Archive

Posts Tagged ‘ICO’

Surrey County Council, ACS:Law, an NHS laptop and a question: does anyone really care about our privacy?

June 16, 2011 1 comment

Interesting times indeed. At least for the Information Commissioner’s Office (ICO). Let’s have a look at three incidents: ACS:Law (adjudicated last month); Surrey County Council (adjudicated this month); and the loss of an NHS laptop holding around 8.6 million health records, personal and perhaps even intimate details of patients (reported yesterday).


Ed Rowley, Senior Product Manager at M86 Security

The Information Commissioner’s Office has fined Surrey County Council £120,000 for three successive breaches of the Data Protection Act, each one sensitive personal data emailed to the wrong recipient. Ed Rowley, Senior Product Manager at M86 Security, quite reasonably commented at the time: “There really is no reason for privacy to be breached in this way and the fact that this same mistake occurred on three separate occasions shows that either staff have not been educated on email security, or that the duty of care to personal information has not been taken to heart by the Council’s management.” Or, I would add, that the ICO as enforcer of the Data Protection Act isn’t working.

It was a serious breach, and the ICO clearly agreed.

The Commissioner considers that the contravention of section 4(4) of the Act is serious and that the imposition of a monetary penalty is appropriate. Further that a monetary penalty in the sum of £120,000 (One hundred and twenty thousand pounds) is reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty.

(Subject to a nice little 20% early payment discount.) You can read the ICO’s penalty notice here.

But compare this penalty to last month’s adjudication against Andrew Crossley, ‘data controller’ at ACS:Law, which had earlier failed “to keep sensitive personal information relating to around 6,000 people secure.”

This case proves that a company’s failure to keep information secure can have disastrous consequences. Sensitive personal details relating to thousands of people were made available for download to a worldwide audience and will have caused them embarrassment and considerable distress. The security measures ACS Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details.

The fine? Not the £120,000 levied on Surrey County Council, but a mere £1,000, which is presumably equally reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty. The ICO explains:

As Mr Crossley was a sole trader it falls on the individual to pay the fine. Were it not for the fact that ACS Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach.
ICO fines former ACS Law boss for lax IT security; Fine could have been £200,000 if firm was still trading

Needless to say, this judgement and this reason caused a slight commotion, with the Daily Telegraph quoting Simon Davies of Privacy International thus:

“This is yet another monumental error of judgement by the ICO [Information Commissioner’s Office]. What the ICO has failed to understand is that [this ruling means] the basis of corporate immunity is closure of a company,” Davies said. – “The ICO seems entirely unaware of the loophole it has just promoted. This signals to directors of all companies that they can act unlawfully under the Data Protection Act, and all they have to do is make the company dormant and escape any serious punishment.”

So, for the ACS:Law case we have two questions. Was the ICO right to fine Crossley a mere £1000? And is Simon Davies correct in saying a legal loophole is being promoted? I asked Dr. Brian Bandey, one of the United Kingdom’s leading experts on Computer and Internet Law and principal of the Patronus law practice, for his opinion. He has some sympathy for the ICO’s approach:


Dr Brian Bandey, principal of the Patronus law service

In the ACS:Law case, Mr. Crossley was ACS:Law and the ICO took the view that fining him more significantly would inevitably decrease the benefits his creditors would receive from the disposition of his assets under his bankruptcy. From a legal perspective, I find that a reasonable approach.

(Personally, I’m not so sure this is right. Would HMRC be so ‘reasonable’? I doubt it. Why not defer judgement until after the bankruptcy proceedings and then fine him the full amount? That wouldn’t affect other creditors.)

Dr Bandey also disagrees with the view put forward by Simon Davies. “It is wrong in law. ACS:Law was not, as far as I can tell, a ‘Corporation’.” Since ACS:Law was the trading name of Andrew Crossley, the ICO’s actions cannot be taken as promoting a legal loophole for company directors. Furthermore, the legislature seems to have been aware of this possibility when drafting the Data Protection Act itself. Dr Bandey again:

The Data Protection Act permits corporate persons to be and to register as “Data Controllers”. So Parliament anticipated that the usual advantages of Shareholders vs. the Wrongdoing of the Company should apply. That is a matter of policy.

But Parliament also created criminal offences under the Data Protection Act and s. 61 ensures that individual members, officers or directors can be criminally prosecuted. The Act says:

    “If a company or other corporation commits a criminal offence under the Act, any director, manager, secretary or similar officer or someone purporting to act in any such capacity is personally guilty of the offence in addition to the corporate body if:- the offence was committed with his/her consent or connivance; or the offence is attributable to any neglect on his/her part.
    Where the affairs of a corporate body are managed by its members, any member who exercises the functions of management as if he were a director can also be guilty of the offence that results from any of his/her acts or omissions.”

The winding-up of a Company will not extinguish the criminal liability created by this Act.

In short, even if ACS:Law had been a limited company, Andrew Crossley, as the director who ran it, would have remained personally liable for any criminal offence under the Act even after the dissolution of the company; winding up a company removes the company, not the officer. We have, then, a situation where the ICO has done nothing wrong in law, but perhaps not so much right in morality. Think back to the Surrey County Council fine: £120,000 of our (the taxpayers’) money. This fine hurts no-one but us. If Surrey can afford to pay it, then they are taxing us too much. If Surrey cannot afford to pay, then we, the taxpayer, will pay in either increased taxes or decreased services. But a private person gets fined just £1,000. Justice?

And now for the last incident: the reported loss of an NHS laptop. Yesterday El Reg reported that “A London health authority has admitted losing a laptop which contains 8.6 million health records.” It “asked North Central London health board why it needed to store 8.63 million health records on an unsecure laptop in the first place,” and received the following:

NHS North Central London is investigating the loss of a number of laptops. One of the machines was used for analysing health needs requiring access to elements of unnamed patient data. All the laptops were password protected and our policy is to manually delete the data from laptops after the records have been processed. NHS North Central London operates under strict data protection guidance and is taking the matter extremely seriously. We have started an investigation into the issues raised by the loss. We are liaising with the office of the Information Commissioner.
8m health records go walkabout

Clearly the ICO hasn’t yet adjudicated on this breach: so our interest is in predicting what it will do. Will it fine the NHS in the way it fined Surrey; that is, lots and lots of our money that hurts no-one in the NHS but costs us more tax? Or will it discover, like it did with ACS:Law, some reason to fine it very little? I would just add this: to my mind, this is the most disturbing of all three breaches. And I have three questions:

The NHS says that the laptop was password protected, but not that the data was encrypted, which means that it was not encrypted. A login password is enforced by the operating system, not by the disk: it delays an attacker for exactly as long as it takes to remove the hard drive and attach it to a different machine (or boot the laptop from a USB stick), after which every file is readable in the clear. Only full-disk encryption, with the key derived from something the thief does not have, protects data on a lost machine. So, question one: why was the data not encrypted?

Question 2: why did London Health Programmes have this data in the first place? Its website talks about engaging with patients in order to develop health programmes – it says nothing about analysing the health records of thousands of patients, almost certainly without their knowledge or approval.

And question 3: why was this data left on a laptop in a storeroom full of other laptops?

These are rhetorical questions, for there can be no satisfactory answers. But I await the ICO’s decision on this with considerable interest, and with one comment to offer: these privacy breaches just keep on happening; so whatever you’re doing, it ain’t working.
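Question one above turns on the difference between a login password and encryption at rest, and the practical check is simple: for every mounted filesystem on the laptop, is there a dm-crypt/LUKS layer somewhere beneath it? The following is an added example written for this page, not code from the original post or from the NHS; it parses the JSON that util-linux `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` emits (a tree in which an opened LUKS container appears as a node of type "crypt" between the raw partition and the filesystem above it). The sample tree embedded below is constructed, not captured from a real machine.

```python
"""Flag mounted filesystems that have no encrypted layer beneath them.

Added example, not code from the original post. Assumes the JSON layout of
`lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` (util-linux): a tree of block
devices whose nodes carry "name", "type", "fstype", "mountpoint" (or, in
newer releases, a "mountpoints" list) and optional "children". A LUKS
container that has been opened shows up as a child of type "crypt".
A login password protects none of this; only a "crypt" ancestor does.
"""
import json
import subprocess
from typing import Dict, Iterator, List

# Constructed sample of `lsblk -J` output (not from a real machine):
# / and swap sit inside a LUKS container; /boot and /home are plaintext.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
       {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
        "children": [
          {"name": "luks-root", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null,
           "children": [
             {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
             {"name": "vg-swap", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"}
           ]}
        ]},
       {"name": "sda3", "type": "part", "fstype": "xfs", "mountpoint": "/home"}
     ]}
  ]
}
"""

# Container/member signatures are not data-bearing filesystems in their own right.
IGNORED_FSTYPES = {None, "", "crypto_LUKS", "LVM2_member", "linux_raid_member"}


def _mountpoints(node: Dict) -> List[str]:
    """Mount points of a node; newer lsblk emits a 'mountpoints' list instead."""
    mps = node.get("mountpoints")
    if mps is None:
        mps = [node.get("mountpoint")]
    return [m for m in mps if m]


def _walk(nodes: List[Dict], encrypted_above: bool) -> Iterator[Dict]:
    """Depth-first walk; yields one record per mounted filesystem, noting whether
    any ancestor (or the node itself) is a dm-crypt mapping."""
    for node in nodes:
        encrypted = encrypted_above or node.get("type") == "crypt"
        if node.get("fstype") not in IGNORED_FSTYPES:
            for mp in _mountpoints(node):
                yield {"name": node["name"], "fstype": node["fstype"],
                       "mountpoint": mp, "encrypted": encrypted}
        yield from _walk(node.get("children", []), encrypted)


def classify_mounts(lsblk_json: str) -> Dict[str, bool]:
    """Map each mount point to True if it sits on an encrypted layer, else False."""
    tree = json.loads(lsblk_json)["blockdevices"]
    return {fs["mountpoint"]: fs["encrypted"] for fs in _walk(tree, False)}


def unencrypted_mounts(lsblk_json: str) -> List[str]:
    """Sorted mount points whose data is readable once the disk is pulled."""
    return sorted(mp for mp, enc in classify_mounts(lsblk_json).items() if not enc)


def audit_host() -> List[str]:
    """Run lsblk on this machine (Linux, util-linux) and report plaintext mounts."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True,
    ).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    # On the constructed sample only /boot (expected) and /home (the problem) are plaintext.
    print("unencrypted:", unencrypted_mounts(SAMPLE_LSBLK_JSON))
```

An unencrypted /boot is normal (the bootloader has to read it); a plaintext /home or data partition is exactly the condition the NHS statement leaves open. On Windows the equivalent question is answered by `manage-bde -status`, which reports whether BitLocker protection is on for each volume.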

Dr Brian Bandey
M86 Security
ICO

The Data Protection Act: the ICO demonstrates that the cost of compliance is greater than the cost of non-compliance

April 21, 2011 Leave a comment

The Information Commissioner, Christopher Graham, is being decidedly unfair to the security industry. Consider this: fear sells. Government does it all the time. It keeps us in constant fear of terrorists, pedophiles, drug runners, gun runners, Katie Price, identity thieves and the Russian Mafia so that we will buy its lies about the need to curtail our liberty to keep us safe on the street. Security vendors do the same – they keep us in constant fear of cyber terrorists, online purveyors of child abuse, money mules, Katie Price, identity thieves and the Russian Mafia so that we will buy their products to keep ourselves safe online.

But we have to be afraid, or none of it works.

Enter the Information Commissioner. Last April he gained the power to levy monetary penalties of up to £500,000 for serious breaches of the Data Protection Act. What music to the ears of the security industry – something else for us to be afraid of! Another reason to buy security products; this time to help us comply with the Data Protection Act.

But what a let down Mr Graham has been!

Of the 2,565 data leaks reported to the watchdog in the past year, the ICO has only taken action in 36 cases and handed out only four fines, according to data revealed by ViaSat UK under the Freedom of Information Act.
ICO acts on only 1% of reported data breaches

I’m not sure of the maths in that headline (36 actions out of 2,565 reports is about 1.4%, and four fines is well under 0.2%), but never mind. The point is very clear – if you breach the Data Protection Act you are overwhelmingly likely to get away with it. So what does that do? It tells us that the cost of compliance is considerably greater than the cost of non-compliance. In other words, don’t bother about the Data Protection Act. And don’t bother buying any security products to help with compliance.

He’s so unfair!

Categories: All, Security Issues

The ICO imposes its first fines for personal data loss

November 25, 2010 1 comment

The UK’s Information Commissioner has finally used his new powers and imposed financial sanctions on wrongdoers.

The first penalty, of £100,000, was issued to Hertfordshire County Council for two serious incidents where council employees faxed highly sensitive personal information to the wrong recipients. The first case, involving child sexual abuse, was before the courts, and the second involved details of care proceedings.

The second monetary penalty, of £60,000, was issued to employment services company A4e for the loss of an unencrypted laptop which contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester.
ICO

This has provoked a range of different reactions. “It’s good to see the ICO showing its mettle for the first time, sending a clear message that it is completely unacceptable to be cavalier with private and confidential sensitive information,” said Graeme Stewart, public sector business development director at Sophos.


Ed Macnair, CEO, Overtis

Ed Macnair, CEO of Overtis, is slightly more critical, “At first glance this looks like the ICO has real teeth. However, in the case of the stolen laptop, the penalty is less than £3 for each lost record. When you consider the fact that A4e is a £145 million company, the breach has had a higher impact on the 24,000 individuals whose confidential information has been lost.

“Similarly, this council had clearly not learned from the first devastating security breach and continued to use the same insecure channel for sharing highly sensitive information. The technology is there to prevent information from being stored in unencrypted format and to tightly control the faxing, sending and printing of confidential information. Let’s hope that the ICO’s action encourages other organizations to urgently review their policies and procedures.”

This is closer to my own views. £60,000 to a large company is nothing – it will be less than the cost of some decent security software and staff awareness training. So in fact the ICO is saying it’s cheaper to lose the data than to protect it.

And in the case of the council, as I’ve said before, it’s the public what pays. It’s silly to fine a public body because public bodies don’t have any money: only the body public has money, and it’s the body public, you and me, that has to foot the bill. My view is that people who lose personal data should also lose their job: and that should apply as much to the CEO as the clerk. I asked Ed Macnair, whose company develops user activity management and monitoring software that can prevent such leaks, if the ICO is worth its cost.

“Absolutely,” he replied. “While you make a good point that a government office imposing fines on public sector bodies is ultimately penalising the tax payer, there are many hundreds of private sector organisations that are also storing personally identifiable information on UK citizens. Many of them are doing so in a sloppy manner, using systems that are highly vulnerable to accidental data loss or deliberate theft.

“Loss of personal information that has been entrusted to an organisation is a breach of trust and causes a great deal of distress to the people affected. I think the imposition of fines is a step in the right direction. While a £100k fine may seem disproportionate to the damage caused by organizations breaching the Data Protection Act, it sends a strong signal that the Information Commissioner is ready to wield his power.

“I think that since the ICO gained its increased powers in April, the UK has held its breath to see whether Christopher Graham would act. He has acted. This should serve as a strong warning to any other organisation, in the public or private sector, that still hasn’t put the policies, processes and technology in place to safeguard UK citizens’ data.”

I repeated my view that fines don’t really hurt anyone (unless they are personal fines), and that really, heads should roll.

“When it comes to culpability,” he replied, “I do believe that fining the organisation is the right approach. I don’t believe it is fair to fine individual employees because often they are simply trying to get on with their jobs and the data breach is caused by them doing something in a rush, without following policy. The organisation has a responsibility to set policies; educate staff on safe data handling; and to set up systems, processes and technology to prevent these policies from being breached. Pinning the blame on individuals would negate the responsibility of company directors who should be putting the policies, procedures and technology in place to prevent breaches occurring. That said, where an employee has maliciously flouted policy and succeeded in damaging their organisation’s reputation by leaking personal identifiable information, then this should be dealt with in the same way as any act of serious professional misconduct.”

Overtis

Potential exposure of ALL Birmingham NHS patients’ private data

November 11, 2010 Leave a comment

Hardly a week seems to pass without me saying that the ICO is a waste of time – and therefore money. Our money. It needn’t be, but it is.

Last month I discussed The ICO: a guard dog that won’t bite and hardly barks; and I concluded on a story about the NHS losing personal and private patient information:

Obviously there’s no point in fining the NHS; so, hard as it may seem, doctors who lose their patients’ medical records need to be sacked. And that applies to anybody who loses the personal data of others. It’s the only way.

It is the only way; because the ICO’s slapped wrist and don’t do it again approach clearly is not working. Today, the Birmingham Post is reporting an absolutely horrific data breach story:

All patient data along with staff pay and personal details up to chief executive level are believed to have been left accessible to more than 6,000 NHS workers who normally would not be allowed access to such private material…

An NHS source, who feared being named, claimed members of the public using computers at some health sites, like Moseley Hall Hospital, would also have been able to access the insecure confidential records.
Security alert over NHS data breach

Words fail me. We need to wait for more information to emerge, but what if it’s true? Fining the NHS the maximum fine of £500,000 is just a way of levying a £500,000 additional tax on us; because we are the ones who will have to pay it. Somebody has got to go. My bet is that the managers are already looking for a sacrificial lamb amongst their staff. Wrong. It is the top levels of management that need to take responsibility for their failure: resign or be sacked.

Google, Street View and the heavy hand of the ICO

November 5, 2010 Leave a comment

Street View again.

On 29 July 2010, the UK Information Commissioner’s Office stated:

The information we saw does not include meaningful personal details that could be linked to an identifiable person… The Information Commissioner is taking a responsible and proportionate approach to this case…

Basically, the ICO asked Google if it had been naughty, accepted Google’s word that it had only been a little bit inadvertently naughty, and decided to do nothing.

But other data protection jurisdictions are not so compliant. And in particular, the Canadian Privacy Commissioner, Jennifer Stoddart, seems to take her title seriously. She looked a little closer; and on October 22, Google’s senior VP Alan Eustace blogged

I would like to take this opportunity to update one point in my May blog post. When I wrote it, no one inside Google had analyzed in detail the data we had mistakenly collected, so we did not know for sure what the disks contained. Since then a number of external regulators have inspected the data as part of their investigations (seven of which have now been concluded). It’s clear from those inspections that while most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords.

Let me repeat that. Entire emails, URLs and passwords. Obviously this leaves the UK ICO with serious egg on its face. It is supposed to protect our personal data. It didn’t. It didn’t even look very hard to find out whether our data had been compromised at all. And it only found out that probably it had been compromised because of someone else doing her job more professionally. Nevertheless, the ICO now leapt into action, declaring on 1 November:

…we understand that Google has accepted that in some instances entire URLs and emails and passwords have been captured. We have already made enquiries to see whether this admission relates to the data inadvertently captured in the UK, and we are now deciding on the necessary course of action, including a consideration of the need to use our enforcement powers.

But warning that

…we will not be panicked into a knee jerk response to an alarmist agenda.

Ooh, that doesn’t sound right to me. Concerned public, demanding that their privacy guardian should guard their privacy being dismissed as some sort of hysterical mob? Never mind. The ICO has said it will be considering enforcement against Google. And, wait for it, yes er no er well Google is being forced to say it won’t do it again.

Three days later, 3 November, the ICO delivers this

…has instructed Google UK to sign an undertaking in which the company commits to take action to ensure that breaches of this kind cannot happen again… The Commissioner has rejected calls for a monetary penalty to be imposed…

Doncha feel safe with these people looking after our privacy?

The ICO: a guard dog that won’t bite and hardly barks

October 20, 2010 Leave a comment

Readers of this blog will know that I am not the greatest fan of the Information Commissioner’s Office. It’s not entirely the staffers’ fault – if you create a guard dog without teeth it cannot bite; and what use is a guard dog that cannot or will not bite?

Here’s yet another point in question:

A doctor at North West London Hospitals NHS Trust breached the Data Protection Act by leaving medical information about 56 patients on the tube, the Information Commissioner’s Office (ICO) said today.

Is there much that is more personal, more sensitive and more private than your medical information? I think not. So the ICO has come down hard on the culprit:

Fiona Wise, Chief Executive of The North West London Hospitals NHS Trust, has signal [sic – signed?] a formal undertaking outlining that the organisation will ensure that personal data is processed in accordance with the Data Protection Act.


Ollie Hart, head of public sector, Sophos

Now that’s gonna hurt. But what else can the ICO do? If it fines the NHS, we pay. If it sacks the doctor, we pay for a new one. But nothing the ICO has done to other data protection cowboys has had much effect – it certainly didn’t protect these 56 patients. Ollie Hart, head of public sector, Sophos, thinks the solution is at least partly in user education:

It is of paramount importance to educate users within the NHS of the risks of moving around patient and organisational information and how to protect such data. Having the right data protection software is vital but it also requires much more than just putting software in place. Alongside this, it is key to establish the right procedures and processes to protect the data, as well as educating users, across the organisation.

Well, Hart is of course absolutely right that this should be done; and if it were done… ’twere well it were done quickly. But why wasn’t it already being done? And will being told to do it now (when, potentially, the horse has already bolted) protect the personal data of those 56 patients? It will not. My opinion, then, mirrors that of Hugo Harber, Star’s Director of Convergence and Network Strategy: “If you don’t fine these companies that lose sensitive data, if you don’t make it very painful, then the IT director will not get budget next year to put in DLP or encryption or some similar system to fulfill the company’s duty of care.” (See here)

Obviously there’s no point in fining the NHS; so, hard as it may seem, doctors who lose their patients’ medical records need to be sacked. And that applies to anybody who loses the personal data of others. It’s the only way.

Sophos
Star
ICO

Our security awareness is poor – but there may be a simple solution for the majority of security breaches…

October 1, 2010 Leave a comment

“I think,” said Hugo Harber, Star’s Director of Convergence and Network Strategy, “that what surprised me most was the sheer number of security breaches that were directly caused by internal staff. 41% of the respondents admitted to lost notebooks, data sticks and disks. And 50% admitted to breaches caused by staff either not using passwords, or writing them down and allowing them to be compromised. I had thought that the average security consciousness was higher than that.” But it isn’t, is it? And we really do need to do something about it.


Hugo Harber, Star’s Director of Convergence and Network Strategy

Well, the technology is there. “Mobile devices get lost and stolen. That’s one of the reasons we very strongly recommend that companies only use mobile devices that have a remote wipe capability, and proper encryption capabilities to encrypt all data on the device. That will protect data outside of the firewall, while data loss prevention techniques can prevent sensitive data leaking out from the servers.”

But the fact remains, even though we have this technology, we’re simply not using it. So what is the solution? In reality, it may not be in the hands of the security professionals (who have always struggled to make a business case for security investment) but rather it lies in the hands of our business regulators: bodies like the FSA and the ICO.

“The FSA and other authorities,” says Harber, “need to come down very hard on data protection lapses.” The FSA has indeed made a start, just last month fining “Zurich Insurance Plc (Zurich UK) £2,275,000 for failing to have adequate systems and controls in place to prevent the loss of customers’ confidential information.” It’s a start, but it’s not enough.

“I think the ICO also needs to take a harder line,” Harber continued. “The reality is that every business that pays its staff electronically is going to have very sensitive personal information, including names and addresses, national insurance numbers and bank details. It’s instant ID theft if you lose your HR records – and that applies to almost every business in the country. The FSA is absolutely right to be harsh on the banks, but the ICO needs to take every business that loses personal data to task; starting with the big ones, but including some small ones as well.

“If you don’t fine these companies that lose sensitive data, if you don’t make it very painful, then the IT director will not get budget next year to put in DLP or encryption or some similar system to fulfill the company’s duty of care,” he concluded. It could be as simple as that: the most effective security device currently available is a big stick wielded by the regulators.


We had been talking about the survey details contained in the whitepaper sponsored by Star: Data security: a way forward in the cloud

Star

Categories: All, Security Issues