Thursday, 27 June 2013

ICO enforcements – gone but not forgotten

I’ve found a great website that lists the data breaches that have been removed from the ICO’s enforcement pages.

I am greatly indebted to a chum who read yesterday’s blog and kindly gave me the address of Breach Watch, a website operated by John Elliott.

Breach Watch lists all formal action in response to data breaches taken by the Information Commissioner’s Office and the Financial Services Authority (recently split into the Financial Conduct Authority and the Prudential Regulation Authority).

Currently, visitors can browse over 260 reports of regulatory action. Updates are usually posted on a weekly basis.

So, if you need to review any FSA enforcement action from 2007 to 2012, or any ICO Undertakings, Enforcement Notices or Monetary Penalty Notices since 2007, you now know where to look.

As John explains, it’s a great site for people who want to learn from others’ misfortune, understand what the regulators are concerned about and get a better understanding of what constitutes appropriate technical and organisational measures. It’s also a great resource for trainers who need examples of real cases to spice up training sessions and internal reports.

And John also makes the following points:

"Over 40% of the undertakings and monetary penalties listed here were the result of the loss or theft of unencrypted data, typically on a memory stick or unencrypted laptop.

Over 50% were the result of insufficient training or education of staff, typically relating to insecure use of personal data, such as transferring it to an unencrypted storage device - notice the strong theme about unencrypted, portable data. Many of these principles also relate to the security of the physical documents.

A major point to appreciate is that in the majority of cases the insufficiently secure data was simply lost as a result of human error - it was the failure to prepare for such an event, rather than the loss of the item itself, that was the issue and the cause of the regulatory action.

In the case of theft it is extremely rare that the data was stolen for its own value, but rather was stolen alongside something else, such as a laptop or a bag containing physical records. Encryption of data in advance is important to prevent access to this data and minimise the danger posed by such unfortunate events.

Ensuring that staff are sufficiently trained in key data protection principles and that encryption policies are actually followed would protect against the primary danger of accidental loss, the most common cause of a breach threat."

This is seriously good stuff, and I commend this website to all responsible data protection folk.