Earlier this year, there was news that Brighton and Sussex University Hospitals NHS Trust was facing the largest penalty the UK’s Information Commissioner’s Office (ICO) has ever handed out, when the NHS Trust experienced a data breach because its hard drives were sold on eBay. Generally, the use of drive encryption software like AlertBoot can prevent such data breaches.
However, the situation was complicated by the fact that the hard drives were stolen and the sale was unauthorized — essentially the result of an insider attack, if you will: a worker at the Trust’s IT service provider had misappropriated and sold these disks (and with their data unwiped, it appears).
Intentions Declared in January 2012
At the time of the breach’s announcement, the ICO had declared its intention of fining the Trust £375,000. I noted my puzzlement over the fine.
The penalty sets a precedent (the ICO has the power to penalize breaches of the Data Protection Act by up to £500,000, so the closer one gets to this figure, the more one’s supposed to pay attention), and yet the crime doesn’t quite fit the bill: an attack from “the inside” is one of the hardest to prevent, yet smaller, more idiotic, and infinitely more preventable breaches were fined much, much less. It appeared as if the ICO was coming down strong on victims of theft, whereas careless behavior was being dealt with (relatively) leniently.
Today, the ICO has officially fined the Trust £325,000, an amount that is £50,000 less. I’m sure discussions must have taken place in the past five months, but the ICO doesn’t appear to have budged much.
For its part, Brighton and Sussex University Hospitals NHS Trust has stated that it will appeal the fine, noting that it cannot afford to pay such a large fine, and observing that when the Trust voluntarily reported the breach to the ICO, it was told “that this was not a case worthy of a fine.”
Maybe the Amount Makes Sense?
Maybe there’s a reason to the madness that is £325,000. First, there is the fact that over 250 hard drives were stolen. Second, the sheer sensitivity of the data is also cause for concern, and, thus, a hefty fine.
There is also this (techweekeurope.co.uk):
“They [the individual] are not believed to have known the key code needed to access the room where the drives were stored, and were usually supervised by staff working for HIS. However, the Trust has acknowledged that the individual would have left the building for breaks, and that the hospital is publicly accessible,” the ICO said in a statement.
Something broke somewhere along the line, despite good security being in place (or, at least, it appears to be good security). Perhaps the password to the room was written on a post-it note, or perhaps it was shared with the hard-drive finagler. Perhaps the door was propped open. Who knows?
The message appears to be: don’t rest on your laurels, especially if you’ve got thousands of hard drives to take care of.
(I can’t help thinking that had the Trust used hard drive encryption software from the outset, this would have never happened. Once you mark a drive for decommissioning, just pop it out of a computer without decrypting the memory device and stick it in the closet until someone destroys it. If a rogue contractor decides to play dirty, you’re still protected.)