Case Studies

Fine for data breach

by Mark Rowe

Sensitive personal information should be encrypted both when stored and when sent electronically, the data protection watchdog says. The Information Commissioner’s Office (ICO) is fining Stoke-on-Trent City Council £120,000 after what the ICO called a serious breach of the Data Protection Act. It led to sensitive information about a child protection legal case being emailed to the wrong person. Stephen Eckersley, Head of Enforcement at the ICO, said: “If this data had been encrypted then the information would have stayed secure. Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure. It is particularly worrying that a breach in 2010 highlighted similar concerns around encryption at the authority, but the issue was not properly resolved.

“The council has now introduced new measures to improve the security of information sent electronically, as well as signing a legal notice to improve the data protection training provided to their staff. This should limit the chances of further personal information being lost.”

The breach happened in December 2011 when 11 emails were sent by a solicitor at the authority to the wrong address. The emails included highly sensitive information relating to the care of a child and further information about the health of two adults and two other children. The emails should have been sent to Counsel instructed on a child protection case.

While the authority was able to establish that the email address used was valid, the recipient failed to respond when asked to delete the emails.

The ICO found the solicitor was in breach of the council’s own guidance, which required that sensitive data be sent over a secure network or encrypted. However, the council had failed to provide the legal department with encryption software and knew that the team had to send emails across insecure networks. The council also provided no relevant training.

When reaching a decision, the ICO also took account of the undertaking previously signed by the authority in early 2010. Then, sensitive data relating to a childcare case was lost after being stored on an unencrypted memory stick. At the time the council agreed to introduce improvements to keep people’s data secure, including the introduction of encryption for portable devices used to store personal data.

Comment

Christian Toon, Head of Information Risk for Iron Mountain, Europe, said of the case: “The move by the ICO to fine Stoke Council £120,000 for sending child protection case information to the wrong person is commendable but, sadly, this latest news is not an isolated incident. The long string of council data breaches only demonstrates how much public sector organisations are finding challenges in meeting compliance requirements. When it comes to the protection of sensitive information, public authorities have a fundamental responsibility to ensure that the data they hold is stored and kept in a secure manner, with no scope to get this wrong.

“Managing sensitive information securely is not just about relying on stretched IT investment, it is about instilling a culture and empowering your people. Organisations should commit to regular staff training on encryption and remote working and the creation of robust guidelines that everyone understands. Establishing a culture of responsibility can only be successful if it is taken on by everyone – anything less will simply not be sufficient.”

Paul Hennin of Proofpoint argues that organisations should protect email data on a tiered, role-by-role basis and back that policy with automated controls.

Paul Hennin, Director, EMEA Marketing at the firm, says: “There are significant risks both for reputation and in cash terms when organisations get email data protection wrong. Organisations need to be able to offer a tiered approach to protecting data on a role by role basis. There are some roles where enabling automated encryption for messages should be considered as the default, but others where more benefit would be gained by raising awareness through automatically prompting the employee to consider encrypting the message based on the content, for example if a file of a particular type is attached or certain strings of text are included.”
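The tiered policy Hennin describes can be expressed as a small outbound-mail gate. The example below is added here for illustration and is not Proofpoint's product, nor code from the article or the council: the role names, the internal domain, the sensitive phrases, the attachment types and the reference-number pattern are all assumed policy values, and the sample messages are constructed. Mail that stays inside the internal domain is allowed through as "secure network" traffic; mail leaving it is encrypted automatically for roles that always handle sensitive material, and for everyone else the sender is prompted only when the content looks sensitive.

```python
import re
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ALLOW = "allow"      # send as-is
    PROMPT = "prompt"    # ask the sender to confirm or encrypt before sending
    ENCRYPT = "encrypt"  # encrypt automatically, no sender decision involved


@dataclass
class Message:
    sender_role: str
    recipients: list[str]
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)


# All policy values below are assumptions for illustration, not real council settings.
INTERNAL_DOMAINS = {"council.example"}            # mail staying here rides the internal network
ALWAYS_ENCRYPT_ROLES = {"legal", "childrens-services"}
SENSITIVE_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx"}
SENSITIVE_PHRASES = ("child protection", "care proceedings", "medical history")
# Constructed pattern standing in for a case or patient reference number (10 digits, optional separators).
REFERENCE_NUMBER = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b")


def external_recipients(msg: Message) -> list[str]:
    """Return the recipients whose domain is not one of the internal domains."""
    ext = []
    for addr in msg.recipients:
        domain = addr.rpartition("@")[2].lower()
        if domain not in INTERNAL_DOMAINS:
            ext.append(addr)
    return ext


def content_triggers(msg: Message) -> list[str]:
    """Return human-readable reasons why the message looks sensitive, or [] if none."""
    reasons = []
    text = f"{msg.subject}\n{msg.body}".lower()
    for phrase in SENSITIVE_PHRASES:
        if phrase in text:
            reasons.append(f"subject/body mentions '{phrase}'")
    if REFERENCE_NUMBER.search(text):
        reasons.append("subject/body contains a reference-number-like string")
    for name in msg.attachments:
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in SENSITIVE_EXTENSIONS:
            reasons.append(f"attachment '{name}' has a sensitive file type")
    return reasons


def decide(msg: Message) -> tuple[Action, list[str]]:
    """Apply the tiered policy: internal -> allow; sensitive role -> encrypt; triggers -> prompt."""
    if not external_recipients(msg):
        return Action.ALLOW, ["all recipients are on the internal network"]
    reasons = content_triggers(msg)
    if msg.sender_role in ALWAYS_ENCRYPT_ROLES:
        return Action.ENCRYPT, [f"sender role '{msg.sender_role}' encrypts external mail by default"] + reasons
    if reasons:
        return Action.PROMPT, reasons
    return Action.ALLOW, ["no sensitive content detected"]


if __name__ == "__main__":
    # Constructed sample messages, not real correspondence.
    samples = [
        Message("legal", ["counsel@chambers.example"], "Care proceedings bundle", "Bundle attached.", ["bundle.pdf"]),
        Message("planning", ["clerk@council.example"], "Notes", "Child protection meeting notes.", []),
        Message("planning", ["partner@agency.example"], "Re: meeting", "Notes on the child protection case.", []),
        Message("planning", ["partner@agency.example"], "Lunch", "Pub at 12?", []),
    ]
    for m in samples:
        action, why = decide(m)
        print(f"{m.sender_role:>10} -> {', '.join(m.recipients):28} {action.value:8} {'; '.join(why)}")
```

The PROMPT tier is deliberately advisory: it surfaces the reasons to the sender rather than silently blocking, which is the awareness-raising Hennin describes, while the ENCRYPT tier removes the decision from roles such as legal teams, whose failure to encrypt was the basis of the fine above.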

Separately, an information security awareness consultancy has published an advisory highlighting the cost of data breaches, in both fines and reputation. With the Information Commissioner’s Office (ICO) now empowered to issue fines of up to half a million pounds, one NHS Trust has already been penalised £325,000.

The Security Company advisory examines the SASIG’s agenda and the topics that need to be tackled to secure budget for addressing human error, negligence and a lack of integrity around data protection.

“The ICO has identified the human factor as being the biggest data breach risk,” says Ruth Pooley of The Security Company. “The C-Suite cannot afford to ignore the threats to the business but it is often difficult to get their attention.”

For further information – visit http://www.thesecurityco.com/news/expert-comment/building-a-case-for-investing-in-security-and-fraud-prevention/

© 2024 Professional Security Magazine. All rights reserved.