The Information Commissioner’s Office (ICO) in the UK has issued a £150,000 monetary penalty to the Nursing and Midwifery Council (NMC) for a data breach involving one nurse and two children. In an age of smartphones and tablets, how the data was breached is almost anachronistic (three DVD discs were lost). The use of data security software like AlertBoot’s Mobile Security and full disk encryption can help in such instances, but only if people decide to use it.
DVDs Delivered by Courier
According to techworld.com:
The three DVDs of highly sensitive witness videos of children were supposed to be delivered [for a misconduct hearing], but when it arrived the package was found to be empty.
Despite there being no obvious sign of tampering, the DVDs were never found.
It wasn’t only the DVDs that couldn’t be found. Because of the data breach, the ICO followed up on the NMC’s security practices and found that there was nothing in place: not only were the DVDs in question not protected with encryption software, the council didn’t have any policies for securing sensitive data, whether at rest or in transit.
This is a big no-no, since the primary reason a data breach takes place is that nobody was preparing for it. In this day and age, a data breach is a matter of “when” and not “if”. Thus, if you’re dealing with information on a daily basis, you’ve got to assume that you’ll be involved in a data breach at some point, especially if you are dealing with sensitive information. It’s only logical, then, to have policies in place that minimize the risk of such an event, policies that cover not only conduct, but the right tools.
For example, a policy that states “don’t take sensitive data out of the office” doesn’t work because (a) people ignore such policies and (b) someone will run across a situation where that rule has to be broken (one may have to send DVDs full of information to a misconduct hearing, for example). So, a technological solution or tool must also be in place, such as easy-to-use encryption software. At the same time, policy must insist that these tools be used, no ifs or buts.
(In NMC’s defense, they claim that they did have such policies. According to information-age.com, their policies require the use of encryption. The latest fiasco was an oversight, which happens more often than you’d think.)
One of the Largest Penalties to Date
The ICO’s fine represents one of the largest penalties I’ve run across to date. Only the £250,000 penalty levied on Sony, in January 2013, for its notorious 2011 hack, is larger, if I’m not wrong. The irony is that £250,000 looks like a pittance on a “per individual” basis, since that hack affected over 100 million people across the world (cents on the dollar; granted, the ICO only has jurisdiction over the UK, so the “per individual” figure can only rise if we limit the people count to the UK), whereas the NMC’s fine works out to a whopping £50,000 per person. In some ways, it feels like the ICO is coming down on the “little guy” while a global Goliath is getting away with it.
That is, until you realize that the NMC has over 660,000 registered nurses, and there’s nothing “little” about it. Once your data count starts involving more than three zeroes, it behooves you to step up to the data security challenge.