Wednesday 14 April 2010

Honesty - the best policy?

OPINION: For an interesting example of how to manage a data loss, have a look at what happened at the London Borough of Barnet.

This article was contributed to OUT-LAW.COM by Dr Chris Pounder of Amberhawk.

A loss of data involving 9,000 children followed a burglary of the home of a member of staff. The loss included the Council’s computer equipment (a laptop, CD-Roms and memory sticks) along with other items from the house.

Like most organisations, the Council had implemented procedures and policies to ensure that the personal data on the computer equipment and related portable media were encrypted. Unfortunately, in this case, there were unencrypted personal data stored on CDs and memory sticks which were stolen with the laptop.

As there had been a clear breach of Council policies, the member of staff concerned was suspended and data subjects (or in this case, the parents of data subjects) were contacted by a letter.

So what is new in this? Well, I think the new item is the public relations handling of data subjects (and parents). I think the Council formed the view that having reported the data loss to the parents (and presumably the Information Commissioner's Office), an Undertaking from the ICO would be a likely end-point of the process. Given this, it followed that the ICO’s publicity machine would be very likely to issue its usual press statement concerning details of the Council’s Undertaking (if there were to be one).

So instead of waiting for the inevitable, LB Barnet took the initiative. It published full details of the data loss on its website, invited data subjects to ask questions or exercise their right of access, gave details of what it was doing to remedy the situation and provided contact details for those who had questions. The letter to the parents of data subjects and the content of the website pages were either signed by the Chief Exec or approved by him.

In this way, the Council managed the bad news instead of the ICO managing it through his usual press release that accompanies an Undertaking. This means that if there were to be an Undertaking and if the ICO were to issue a press release then the subject is “old news”. In fact, is there a need for an Undertaking if the Chief Exec has publicly committed himself to do the things that the Undertaking would require of him?

Seizing the news agenda when there is a data loss is something that data controllers can consider. In addition, one can always follow the government’s example of identifying “a very good day to bury bad news”. Issuing press releases at 4:00pm on a Friday or the day before a bank holiday is usually a good time for a press release to be missed.


OUT-LAW News, 14/04/2010

Friday 2 April 2010

Flood, fire at BT Paddington node causes widespread problems

A fire at a BT building in central London is causing widespread landline, internet and mobile network problems, according to reports.
A blaze at Burne House in North Paddington was reported this morning.
According to Gradwell, a business ISP, 437 local exchanges and up to 37,500 Datastream circuits have been affected. It said the fire was having nationwide repercussions on communications.
Vodafone has told customers its network was also hit by the incident.
BT said in a statement: "Following a fire at a BT exchange in the Paddington area, customers in parts of North and West London may be experiencing a loss of broadband and/or telephone service. Customers in other parts of the country may also be affected."
The company was still assessing the impact of the damage, it said, "but will only know the full extent of the impact once the site has been declared safe and our engineers are able to enter the building. We will issue a further update once we have more information on the incident."
Update
Gradwell has posted an update including a list of over 400 affected exchanges.
While fire was the problem earlier down in Paddington, flooding is the issue now apparently. Famine, pestilence, war and a plague of boils are surely not far behind.
Update
In a further statement, BT said:
“Following major flooding at a BT exchange in the Paddington area, tens of thousands of customers in parts of North and West London may be experiencing a loss of broadband and/or telephone service. Customers in other parts of the country may also be affected. We are currently working on restoring services to customers, however as this is a complex incident we cannot accurately predict when all services will be restored. We will issue further updates as the situation changes.
“Any customers needing to make calls to the emergency services who have a problem using their phones are advised to do so by using their mobile phone, or alternatively by using a friend or neighbour's working phone.”
The firm also said that the Paddington fire and flood had affected no more than 30 exchanges.
Update
BT has clarified the chain of events. As it currently understands the incident, flooding caused an electrical fire. The fire brigade attended and "addressed" the fire, a spokeswoman said. The root cause of the major outage is thought to be the flooding.

London council loses thousands of kids' details

Barnet Council has lost records of 9,000 school children after a laptop and unencrypted USB stick were stolen.
Nick Walkley, chief executive of Barnet Council, has written to parents to apologise but said the risks associated with the data breach were minimal. Information held included children's names, educational attainment, entitlement to free meals and postcodes and phone numbers. Some records were more detailed and those parents received a separate letter.

Although the database of kids from year 11 in 2007, 2008 and 2009 was encrypted, the loss happened when a member of staff copied the unencrypted data onto CD-ROMs and USB sticks.
The laptop, CDs and USB sticks were then stolen during a burglary at the staff member's home. That person has been suspended for breaking council rules by saving the data onto memory sticks.


The council said it has now disabled external storage devices to stop staff making unauthorised copies of data and is setting up an independent review of what went wrong.
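The remedy Barnet describes, blocking writes to external storage so staff cannot make their own copies, maps onto the Windows "Removable Storage Access" policy. The script below is an added example, not the council's configuration or anything from the article: it enforces and then audits a deny-write setting for both device classes involved in this loss, USB removable disks and CD/DVD burners. It assumes a Windows host where that policy is read from its documented registry location and that the shell is running elevated; the class GUIDs are the ones the policy uses, while the function and variable names are this example's own.

```powershell
# Added example (not from the article or Barnet Council). Enforce and audit the
# Windows "Removable Storage Access" policy values that deny write access to
# removable disks and to CD/DVD drives. Run elevated.
# Device-class GUIDs are those used by the policy itself; everything else
# (names, layout) is this example's own choice.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$Classes = @{
    'Removable Disks' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'  # USB sticks, card readers
    'CD and DVD'      = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'  # optical burners
}

function Set-RemovableStorageDenyWrite {
    # Writes Deny_Write=1 under each class key. Deny_Read is deliberately left
    # alone so staff can still read vendor-supplied media; to block every
    # class in one go, set Deny_All=1 directly under $PolicyRoot instead.
    [CmdletBinding()]
    param()
    foreach ($entry in $Classes.GetEnumerator()) {
        $key = Join-Path $PolicyRoot $entry.Value
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'Deny_Write' -Value 1 -Type DWord
        Write-Verbose "Deny_Write set for $($entry.Key) at $key"
    }
}

function Test-RemovableStorageDenyWrite {
    # Emits one object per class so an audit job can collect and compare
    # results across machines; a missing value reads as non-compliant.
    foreach ($entry in $Classes.GetEnumerator()) {
        $key   = Join-Path $PolicyRoot $entry.Value
        $value = (Get-ItemProperty -Path $key -Name 'Deny_Write' -ErrorAction SilentlyContinue).Deny_Write
        [pscustomobject]@{
            Class     = $entry.Key
            Key       = $key
            DenyWrite = $value
            Compliant = ($value -eq 1)
        }
    }
}

Set-RemovableStorageDenyWrite -Verbose
Test-RemovableStorageDenyWrite | Format-Table -AutoSize
```

Two caveats a practitioner would want. First, the policy is applied to the device stack, so treat a reboot (or at least a policy refresh and re-plugging the device) as the point at which it is in force, and confirm with the audit function rather than assuming. Second, this only controls the two classes listed: phones and cameras enumerate as Windows Portable Devices under their own class GUIDs, and nothing here stops a copy to webmail or a personal cloud drive, which is why the councils in these stories also lean on encryption of anything that does leave the building.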

Data hung out to dry as 4500 USB sticks left in dry cleaners

21 January 2010
Research just released suggests that as many as 4500 USB memory sticks may have been left in dry cleaners across the UK in the last year, as careless owners left the USB sticks in their clothing sent for cleaning.
The security research, carried out amongst 100 dry cleaners, was extrapolated to all the dry cleaners in the UK, with the sponsors of the survey – Credant Research – saying that each lost data stick could cause the Information Commissioner's Office to levy a six-figure fine if the USB drive contains any confidential company data.
Sean Glynn, Credant's vice president, said that, although this year's security study compares favourably with a similar survey a year ago – which found twice the number of lost USB sticks at dry cleaners – users still need to take more care as customer details are increasingly being stored on the USB drives.
"We would urge users to take more care than ever not to download unprotected customer details and other sensitive information that if lost could lead to a security breach, especially now there are harsh fines afoot", he said.
According to Glynn, the survey is just one illustration of the stark truth that device losses, such as USB sticks, are happening everywhere, everyday, worldwide.
Organisations, he explained, want to leverage the business benefits of mobile computing and provide their employees the flexibility to work wherever and whenever they want to.
"However, this must be balanced with the requirement of protecting the organisation's data, especially to avoid penalties – such as that promised by the ICO, brand damage or even embarrassing press headlines", he said. "If sensitive or valuable data is being carried, then people should protect it with encryption to prevent unauthorised access at any point – as it could easily end up in the wrong hands", he added.


Confidential social services data found on USB stick in Stoke-on-Trent

29 March 2010
Records from the city council's social services department have been found on an unencrypted USB stick in Hanley, Stoke-on-Trent. The stick was handed in by an IT consultant to the local newspaper, the Sentinel, on Friday, after he apparently found it lying on the pavement.
According to the Sentinel newspaper, the social services records of foster carers, family court proceedings, parenting assessments, child custody arrangements and even the psychological history of children in care were included in the files.
The paper appears to have reported the incident to the Information Commissioner's Office (ICO), as well as returning the USB stick to the council, which has launched an urgent investigation into the affair.
According to a weekend newswire report, the USB stick was in possession of a social worker, who appears to have broken several security rules, including one that data taken out of the office should be encrypted.
The Sentinel quoted a council spokesperson as saying: "The safety of children in our care is our priority. We have procedures for ensuring that confidential and sensitive data is kept as secure as possible.
"We will conduct a thorough investigation to determine the circumstances in which the data was lost.
"We thank The Sentinel for returning the data, as situations such as this require immediate attention. The device has been put in a safe place."
The 53-year-old IT security consultant who found the USB stick told the paper that he picked it up because, although it was covered in mud, it was still worth around £10.
On plugging the stick into a computer, however, he found around 40 files on the drive.
In its story on the incident, the Sentinel quoted an ICO spokesman as saying: "We may serve an enforcement notice if an organisation has failed to comply with any of the data protection principles.
"We have statutory power to impose a financial penalty if there has been a serious breach of data protection."
According to Nick Lowe, regional director with Check Point Software Technologies, the data was clearly not encrypted, which is against the council's own data protection policies.
"This highlights the fact that policies alone are not enough to protect sensitive data: the encryption has to be automated and 'always on' to stop these breaches happening and avoid penalties from the ICO", he said.
Check Point has developed its own secure USB stick, the Abra, which was developed in conjunction with Sandisk and allows users to carry their office computing environment – complete with data files – around in their pocket.
When plugged into a suitable host computer, the Abra allows users access to a secure working environment that also remains under control of the company's IT department.


Thursday 4 February 2010

Red faced employee

Macquarie Bank is said to have launched an investigation after a trader was seen on live TV opening up photos on his work PC monitor of a scantily-dressed Miranda Kerr, the Australian supermodel.
Australia's 7 News was interviewing a senior Macquarie private wealth professional on the subject of Oz interest rates Tuesday, when, in the background, a firm trader (clearly unaware that he was on live TV) opened some pics from Ms Kerr's recent GQ shoot. It looks as if the trader was tipped off by a colleague that he was being filmed, as the trader quickly closed down the pictures and turned somewhat guiltily to the camera.
http://news.hereisthecity.com/news/business_news/9897.cntns