I’ve found a great website that lists the data breaches that
have been removed from the ICO’s enforcement pages.
I am greatly indebted to a chum who read yesterday’s blog
and kindly gave me the address of Breach Watch, a website operated by John
Elliott.
Breach Watch lists all formal action in response to data
breaches taken by the Information Commissioner’s Office and the Financial
Services Authority (recently split into the Financial Conduct Authority and the
Prudential Regulation Authority).
Currently, visitors can browse over 260 reports of regulatory
action. Updates are usually posted on a weekly basis.
So, if you need to review any FSA enforcement action from
2007 to 2012, or any ICO Undertakings, Enforcement Notices or Monetary Penalty
Notices since 2007, you now know where to look.
As John explains, it’s a great site for people who want to
learn from others’ misfortune, understand what the regulators are concerned
about and get a better understanding of what constitutes appropriate technical
and organisational measures. It’s also a great resource for trainers who need
examples of real cases to spice up training sessions and internal reports.
And John also makes the following points:
"Over 40% of the undertakings and monetary penalties listed here were the result of the loss or theft of unencrypted data, typically on a memory stick or unencrypted laptop.
Over 50% were the result of insufficient training or education of staff, typically relating to insecure use of personal data, such as transferring it to an unencrypted storage device - notice the strong theme about unencrypted, portable data. Many of these principles also relate to the security of the physical documents.
A major point to appreciate is that in the majority of cases the insufficiently secure data was simply lost as a result of human error - it was the failure to prepare for such an event, rather than the loss of the item itself, that was the issue and the cause of the regulatory action.
In the case of theft it is extremely rare that the data was stolen for its own value, but rather was stolen alongside something else, such as a laptop or a bag containing physical records. Encryption of data in advance is important to prevent access to this data and minimise the danger posed by such unfortunate events.
Ensuring that staff are sufficiently trained in key data protection principles and that encryption policies are actually followed would protect against the primary danger of accidental loss, the most common cause of a breach threat."
This is seriously good stuff, and I commend this website to
all responsible data protection folk.