. In the aftermath of a data breach, key employees may be diverted from their usual responsibilities to help the organization respond to and resolve the data breach.

This is followed by:

  • 41% a loss of customer loyalty
  • 34% legal action

Data breach response strategies need improvement

  • 50% believe the organization made the best possible effort following the data breach
  • 30% say that it was successful in preventing any negative consequences from the data breach
  • 27% believe their data breach notification efforts increased customer and consumer trust in their organization
  • 63% believe their senior leadership views privacy and data protection as a greater priority than before the breach

Prompt notification and assessment of harm to victims are the steps most often taken in response to a data breach

The study reveals that the top three data breach response activities are:

  1. prompt notification to regulators as required by law
  2. prompt notification to victims by letter
  3. careful assessment of the harm to victims

New steps are taken to reduce negative consequences

Prompt notification to victims is no longer considered most helpful in reducing the negative consequences of the data breach.

The respondents indicated that the most helpful steps are:

  • retaining outside legal counsel
  • carefully assessing the harm to victims
  • hiring forensic experts

Credit monitoring and identity protection services are not often offered to victims

Despite the fact that many organizations lose the loyalty of their customers following a data breach, services that might maintain or even strengthen the customer’s relationship with the organization are not offered as frequently on a voluntary basis.

  • 30% say they offer credit monitoring services
  • 19% say they offer identity protection services such as credit monitoring and other identity theft protection measures, including fraud resolution, scans and alerts.

If services are offered, they are provided for one year or less.

Company’s data will be used to commit other types of identity fraud

While many of the respondents are confident about protecting their customers’ personal information, 64% say they are concerned that now that the data may be in the hands of criminals it will be used to commit other types of identity fraud.

Impact of a breach on privacy & data protection practices

In the aftermath of a breach, senior leadership believes the organization is more vulnerable to a breach

  • 49% of respondents say senior leadership believes the organization is more vulnerable to future data breaches
  • 27% of the IT respondents say the organization is more vulnerable, indicating their confidence in preventing future breaches
  • 28% believe their customers’ personal information is at greater risk since the data breach occurred

Lessons learned may improve privacy and data protection practices

Responding to the breach improved organizations’ understanding about how to investigate a future breach.

  • 66% say that the experience of investigating the causes of the breach will help them in determining the root causes of future breaches
  • 61% believe employees are more aware of the need to protect sensitive and confidential information. Training and awareness is the most often cited activity put in place to prevent future data breaches

Privacy and data protection became more of a priority and IT security resources increased following the data breach

  • 61% of respondents say their organizations increased the security budget
  • 28% hired additional IT security staff
  • 9% say they increased the budget for the compliance staff
  • 4% say they hired additional privacy office staff

Organizations are now minimizing the amount of personal data collected, shared and stored

  • 31% say the data breach has had no effect on how the organization uses personal data yet
  • 49% now say they limit the amount of personal data collected
  • 48% now limit the sharing of this data with third parties
  • 42% say the organization limits the amount of personal data stored
  • 27% say the organization now limits the amount of personal information used for marketing purposes

Ponemon’s Conclusion

We conducted this study to better understand how a data breach affects organizations over the long term. It is interesting to note that it took a serious data breach that had both financial and reputational consequences to make privacy and data protection a greater priority and allocate additional resources to the IT security function. While many respondents were unable to determine the root cause of the data breach, there is a consensus among respondents that insider negligence is making their organizations vulnerable to a data breach. As a result, organizations are investing in training and awareness and technologies that minimize the human factor risk.

The findings also show the concern organizations have about losing the loyalty of their customers. Of the IT practitioners surveyed, few felt that prompt notification to victims is helpful in reducing the negative consequences of the data breach. This suggests that compliance with data breach notifications laws is not sufficient if an organization is concerned about customer loyalty and reputation.

For a full copy of the Ponemon / Experian study click here (registration is required).


Websites failing cookie regulations

Earlier this year the UK government tried to implement the Privacy and Electronic Communications Regulations following an EU Directive. The regulations were to have taken effect on the 25th May 2011, but after a series of lobbies and petitions the regulations were put back to the 26th May 2012.

As part of the process the Information Commissioner implemented a 12 month lead-in process and 6 months into the process has released a statement.

“The guidance we’ve issued today builds on the advice we’ve already set out, and now includes specific practical examples of what compliance might look like. We’re half way through the lead-in to formal enforcement of the rules.

“But, come 26 May next year, when our 12 month grace period ends, there will not be a wave of knee-jerk formal enforcement actions taken against those who are not yet compliant but are trying to get there.”

“Our mid-term report can be summed up by the schoolteacher’s favourite clichés “could do better” and “must try harder.” Many people running websites will still be thinking that implementing the law is an impossible task. But they now need to get to work. Over the last few months we’ve been speaking to and working with businesses and organisations that are getting on with it and setting the standard. My message to others is – if they can do it, why can’t you?”

“Some people seem to want us to issue prescriptive check lists detailing exactly what they need to do to comply. But this would only get in the way and would be too restrictive for many businesses and organisations. Those actually running websites are far better placed to know what will work for them and their customers.”

Key points set out in the amended cookies advice include:

  • More detail on what is meant by consent. The advice says ‘consent must involve some form of communication where an individual knowingly indicates their acceptance.’
  • The guidance explains that cookies used for online shopping baskets and ones that help keep user data safe are likely to be exempt from complying with the rules.
  • However, cookies used for most other purposes including analytical, first and third party advertising, and ones that recognise when a user has returned to a website, will need to comply with the new rules.
  • Achieving compliance in relation to third party cookies is one of the most challenging areas. The ICO is working with other European data protection authorities and the industry to assist in addressing the complexities and finding the right answers.
  • The ICO will focus its regulatory efforts on the most intrusive cookies or where there is a clear privacy impact on individuals.

The ICO claims it wants the following:

  • We will allow for a greater focus on wilful non-compliance by letting those who are making genuine attempts to comply get on with the job without unnecessary interference from the regulator.
  • We will further reduce the burden on those trying to comply by ensuring that our response to complaints recognises ongoing work
  • We will give realistic and practical advice to those who ask for it
  • We will be clear about how this work fits in with our strategy on regulatory action
  • We will apply the rules consistently

What the ICO expects from website owners

There is no silver bullet and we are not expecting you to invent one. If we approach your organisation about this topic, perhaps because we have received complaints, we expect you to be able to tell us what you have done so far, how you expect to be compliant and how long it will take. Exactly what you tell us will depend on who you are, the sophistication and complexity of your website and who your users are but we will expect that you can tell us something.

Two general questions that might help in this regard might be, “is my website doing anything that my users don’t know about?” and “am I confident that I am giving them appropriate options?” Your confidence might stem from the fact that you have switched all your cookies off until users tell you to switch them on again. It might stem from the fact that many of your users are registered with you and as part of the registration process they have indicated to you that they are happy for your site to work in a certain way. Or it might stem from the fact that your users will know that some things are more likely than not going to happen when they arrive at your site and that if they want to make choices about those things they know where to go and what to do.

The first option is the safest one. The second is just as safe provided that you are honest and upfront with registered users and that you can rely on the fact that they have made an informed decision to click that “Agree” button. It also, of course, only applies to some of your users – how will you ensure that the one-off or casual user is not left with a browser full of persistent and unwanted cookies?

The third option relies on a lot of factors that might be out of your control such as the general level of user awareness. You can and should, though, do whatever you can to demonstrate your compliance. Three things will help: following the ICO advice, looking for and implementing the ‘quick wins’ and keeping an eye out for industry or sectoral standards and codes. After all, if everyone else in your area of business has done a cookie audit, is changing the way they explain things to users and has engaged with industry peers to come up with consistent messages, the ICO might reasonably ask “if they can do it, why can’t you?”
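The first option the ICO describes, cookies switched off until the user opts in, as an added JavaScript example (not the ICO's or this blog's code; the cookie names, purposes and the exempt/non-exempt split are assumptions modelled on the examples in the guidance above):

```javascript
// Added example, not code from the ICO or this blog. The cookie names and the
// exempt/non-exempt split are assumptions modelled on the ICO's examples above.
const COOKIE_POLICY = {
  basket: { purpose: 'shopping basket', exempt: true },
  csrf_token: { purpose: 'security', exempt: true },
  _analytics: { purpose: 'analytics', exempt: false },
  ad_id: { purpose: 'third-party advertising', exempt: false },
  returning: { purpose: 'recognise returning visitor', exempt: false },
};
// Build a Set-Cookie header with defensive defaults (Secure, HttpOnly, SameSite).
function buildSetCookie(name, value, { maxAge, secure = true, httpOnly = true, sameSite = 'Lax' } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/'];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}
class ConsentGatedCookieJar {
  constructor(policy) {
    this.policy = policy;
    this.consented = new Set(); // purposes the user has opted in to
    this.deferred = new Map();  // cookies held back until consent arrives
    this.headers = [];          // Set-Cookie headers actually emitted
  }
  // Exempt cookies are always allowed; others need consent for their purpose;
  // a cookie missing from the policy is refused outright (a cookie-audit gap).
  isAllowed(name) {
    const entry = this.policy[name];
    return Boolean(entry) && (entry.exempt || this.consented.has(entry.purpose));
  }
  // Returns true if emitted now, false if deferred (known cookie) or refused.
  set(name, value, attrs = {}) {
    if (!this.isAllowed(name)) {
      if (this.policy[name]) this.deferred.set(name, { value, attrs });
      return false;
    }
    this.headers.push(buildSetCookie(name, value, attrs));
    return true;
  }
  // User opts in: release the cookies deferred for that purpose.
  grant(purpose) {
    this.consented.add(purpose);
    for (const [name, { value, attrs }] of [...this.deferred]) {
      if (this.isAllowed(name)) {
        this.deferred.delete(name);
        this.set(name, value, attrs);
      }
    }
  }
  // User opts out: expire every non-exempt cookie that relied on that consent.
  withdraw(purpose) {
    this.consented.delete(purpose);
    for (const [name, entry] of Object.entries(this.policy)) {
      if (!entry.exempt && entry.purpose === purpose) {
        this.headers.push(buildSetCookie(name, '', { maxAge: 0 }));
      }
    }
  }
}
```

The same jar also answers the ICO's question about casual visitors: until a purpose is granted, only the exempt basket and security cookies are ever emitted, so a one-off user is not left with persistent analytics or advertising cookies.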


Reputation damage could cost more than PCI Compliance or Data Protection Act fines


A Ponemon Institute and Experian survey of almost 850 executives reveals that on average it can take up to a year for an organisation to restore its reputation.

Reputations have always been difficult to value as they change with market demands, styles and presentation. This research is interesting as it does place a value on reputation and on the possible impacts of damage.

There is advice on what to do, and whilst it is at a high level it is useful for those who only have a few seconds to think about the possible impact before they move on to their next meeting.

The survey reveals that the average loss in brand value ranges from $184 million to more than $330 million.

The minimum brand damage was 12%, rising to nearly a quarter of brand value in some instances.

“A solid reputation is a company’s greatest asset, and it is therefore imperative that business leaders take precautionary steps to protect themselves, their customers, their employees and their intellectual property against data breaches,” said Ozzie Fonseca, director at Experian Data Breach Resolution.

“The way business protocols worked five years ago, even two years ago, has drastically changed, and we must prepare ourselves for the new threats to data and privacy. Data breaches are happening to all businesses, small, medium and large, and no industry is immune.”

43% of the companies surveyed had not instituted a data breach incident response plan prior to having a breach.

“The loss or theft of sensitive customer data, as our study quantifies, can have a serious impact on the economic value of a company’s reputation,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.

“We believe this study makes a powerful point about the importance of taking steps to reduce the likelihood of a data breach.”

Experian offers the following advice:

Create an incident plan so your organization is prepared to readily respond to a breach should it happen. Outline exactly what steps you will take if or when a breach occurs. Build your company’s response team in advance, including members with expertise in legal, public relations, compliance and risk management. Communication to consumers and government officials should be done simultaneously, so make sure to dedicate adequate resources in your company plan. Conduct data breach simulations and hold regular security training sessions with employees to review the company’s policies about data protection.

Be proactive instead of reactive. Start with prevention and assume that at some point you will experience a breach and not one that you are likely to discover until the damage has been done.

Here is what can be done now to help secure and protect the information your company is responsible for:

  • Segment sensitive data and restrict access
  • Wipe physical media and shred paper documents
  • Demagnetize external media and overwrite hard-drive data

If you do not have the internal resources or know-how to cover the likely aspects of fallout from a potential breach, call in a third-party specialist to partner with your company through the breach resolution process. Having an expert on hand can help expedite the resolution, limit legal liabilities and increase customer satisfaction. Being prepared before a security breach occurs can mean a big difference to both your company’s bottom line and its reputation.

For more information on Experian and their survey, click here. Survey conducted in October 2011 by the Ponemon Institute.

Businesses should always think about IT security as an integral part of their business risk management processes, because the odds are that a “cyber” incident will happen, and such incidents are statistically more likely to happen than most other incidents.


Council breaches the Data Protection Act by losing a memory stick


Rochdale Metropolitan Borough Council has breached the Data Protection Act after losing an unencrypted memory stick containing the details of over 18,000 residents.

The memory stick, lost in May, included, in some cases, residents’ names and addresses, along with details of payments to and by the council.

The device did not include any bank account details. The information had been put on a memory stick to compile the council’s financial accounts.

The memory stick has not been recovered.

The ICO’s investigation found that the council’s data protection practices were insufficient. The Council specifically failed to make sure that memory sticks provided to its staff were encrypted.

The council also failed to provide employees with adequate data protection training. As well as requiring the council to put all of the changes in place by 31 March 2012, the ICO will follow up with the council to ensure that the agreed actions have been implemented.

Acting Head of Enforcement, Sally Anne Poole said:

“Storing the details of over 18,000 constituents on an unencrypted device is clearly unacceptable. This incident could have been easily avoided if adequate security measures had been in place. Luckily, the information stored on the device was not sensitive and much of it is publicly available. Therefore, the incident is unlikely to have caused substantial distress to local people.

“Our investigation uncovered a number of failings at Rochdale Metropolitan Borough Council – that’s why we will follow up with the council, to ensure they’re doing everything they can to prevent this type of incident happening again.”


Who fell foul of the Information Commissioner in October?

A week after “Calls for tougher penalties for breaches of the Data Protection Act” (read my post here), I thought it would be a good time to have a look at who the Information Commissioner’s Office (ICO) has taken action against during the month of October 2011.

To add some consistency I have also included actions taken since the 7th September, because of a previous posting, “Who has the Information Commissioner caught in the last 3 months?” (read it here).

28 October 2011
An undertaking to comply with the seventh data protection principle has been signed by Newcastle Youth Offending Team. This follows the theft of an unencrypted laptop containing sensitive personal data. Read my post on this incident here.

27 October 2011
An undertaking to comply with the seventh data protection principle has been signed by University Hospitals Coventry & Warwickshire NHS Trust. This follows two separate incidents involving the loss of personal data by the Trust.

19 October 2011
An undertaking to comply with the seventh data protection principle has been signed by Spectrum Housing Group. This follows a non-secure e-mail with an Excel attachment containing personal data relating to employees of the data controller being sent in error to an unintended recipient outside of the organisation. It was also discovered that data within ‘hidden’ pivot cells forming part of the spreadsheet could be revealed.

17 October 2011
An undertaking to comply with the seventh data protection principle has been signed by Dumfries and Galloway Council. This follows the accidental online disclosure of current and former employees’ personal data in response to a Freedom of Information (Scotland) Act request.

5 October 2011
An undertaking to comply with the seventh data protection principle has been signed by the General Secretary of the Association of School and College Leaders (ASCL). This follows theft of a laptop containing sensitive personal data from the home of an employee.

An undertaking to comply with the seventh data protection principle has been signed by Holly Park School. This follows the theft of an unencrypted laptop containing personal data relating to nine pupils.

See my blog on these two incidents, “Education, education, when will people learn, encrypt your data as two more education establishments lose data”, here.

4 October 2011
An undertaking has been signed by Dartford and Gravesham NHS Trust following the accidental destruction of 10,000 archived records. The records – which should have been kept in a dedicated storage area – were put in a disposal room due to lack of space. See my post, Hospital Destroys 10,000 Archived Records, here.

An undertaking has also been signed by Poole Hospital NHS Foundation Trust after two diaries – containing information relating to the care of 240 midwifery patients – were stolen from a nurse’s car. The diaries included patients’ names, addresses and details of previous visits and were used by the nurse during out of hours duty.

20 September 2011
An undertaking to comply with the third and seventh data protection principles has been signed by Eastleigh Borough Council. This follows the potential disclosure of a document containing sensitive personal data.

15 September 2011
An undertaking to comply with the seventh data protection principle has been signed by the Child Exploitation Online Protection Centre (CEOP) and its parent organisation the Serious Organised Crime Agency (SOCA). This follows the discovery that CEOP’s website reporting forms were being transmitted insecurely. See my post on this, “ICO takes action against the Child Exploitation and Online Protection Centre and the Serious Organised Crime Agency”, here.

An undertaking to comply with the seventh data protection principle has been signed by Royal Liverpool & Broadgreen University Hospitals NHS Trust. This follows two separate incidents involving the loss of personal data by the Trust.

14 September 2011
An undertaking to comply with the seventh data protection principle has been signed by Eastern and Coastal Kent Primary Care Trust. This follows the loss of a CD containing personal data during a move of office premises.

9 September 2011
An undertaking to comply with the seventh data protection principle has been signed by Walsall Council. This follows the accidental disposal of postal vote statements in a skip by the council’s data processor. The council did not have a written agreement with the data processor selected to store this personal data.

See other posts related to the Information Commissioner.


Information Commissioner calls for powers to conduct compulsory Data Protection Audits


Powers to conduct compulsory data protection audits in local government, the health service and the private sector are needed to ensure compliance with the law, the Information Commissioner said today at the 10th annual data protection compliance conference in London.

Christopher Graham’s call came as figures showed that the ICO is being blocked from auditing organisations in sectors that are causing concern over their handling of personal information.

The only compulsory data protection audit powers the ICO currently has are for central government departments. For all other organisations the ICO has to win consent before an audit can take place.

Data breaches in the NHS continue to be a major problem. Of the 47 undertakings the ICO has agreed with organisations that have breached the Data Protection Act since April, over 40% (19) were in the healthcare sector.

In addition, the most serious personal data breaches that have resulted in a civil monetary penalty occurred in the local government sector. Four of the six penalties served so far involved local authorities.

Businesses remain the sector generating the most data protection complaints. Despite this, as reported in July, just 19% of companies contacted by the ICO accepted the offer of undergoing an audit.

The ICO has written to 29 banks and building societies and so far only six (20%) have agreed to undergo an audit. The insurance sector has also shown reluctance in this area. Of the 19 companies contacted this year by the ICO, only two agreed to an audit.

Information Commissioner, Christopher Graham said:

“Something is clearly wrong when the regulator has to ask permission from the organisations causing us concern before we can audit their data protection practices. Helping the healthcare sector, local government and businesses to handle personal data better are top priorities, and yet we are powerless to get in there and find out what is really going on.”

“With more data being collected about all of us than ever before, greater audit powers are urgently needed to ensure that the people handling our data are doing a proper job. I am preparing the business case for the extension of the ICO’s Assessment Notice powers under the Coroners and Justice Act 2009 to these problematic sectors.”

The Information Commissioner also used his speech at the conference to give a six month update on the ICO’s complaints handling performance.

Complaints about marketing texts, some of which are known as spam texts, have trebled in volume since 2008/9, and now account for approximately 13% of all data protection complaints to the ICO. Over 1,000 complaints have been received since April.

The overall number of new Data Protection (DP) complaints is up by 2% compared to the same period last year.

The number of Freedom Of Information (FOI) complaints has also risen by around 5%. The ICO has increased its output to match the increase and has closed a record number of FOI cases during the first half of the year. Closures on DP cases are also up.


Information Commissioner’s Office issues third and fourth fines to Ealing and Hounslow Councils over loss of unencrypted laptops

Yesterday saw the second wave of fines from the Information Commissioner’s Office (ICO) over breaches to the Data Protection Act.

After the landmark first cases in November where monetary penalties were issued to Hertfordshire County Council for ‘two serious incidents’ regarding accidentally sent faxes, and to employment services company A4e for the loss of an unencrypted laptop, two more councils have also been fined for the loss of unencrypted laptops.

When talking to customers I often find they deal with legislation and compliance in silos, e.g. PCI DSS. The reality is that there are common security elements across almost all pieces of legislation and compliance.

A simple way of dealing with the above issue is to ask “how important is the data?” For example, under PCI DSS cardholder data is important, and under the Data Protection Act so is customer data, so why not apply the same levels of protection and controls to both?
