ICO (Information Commissioner's Office) Gets Some Teeth!

By

Oct 29th


The UK Information Commissioner's Office is starting to ramp up its efforts to ensure organisations are taking the Data Protection Act seriously. In 2012 alone the ICO has issued penalties to over eighteen organisations or individuals, with an average fine of over £125,000 and total fines of over £2,200,000.

A significant majority of the penalties went to government organisations, but a number of individuals were also fined. Most breaches involved data in transit, for example emailed data, faxed data or data left on portable devices such as laptops or memory sticks.

However, data not being correctly destroyed was an issue in a few cases, including hard drives ending up on internet auction sites with sensitive data still recoverable from them, and physical copies of records left in supermarket recycling bins.

Data Loss Prevention technology and encryption at rest and in transit would have prevented the significant majority of these breaches.

As services move into the cloud, protecting customer data is going to become more critical. Data will likely be stored on shared hard disks, so the question of who else can access your disk volumes, or more importantly who else can access those volumes once they have been reassigned to another company, will become a critical issue. At least one council found that deleted data does not necessarily remain deleted; if you are using shared cloud storage and your data gets moved to a new volume, the question becomes who can access the old volume and disks, and possibly recover the deleted data.

Where in the world your data ends up also becomes an issue. For example, if you are using a global cloud provider, your virtual servers might start off in a European data centre, but as backups and failures occur you could be seamlessly moved to a US data centre. Your data then resides in the US and falls under the US Patriot Act, which allows the US government access to the sensitive information.

If you are talking to vendors about solutions you need to ensure they can provide you with the following:

• Encryption of data at rest on servers

• Protection for data moved to different jurisdictions when utilising cloud services

• Encryption of data on laptops, mobile devices and tablets

• Encryption of data on portable storage devices, such as USB sticks, DVDs and CDs

• Email Encryption

• Data Loss Prevention

Below is a list of published fines issued by the Information Commissioner's Office in 2012 for breaches of the Data Protection Act.

• Stoke-on-Trent City Council : Fined £120,000 : sensitive information about a child protection legal case was emailed to the wrong person in a non-encrypted format.

• Greater Manchester Police : Fined £150,000 (discounted by 20% for quick payment) : for failing to take appropriate measures against the loss of personal data.

• Social Care Charity : Fined £70,000 : after highly sensitive information about the care of four young children was lost after being left outside a London home.

• Two Individuals : Fined over £250,000 : for breaching the Privacy and Electronic Communications Regulations (PECR), which regulate electronic marketing.

• Scottish Borders Council : Fined £250,000 : former employees’ pension records were found in an over-filled paper recycle bank in a supermarket car park.

• Torbay Care Trust : Fined £175,000 : after the sensitive details of over 1,000 employees were accidentally published on the Trust's website.

• St George’s Healthcare NHS Trust : Fined £60,000 : vulnerable individual’s sensitive medical details were sent to the wrong address.

• Belfast Health and Social Care : Fined £225,000 : breach involved the sensitive personal data of thousands of patients and staff, and included medical records, X-rays, scans and lab results, and staff records including unopened payslips.

• Telford and Wrekin Council : Fined £90,000 : involving the disclosure of confidential and sensitive personal data relating to four vulnerable children.

• Brighton and Sussex University Hospitals NHS Trust : Fined £325,000 : highly sensitive personal data belonging to tens of thousands of patients and staff, including some relating to HIV and Genito Urinary Medicine (GUM) patients, was on hard drives sold on an Internet auction site.

• Central London Community Healthcare : Fined £90,000 : after patient lists from the Pembridge Palliative Care Unit, intended for St John’s Hospice, were faxed to the wrong recipient.

• London Borough of Barnet : Fined £70,000 : for losing paper records containing highly sensitive and confidential information, including the names, addresses, dates of birth and details of the sexual activities of 15 vulnerable children or young people.

• Lancashire Constabulary : Fined £70,000 : papers containing sensitive information about a 15 year old girl were found on a street in Blackpool.

• Cheshire East Council : Fined £80,000 : failing to take appropriate measures to ensure the security and appropriateness of disclosure when emailing personal information.

• Croydon Council : Fined £100,000 : a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub.

• Norfolk County Council : Fined £80,000 : disclosing information about allegations against a parent and the welfare of their child to the wrong recipient.

• Midlothian Council : Fined £140,000 : disclosing sensitive personal data relating to children and their carers to the wrong recipients on five separate occasions.

© 2006-2019 Security magazine.