Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Personally identifiable information

ICO publishes it’s annual report

The Information Commissioner has released its annual report.

Christopher Graham points to the strengthening of his regulatory powers to show how the legislation continues to develop. In the past year, the ICO was given powers to compulsorily audit NHS bodies for their data handling, while forcing a potential employee to make a subject access request for, for example, their spent criminal record was also made an offence. A law change also made it easier to issue fines to companies behind nuisance calls and texts.

Information Commissioner Christopher Graham said:
“It’s thirty years since this office was established in Wilmslow. We’ve seen real developments in the laws we regulate during that time, particularly over the past year. Just look at the EU Court of Justice ruling on Google search results, a case that could never have been envisaged when the data protection law was established.

“Our role throughout has been to be the responsible regulator of these laws. More than that, we work to demystify some of this legislation, making clear that data protection isn’t to be seen as a hassle or a duck-out, but a fundamental right.

“A good example of that is our role in the new data protection package being developed in Brussels. We’ve been asked for our advice, based on our experience regulating the existing law, while we’ve also provided a sensible commentary on proceedings for interested observers.

“That role will continue this year, in what promises to be a crucial twelve months. The reform is overdue, but it is vital that we get the detail right on a piece of legislation that needs to work in practice and to last.”

“It is striking to see how decisions that were so hard fought in the early years have resulted in routine publication of information. Publication of safety standards of different models of cars, for example; or hygiene standards in pubs and restaurants; and surgical performance records of hospital consultants. Publication is now expected and unexceptionable.

“It’s been the ICO’s job to help public authorities to comply with requests,” Mr Graham will say. “The ICO’s role has led to information being released that time and time again has delivered real benefits for the UK.”

“Our Annual Report is our claim to be listened to in the debates around information rights. It shows the ICO knows what it is talking about.”

The ICO annual report reflects on the financial year 2014/15. Key stats include:

  • 14,268 – data protection concerns received
  • £1,078,500 – total CMPs issued, £386,000 of which were for companies behind nuisance calls or texts
  • 195,431 – helpline calls answered
  • 11.4% – rise in number of concerns raised about nuisance calls and texts (to 180,188)
  • 41 – audits conducted of data controllers (as well as 58 advisory visits to SMEs)
  • 1,177 – Information requests responded to
  • 4.9 million – number of visits to our website

The full report can be found here.

.

Most consumers do not trust anyone to protect their personal information

Fortinet surveys reveal growing cyber threat concerns as more consumers fear data breaches, while CISOs lack confidence in their ability to stop them.

Despite their concerns, third-party studies reveal consumer behaviours may present greater challenges for organizations that don’t have the right security protections in place.

Two industry surveys commissioned by Fortinet reveals

  • 71% of consumers across the U.S. are more nervous about their personal information being stolen through a data breach than they were just a year ago
  • 28% of IT security professionals are confident they have done enough to prevent a security incident

Despite this shift in consumer sentiment, the research revealed consumers are not taking necessary precautions to protect their personal information. When asked what measures they are implementing to better safeguard their information online:-

  • 76% of respondents said they had merely implemented stronger passwords – a step that is typically required when setting up an online account
  • 20% said they aren’t doing anything at all

It is no question the cyber threat environment remains dynamic and dangerous, and is gaining in severity. According to a recent report released by the Identity Theft Resource Center (IRK), companies in the U.S. experienced a record-breaking 783 data breaches in 2014.

Already in 2015 this trend has continued with the Anthem Health security breach – the largest in history, affecting more than 80 million of its customers, as well as Sony, TV Monde and others. Many of these attacks were initiated by sophisticated hackers looking for ways to circumvent perimeter defences through compromised devices, while others originated from within the network through unsuspecting employees or partners who, without malicious intent, let cyber criminals in.

The amount of entry points cyber criminals can use to infiltrate corporate networks and steal precious information is growing rapidly, as the number of devices connected to the network increase,” said Andrew Del Matte, chief financial officer at Fortinet. “If consumers aren’t taking precautions to protect their devices and proprietary data in their personal lives, it is unlikely they are doing so at work, increasing the possibility of a breach. It is more critical now than ever before for businesses to help safeguard the consumer and customer data for which they are responsible. They must take a multi-layered approach to security to protect against both malicious and non-malicious threats, from both inside and outside of the network

On a scale of 1 to 5 with 1 being “completely trust” and 5 being “don’t trust at all,” consumers were asked how much they trust various business providers and other institutions to protect their information. The survey found:

  • 31% of consumers completely trust their doctors
  • 18% completely trust their health insurance providers
  • 27% completely trust their personal banks
  • 14% completely trust their credit card companies
  • 19% completely trust their employers
  • 4% completely trust retailers

Are Organizations Doing Enough?

In a survey of 250 IT professionals with authority over the security decisions for their organizations,

  • 57% indicated they are most concerned about protecting customer data from cyber criminals.
  • 28% of those surveyed, are completely confident their organizations have done everything possible to prevent a security incident
  • 26% said they were only half-confident that they have taken the necessary measures to protect their organization from potential risk

Consumers are more concerned than ever about their personal information being compromised through a data breach, with good reason,” said Derek Manky, senior security strategist at Fortinet’s FortiGuard Labs. “The evolving threat landscape puts everyone at greater risk, particularly organizations that aren’t taking the time to rethink their approach to security. An old school approach won’t do. Businesses should seek out a best-of-breed security partner with scale, third-party validated solutions and access to the most up-to-date threat intelligence, to safeguard their networks from threats, no matter the type or where it is initiated, today and in the future

UK’s Information Commissioner believes 2013 will the year businesses handle data correctly…!

2013 is the year that commercial imperative of good data handling will be realised

Speaking at the launch of the ICO’s annual report today, Christopher Graham will highlight that consumers have a strong awareness of how their data should be handled, and how this affects their relationship with businesses.

An ICO study into public attitudes toward data protection found that 97% of those surveyed were concerned that organisations would pass or sell-on their personal details. The survey also found more than half (53%) considered details of the products they had bought to be personal information.

Yet in spite of these consumer concerns, only 10% of businesses were aware of the legal limitations of how they could use customer’s personal data.

Information Commissioner Christopher Graham said:

Education and empowerment have been two of the key areas we’ve focused on in the past twelve months. That work is having real benefits: consumers’ awareness of their rights remains strong, and that is empowering people to demand more in return for their data.

“The result is consumers expecting organisations to handle their personal data in a proper way, and in a legal way. Businesses that don’t meet that basic requirement are going to quickly find themselves losing customers.

I think 2013 is the year that organisations will realise the commercial imperative of properly handling customer data. The stats we’ve seen about public concern around personal data show that, as does a company the size of Microsoft choosing privacy as a theme of a national advertising campaign.

“The message to business is simple: consumers understand the value of their personal data, and they expect you to too.

Find the complete report here.

Top Tips from the ICO for when you are moving premises – do not forget to check the cabinets being one

After another NHS body * decides to ignore simple Data Protection guidelines the UK Information Commissioner has repeated his Top 5 Tips to help organisations improve their approach to Data Protection, especially those moving premises:

  1. Personal information is at particular risk when moving premises – make sure its security is a priority. All but one of our monetary penalties issued under the Data Protection Act in 2012/13 were for failing to keep information secure.
  2. Don’t assume anything. This breach happened because two departments each assumed that the other was conducting a final check that all records had been removed or transferred as required. Make sure it is clear who is responsible for what.
  3. Ensure records and equipment containing personal information are moved securely. Where personal information is being moved to other premises, make sure there is a secure means of moving the information and check that it has all been received safely.
  4. Dispose with care. If moving premises requires the disposal of files or computer hardware, make sure that this is done in a secure manner. Remember you are still responsible for what happens to personal data even after it has left through the back door.
  5. Learn from your mistakes. Stockport Primary Care Trust had suffered two similar incidents before this breach, but senior management hadn’t been informed. Put a policy in place to make sure that security incidents are reported and acted upon so that you learn from your mistakes.

* The NHS Commissioning Board was been fined £100,000 by the Information Commissioner’s Office (ICO) after the dissolved Stockport Primary Care Trust left around 1,000 documents including work diaries, letters, referral forms and patient records containing personal information. Some of the documents contained particularly sensitive data relating to 200 patients, including details of miscarriages, child protection issues and, in one case, a police report relating to the death of a child.

The size of the fine reflects the serious nature of the breach and the fact it was not the first time the organisation had “lost information”.

David Smith, Deputy Commissioner and Director of Data Protection, said about the Stockport fine:

It’s crucial that organisations don’t take their eye off the ball when moving premises. This NHS trust’s efforts to keep its patients’ confidential records secure were completely undermined by its failure to properly decommission the premises it was leaving.

The highly sensitive nature of the documents left behind makes this mistake inexcusable, and there can be no doubt that the penalty we’ve served is both necessary and appropriate.

In the last year we have served two six figure penalties on organisations that have left large volumes of personal information behind when leaving a site. These penalties highlight the need for organisations to have effective decommissioning procedures in place and to make absolutely sure that these procedures are followed in practice

Receptionist prosecuted for breaching the Data Protection Act

Another nosy parker faces the results of their snooping after she decided to spy on her ex-husband’s new wife.

The GP receptionist at a Southampton surgery was prosecuted by the UK’s Information Commissioner’s Office (ICO) for unlawfully obtaining sensitive medical records.

The ICO reported on the 12th March 2013 that Marcia Phillips was prosecuted under section 55 of the Data Protection Act and fined £750 and ordered to pay a £15 victim surcharge and £400 prosecution costs.

Ms Phillips was found to have accessed the information on 15 separate occasions over a 16-month period while working as a receptionist at the Bath Lodge Practice. The breach became apparent after Phillips left her job and sent a text message to her ex-husband’s partner referring to highly sensitive medical information taken from her medical record.

Deputy Commissioner and Director of Data Protection, David Smith, said:

This case clearly shows the distress that can be caused when an individual uses a position of responsibility to illegally access sensitive personal information. Ms Phillips knew she was breaking the law, but continued to do so in order to cause harm to her ex-husband’s new wife.

“The nature of her job meant that she will have been in no doubt as to the importance of patient confidentiality. Despite this she repeatedly accessed the victim’s file without a valid reason

Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of a fine of up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court. The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.

David Smith added:

We continue to urge the Government to press ahead with the introduction of tougher penalties to enforce the Data Protection Act. Without these unscrupulous individuals will continue to break the law. Action to replace the section 55 ‘fine only’ regime with an effective deterrent is long overdue. This change is not directed at the media and should not be held while Lord Justice Leveson‘s recommendations on data protection and the media are considered

.

Lack of guidance on BYOD raises data protection concerns

The UK Information Commissioner’s Office (ICO) has commissioned a survey into business attitudes towards Bring Your Own Device (BYOD).

The survey results shown many employers appear to have a ‘laissez faire’ attitude to allowing staff to use their personal laptop, tablets or smartphone for at work and for work business, which may be placing people’s personal information at risk.

The survey, carried out by YouGov, reveals that 47% of all UK adults now use their personal smartphone, laptop or tablet computer for work purposes. But less than 3 in 10 who do so are provided with guidance on how their devices should be used in this capacity, raising worrying concerns that people may not understand how to look after the personal information accessed and stored on these devices.

Simon Rice, Group Manager (Technology), said:

The rise of smartphones and tablet devices means that many of the common daily tasks we would have previously carried out on the office computer can now be worked on remotely. While these changes offer significant benefits to organisations, employers must have adequate controls in place to make sure this information is kept secure.

“The cost of introducing these controls can range from being relatively modest to quite significant, depending on the type of processing being considered, and might even be greater than the initial savings expected. Certainly the sum will pale into insignificance when you consider the reputational damage caused by a serious data breach. This is why organisations must act now.

“Our guidance aims to help organisations develop their own policies by highlighting the issues they must consider. For example, does the organisation know where personal data is being stored at any one time? Do they have measures in place to keep the information accurate and up-to-date? Is there a failsafe system so that the device can be wiped remotely if lost or stolen?

Today’s guidance from the ICO explains how organisations need to be clear on the types of personal data that can be processed on personal devices and have remote locate and wipe facilities in place so the confidentiality of the data can be maintained in the event of a loss or theft.

Key recommendations from the ICO’s guidance:

  • Be clear with staff about which types of personal data may be processed on personal devices and which may not
  • Use a strong password to secure your devices
  • Enable encryption to store data on the device securely
  • Ensure that access to the device is locked or data automaticaly deleted if an incorrect password is input too many times
  • Use public cloud-based sharing and public backup services, which you have not fully assessed, with extreme caution, if at all
  • Register devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of a loss or theft

The survey results below shows that email is the most common work activity carried out on a personal device (55%) which consider what information can be in the body of an email or attached leaves an organisations open to many commercial, legislative and regulatory risks for example PCI DSS compliance.

All UK Adults online who use a smartphone, laptop or a tablet PC for work purposes access usage
Work email

55%

Accessing work files

35%

Storage   of work documents and work files

36%

Social networking (e.g. LinkedIn, Twitter, Facebook) for work

26%

Editing work documents

37%

Uploading   work information to a website

19%

Work video chat (e.g. skype etc.)

7%

Work related applications (Apps)

16%

Work related online banking

14%

Work related shopping

12%

Work related web browsing

35%

Other

22%

None of these

.

Nursing and Midwifery Council fined for breaching the Data Protection Act

The Information Commissioner’s Office has issued a £150,000 fine to the Nursing and Midwifery Council was for breaching the Data Protection Act. 

The Nursing and Midwifery Council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. 

In October 2011 the DVDs, containing confidential information, was sent to a misconduct hearing via a courier and when the package arrived at the hearing the DVDs were missing and have never found 

After an investigation by the ICO it was found the information was not encrypted. 

David Smith, Deputy Commissioner and Director of Data Protection, said:

It would be nice to think that data breaches of this type are rare, but we’re seeing incidents of personal data being mishandled again and again. While many organisations are aware of the need to keep sensitive paper records secure, they forget that personal data comes in many forms, including audio and video images, all of which must be adequately protected. 

I would urge organisations to take the time today to check their policy on how personal information is handled. Is the policy robust? Does it cover audio and video files containing personal information? And is it being followed in every case? 

If the answer to any of those questions is no, then the organisation risks a data breach that damages public trust and a possible weighty monetary penalty.

The council had been couriering evidence relating to a ‘fitness to practise’ case to the hearing venue. When the packages were received the discs were not present, though the packages showed no signs of tampering. Following the security breach the council carried out extensive searches to find the DVDs, but they’ve never been recovered. 

The Nursing and Midwifery Council’s underlying failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk. No policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered. Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty.

.

2013 looks like being a bigger year than 2012 as the ICO starts catching up with the backlog of breaches

2013 has started as 2012 finished off with UK Information Commissioner (ICO) coming down hard on those who breach the Data Protection Act.

So far this January 3 organisations have fallen foul of the ICO:

  1. Sony Computer Entertainment Europe Limited
  2. Mansfield District Council
  3. Prospect Trade Union

Sony Computer Entertainment Europe Limited

Sony Computer Entertainment Europe Limited fined £250,000 after the April 2011 hacking of the Sony PlayStation Network Platform (PSN). That breach resulted in millions of Sony customers having their data stolen including:

  • Names
  • Addresses
  • Email addresses
  • Dates of birth
  • Account passwords
  • Customers’ payment card details were also at risk.

David Smith, Deputy Commissioner and Director of Data Protection, said:

“If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough.

“There’s no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.

“The penalty we’ve issued today is clearly substantial, but we make no apologies for that. The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft.

“If there’s any bright side to this it’s that a PR Week poll shortly after the breach found the case had left 77 per cent of consumers more cautious about giving their personal details to other websites. Companies certainly need to get their act together but we all need to be careful about who we disclose our personal information to.”

Mansfield District Council. The council had several incidents of housing benefit claimants personal data being disclosed to the wrong landlord. The ICO has issued a formal undertaking to Mansfield District Council.

Prospect Trade Union. Prospect unfortunately sent two files containing personal details of approximately 19,000 members of the union to an unknown third party email address in error. The ICO has issued a formal undertaking to Prospect.

Both Prospect and Mansfield District Council have agreed “Formal Undertaking”. An undertaking is a detailed and document agreement between the ICO and the organisation that breached the Data Protection Act, specifically how those that have breached the Act will improve their Data Protection regime.

The Sony hack was widely reporting and was a result of an external attack whilst the other two, Prospect and Mansfield District Council were both the result of avoidable human error.

Want to know who was caught in 2012? Read my post 2012 was a big year for the Data Protection Act with record fines and breaches, see the full 2012 list here.

Information Commissioner publishes guidance on cloud computing

The UK’s Information Commissioner’s Office (ICO) has published guidelines to on how business treat personal information in the cloud whether that is a private or public cloud.

The data protection regulator ICO is concerned that many businesses do not realise they remain responsible for how the data is handled whilst it is in the cloud.

This has resulted in the ICO publishing a guide to cloud computing, to help businesses comply with the law.

The guide gives tips including:

  • Seek assurances on how your data will be kept safe. How secure is the cloud network, and what systems are in place to stop someone hacking in or disrupting your access to the data?
  • Think about the physical security of the cloud provider. Your data will be stored on a server in a data centre, which needs to have sufficient security in place.
  • Have a written contract in place with the cloud provider. This is a legal requirement, and means the cloud provider will not be able to change the terms of the service without your agreement.
  • Put a policy in place to make clear the expectations you have of the cloud provider. This is key where services are funded through adverts targeted at your customers: if they’re using personal data and you haven’t asked your customers’ permission, you’re breaking data protection law.
  • Don’t forget that transferring data internationally brings a number of obligations – that includes using cloud storage based abroad.

Speaking as the guide was launched, author Dr Simon Rice, ICO technology policy advisor, said:

“The law on outsourcing data is very clear. As a business, you are responsible for keeping your data safe. You can outsource some of the processing of that data, as happens with cloud computing, but how that data is used and protected remains your responsibility.

“It would be naïve for an organisation to take the attitude that these guidelines are too much effort to simply store some data in a different place. Where personal information is involved, the stakes are high and the ICO has already demonstrated it will act firmly against those who don’t meet data protection laws”

.

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: