Stoke On Trent Council has received a "rebuke" for losing an unencrypted USB memory stick containing the personal details of children in care. Court reports and details of care proceedings against 40 kids were mislaid as a result of the blunder, which might have easily been avoided by the use of memory sticks that support …
Won't be the last time...
...and fining organisations for lost data is pointless since the ratepayers will be the one footing the bill. A hefty fine and/or jail time for the individuals involved would make a better deterrent.
Public bodies will continue to be negligent as long as the organisation is held responsible and not the person that lost the data, simply because ultimately the taxpayer pays the fine.
Punish the incompetent that lost the data and you might see a change in attitude to security.
fining the person who lost the data...
...results in some poor schmuck who doesn't know any better getting in trouble, while the manager who didn't implement proper procedures in the first place gets off scot free.
Fining public bodies
Could somebody tell me what the rationale is for ever fining a public body? Any such fines are paid for by the poor old taxpayer and/or by loss of services to cover the cost.
Any sanctions should surely be against the miscreants. Possibly the most sensible thing would be disciplinary procedures decided on by an independent body, but I don't see how one bit of the government paying fines into another bit helps the rest of us. In the case of a private company the shareholders are penalised, but then at least they've got some ways of inflicting pain on the board.
Re: Fining public bodies
>>Could somebody tell me what the rationale is for ever fining a public body?
Because, like any organisation, they are run by people, people with budgets, and the people who work for those with budgets are in fact real people. You might think that people who work in the public sector are sitting around, being paid above average to fill in the time between when the tea trolley woman comes round with a fresh supply of biscuits, but the world has moved on since then. Public sector workers are under the same constraints as the private sector: the bosses really don't like finding a big hole made in their budgets because an employee has done something they shouldn't have, and if they didn't tell the employee not to do it then they are vicariously liable. So if some tool loses an unencrypted mem stick and they were allowed to have it, then it's not their liability; if they lose an unencrypted mem stick that they were not allowed to have, then they are liable for gross misconduct.
Put it this way: the money being moved by the fine will never directly help anyone, as you say it's just moving it from one part of the government to another, but inflicting budgetary pain really pisses off the directors, and the potential (or actual) of this should make them put procedures in place to protect data (or punish the actual rule breakers themselves).
>>Any sanctions should surely be against the miscreants
Yes, but who are the miscreants? Are they the people who lose the stick? Well, not if you "allow" them to hold data in this way, and the only people who can create and enforce the rules are the directors. This is all about vicarious liability: by default those liable are the directors, unless they have done everything they can to prevent their employees doing something wrong.
It seems like the answer should be simple, but it ain't.
The first miscreant is the idiot who lost the stick.
The second miscreant is the idiot who did not apply basic security protocols.
The third miscreant is the manager who allowed this type of stupidity to take place.
There you are - 3 people directly accountable to the public for the loss of the unencrypted USB stick; and that may just be the start, as others (e.g. the IT people and accounting people) may have prevented those three from complying with proper procedures.
Until people are made to be PERSONALLY responsible for their actions, very few of them will be bothered by some big council cheese being a bit miffed about a 'trifling' amount of money being docked from their budget.
Fining organisations is pointless; a bit like un-targeted sanctions: all the wrong people suffer, and the ones who should suffer carry on as normal.
Your argument is fair enough, but I don't agree with your conclusion. I don't see why the punishment has to stop with just the one who physically lost the data; I would be quite happy to see the pain go right up the chain of involvement to the top. That way everyone has a vested interest in security.
don't agree with the logic
"public sector workers are under the same constraints as private sector, the bosses really don't like finding a big hole made in their budgets because an employee has done something they shouldn't have"
A hole doesn't get made in the budget, because they have some form of revenue-raising power which they then use to fill the shortfall.
Personal accountability is much more effective. In the private sector you'd probably get the boot; does that ever happen in the public sector without a large "there-there, petal" pay-off?
More tea, Mr Lennox-Brown?
"you might think that people who work in the public sector are sitting around, being paid above average to fill in the time between when the tea trolley woman comes round with a fresh supply of biscuits..."
My sister, who works in the "public sector" relates that there are many there to whom that description would apply very accurately, from "professionals" (like architects) who don't know how to search on Google to those promoted way beyond their ability because it was a convenient manoeuvre at the time.
"...the world has moved on since then, public sector workers are under the same constraints as private sector..."
This is simply nonsense. Most "public sector" workers and their departments have no exposure whatever to competition.
"disciplinary procedures decided on by an independent body"
You mean like the IPCC.
What could possibly go wrong with that idea, children?
"care proceedings against 40 kids"
I thought it was about caring /for/ kids, not /against/ them?
What? The one with the USB sticks in the pocket... can't find it? Oh dear.
Re: care proceedings against kids
You obviously don't know Stoke on Trent.
Why was the data on a thumb drive?
I really don't understand why that sort of data needs to be stored on a thumb drive, or even on a portable computer. Sensitive data would be better kept in a data center accessed with VPN WAN/LAN.
Don't suggest fining just the person who lost the stick
but also consider the IT/management team responsible for allowing unencrypted devices to be used, especially if the use is codified in a documented procedure.
It must be drummed in at all levels that this type of information stored on portable storage has to be encrypted.
Re: just the person who lost the stick
That person might be hardly blameworthy, if he hasn't been given proper training and guidance by the people higher up the organisation who really should know better about formulating and implementing data security policy.
"Undertaking to encrypt all data in future"
So that'll be a password on the Excel spreadsheet, then?
A plea for partial leniency
The doofus who lost this stick and the one who put the information on it in the first place (possibly the same individual) may be entirely blameless. I'm willing to bet the usual jelly-filled donut that they were never instructed not to put sensitive data on portable devices. Nor, for that matter, were they ever told what is "sensitive data" and what isn't.
If they were, the instruction was probably buried in the middle of a 2500-page policy and procedures manual that only management has copies of, or was couched in such thick bureaucratese and circumlocution that it obscured rather than communicated.
The person who deserves a fine painful enough to cause prolonged reflection on the error of her ways is the person in charge of IT security.
IT security may not be to blame either.
If the policy was not to allow handling in this way then the user is to blame for breach of policy (blaming IT security in that instance is like blaming the police if somebody breaks into your unsecured house).
Basically the blame could lie in one of 4 places (possibly more):
1. If IT security didn't identify and escalate the risks then they are at fault.
2. If senior management chose to ignore or accept the risks then they are at fault.
3. If policy and procedures were put in place on the correct handling but the user was not aware of them, then either Security Management or Line Management were at fault.
4. If the user was aware of any policy and procedures on the correct handling but chose to ignore them then the user is at fault.
We don't know which (well, I don't anyway). Working in this area, I would guess that the most likely orders of blame would be either 2, 4, 3, 1 or 4, 2, 3, 1. IT security (whilst possible) are not the most likely area to blame - they constantly raise risks and issues, but are too often ignored until after the event (or incident!).
"reports and details of care proceedings ... were mislaid ... which might have easily been avoided by the use of memory sticks that support encryption."
Sorry, but how does encrypting a memory stick prevent it from being mislaid? Yes, it'll stop the data from getting into the wrong hands, but had this particular memory stick been encrypted, the data would have been lost forever, because no one would have been able to plug it in and determine its origin from the data contained within, whether it was the individual who handed it in or the organisation s/he handed it to who determined this.
Not that I condone not encrypting the sticks, of course.
how does encrypting a memory stick prevent it from being mislaid?
Ummm... that's the whole point - it doesn't matter one jot if it's mislaid if it has been encrypted, so the guy who lost it doesn't lose his job or career.
However, if the IT director or the management don't mandate the use of encryption and are therefore happy to ignore the law in this area, then they should be personally liable.
Stoke on Trent
Says it all really, a town that cares f*ck all for its kids.
what was it the Govt said about CAFCASS?
Not fit for purpose?
Not just the kids.
They don't care about its adults either, they're useless. I live here!
This info shouldn't be kept on mobile storage, nor should it be allowed into the hands of run-of-the-mill social workers who probably don't understand encryption anyway. Info should be stored securely, not allowed off the premises, and password protected.
Stoke Council shows even more contempt for the people it's supposed to be serving than the DVLA.
No - no one could be that bad.