UK Data Protection: ICO Penalizes Telford and Wrekin Council £90,000 For Two Breaches In As Many Months.
The Information Commissioner’s Office (ICO) in the UK has announced it has penalized another UK body for lacking adequate controls when it comes to data security. The fine this time is a hefty £90,000 for two data breaches in two months. It’s one of those cases that show that data encryption software like AlertBoot can only go so far in protecting organizations from themselves.
That’s right, “from themselves.” You see, the problem in this case was that the council’s internal processes were defective.
Default Settings Cause Breaches
The ICO’s site has descriptions of the two data breaches:
The first occurred on 31 March 2011, when a member of staff working in Safeguarding Services sent the Social Care Core Assessment of one child to the child’s sibling instead of their mother, who lived at the same address. The assessment included sensitive details of the child’s behaviour. It also included the name and address, date of birth and ethnicity of a further young child who had made a serious allegation against one of the other children.
The second breach concerned the inclusion of the names and addresses of the foster care placements of two young children in their Placement Information Record (PIR). The PIR was printed out and shown to the children’s mother, who noticed the foster carers’ address. The Council then decided to move the children to alternative foster care placements to minimise the effect on the data subjects concerned. [ico.gov.uk]
An investigation into the matter found that, in the first case, the details of other individuals were set to be printed automatically. The same was true in the second case.
Who would have thought that the default settings capable of causing a data breach extend beyond hardware? Firewalls, routers, and software need a default setting because coordinating passwords for each individual piece of equipment would be nigh impossible (hundreds of thousands of such devices are sold each year), or, at the very least, any attempt to individualize the default settings would too frequently run into problems. But a program that asks you whether it should print information or not? If you work in a sensitive environment, the default should be set to “no” for everything: “opt-in printing,” if you will.
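To make the “opt-in printing” idea concrete, here is an added Python sketch (not the council’s software and not drawn from the ICO notice): a record assembler whose default withholds any section about a data subject other than the recipient’s own case, and returns what it withheld so the caller can log it. The class names, the `subject` labels and the sample record are all constructed for the illustration.

```python
# Added illustration, not the council's system: a print/assembly routine whose
# default is to omit sections about any data subject other than the recipient's
# own case. Third-party sections print only when an operator opts them in.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Section:
    title: str
    subject: str   # constructed label for whose personal data this section holds
    body: str


@dataclass(frozen=True)
class PrintPolicy:
    # Secure default: third-party data is opt-in, so a forgotten setting
    # withholds data rather than disclosing it.
    include_third_party: bool = False
    allowed_subjects: frozenset = field(default_factory=frozenset)


def legacy_assemble(sections, recipient_subject):
    """The failure mode: every section prints automatically."""
    return list(sections), []


def assemble(sections, recipient_subject, policy=PrintPolicy()):
    """Split sections into (printed, withheld) for this recipient.

    The withheld list exists so the caller can record what was suppressed;
    a silent drop would hide the same class of error in the other direction.
    """
    printed, withheld = [], []
    for s in sections:
        is_own = s.subject == recipient_subject
        opted_in = policy.include_third_party and s.subject in policy.allowed_subjects
        (printed if is_own or opted_in else withheld).append(s)
    return printed, withheld


# Constructed sample record shaped like the incidents above: the recipient's own
# assessment, an allegation by another child, and a foster carer's address.
SAMPLE_RECORD = (
    Section("Behaviour summary", "child_A", "assessment text"),
    Section("Allegation by another child", "child_B", "name, address, DOB, ethnicity"),
    Section("Placement details", "carer_X", "foster carer name and address"),
)

if __name__ == "__main__":
    printed, withheld = assemble(SAMPLE_RECORD, "child_A")
    print("printed:", [s.title for s in printed])
    print("withheld:", [s.title for s in withheld])
```

With the default policy only the recipient’s own section prints; the two third-party sections come back in the withheld list, which is exactly the outcome the ICO would have wanted in both incidents.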
A Progression of Sorts
As I review the history of monetary penalties the ICO has handed out, it appears that a shift is under way: more and more of these fines are for incidents that involve something other than a laptop or other digital storage device going missing or being stolen.
Granted, there is the Brighton and Sussex University data breach that incurred the largest penalty to date (£325,000) and involves stolen hard drives; however, all other penalties in 2012, as seen in this DPA breach penalty timeline, involve paperwork or errant emails.
In the cases where laptops were stolen or went missing, encryption software had been used to secure the data, rendering the data breach a moot issue.
It kind of makes sense: about two years ago, the ICO started going after laptop, external hard drive, and USB data breaches, and everyone took notice. Those who couldn’t have cared less began encrypting their data storage devices. Consequently, I assume, the incidence rate of “data at rest” breaches started plummeting, while other kinds of incident started to rise. So the ICO goes after those.
It’s the classic Pareto principle at work: go after the top 80% of a problem; solve it. Go after the next top 80%; solve it. Repeat as needed.
Next Stop: BYOD and Mobile Security?
As the world starts embracing the BYOD trend and the “consumerization of IT,” no doubt the next looming target in the ICO’s crosshairs will be companies and organizations that begin to experience a rash of mobile device data breaches.
You might say, “well, that shouldn’t be. The technological solutions for preventing those breaches from happening are already here, today.” And you’re right. Even AlertBoot is getting into the mix with a mobile security solution.
But this is my observation: the technological solutions for preventing today’s data breaches involving laptops, external hard drives and the like existed, in terms of robustness and ease of use, well over 10 years ago (disk encryption technology itself has obviously been around for well over two decades).
It’s only in the past 2 or 3 years, though, that those who’ve always needed it have suddenly started exploring their options.