How about engraving the home address of council staff onto the memory sticks so that helpful members of the public know where to deliver the misplaced item?
(And maybe deliver a good kicking too!)
Cambridgeshire County Council has had its wrist slapped for losing an unencrypted memory stick containing the details of vulnerable adults. The unencrypted memory stick contained the personal details of at least six individuals. The stick included case notes and minutes of meetings where staff discussed the care of the at-risk …
What happens when you are a bad guy. It goes from being "oh look a USB drive" to "oh look a USB drive from the council, I wonder what could be on it!"
I wonder how people manage to lose USB drives.
I was being sarcastic.
You mean she kept forgetting her password.
And the council went with the cheap option of issuing encrypted sticks (+2 points) and trusting users to make sure they used only those (-20 points).
The more expensive option would be to install software that prevents anything other than an encrypted stick from working. But it's still cheaper to pay the toothless ICO fine.
Until the ICO can mandate that the offenders take specific steps to remedy the situation, these data breaches will continue.
I don't understand why anything like that would be on portable media to begin with. Data like that should never leave the office for any reason other than offsite backup.
It would appear from the story that they "went back to using unencrypted" USB. In that case discipline the prick for breaching the internal rules.
This is yet another nail in the coffin of all those idiot 'if you've nothing to hide you have nothing to fear' apologists for government snooping.
They can't be trusted with information - even obviously very sensitive information.
I bet some other things are true here as well...
a) The individual is still in a job
b) The individual is still handling sensitive data
c) The people affected have not been compensated to the tune of a couple of million pounds each to pay for a complete identity change
d) The council haven't reported this to the locals who pay their tax (I know this for a fact as I am one of the poor souls whom this council fleeces for massive council tax payments).
I'll go one further and bet that the people affected have not even had an apology, will never have an apology, and are not even being treated with basic human dignity or respect.
You try getting an apology out of the council when they lose your data. You can't do it, can you? It's not possible. Now imagine how much harder it would be to even try if you were a vulnerable adult.
Of course they will argue that you are not owed anything, that you are their servant (and lucky to be so) and they are beyond reproach.
It makes me literally sick.
Sack the monkey responsible. This will educate the staff quicker than anything else.
Paris because she wouldn't do anything as dumb as this. Oh, and because we haven't seen much of her lately.
... that person should be disciplined for going against the policy that was established and subsequently explained to them. In fact, seeing as they deliberately ignored policy and subsequently caused the council serious problems when they did, that should have resulted in a sacking.
but in this case, if the published policy was to use encrypted sticks, the worker was given an encrypted stick, and was told to use the encrypted stick, but subsequently didn't merely 'because they had problems', and then did not get the problems addressed, this should be a serious disciplinary issue.
The employee should be reprimanded at the very least, and if the employment policies allow, held up in front of the rest of the work force to illustrate how important these things are. This is especially true if they are in any position of seniority.
If this is not done, the excuse will always be that 'it is an education issue', and we will see these things happening more and more.
Serious disciplinary issue? No.
Reprimanded at the very least? My arse!
It is gross misconduct and grounds for immediate dismissal.
No hearings, no appeal, do not pass go, do collect your P45 on the way out the door.
As someone living in Cambridgeshire, the home of the hundred-million-quid footpath that was supposed to have buses running on it, the only reason I'm surprised is that it's only 6 people. More muppets than Sesame Street, Cambridge city council.
Here's an idea so crazy that it might just work.
Every USB stick issued by the council should have a big heavy key-fob, the kind that some hotels have on their keys to remind you that it's in your pocket. The weight of it should ensure that you don't lose it.
(The weight might have to be on a chain, for desktop PCs where the USB port is some way off the ground. There should be no way to detach the weight - this thing would be soldered into the USB stick.)
As long as the ICO doesn't do anything more than grumble at people, stupid data losses will keep happening.
Yes, it's tedious when complex security mechanisms fail. It's still retarded for this to happen, not least in the context that the user who reverted to using unencrypted storage was aware enough of the reasons for needing encryption that they only went back to unencrypted storage after "having problems" with the encryption system - and yet then managed to be sloppy enough to lose the unencrypted storage!
FFS! If you've had training sessions saying things like "DON'T stick data on a USB drive without using TrueCrypt/SomeOtherCryptoSoftware, otherwise if you lose it the data gets out and we're all in the shit", it takes being a bit thick to then go "Aw, but I don't like/understand TrueCrypt/SomeOtherCryptoSoftware, I'll just go on doing the same thing I always did. Oh, bum - where's my USB stick?"
Is it too much to hope for organisations including mishandling of sensitive data as a disciplinary issue? (ie. do it once and you get a verbal warning, twice written warning etc). Seems like an approach that might actually stimulate a change in attitude.
Cambridgeshire County Council,
Kindly issue a memo that anyone handling sensitive data without using strong encryption will be hung, drawn then quartered.
PS my £100,000 consultancy fee is on its way.
Back when I was a student I used to get my beer tokens by working in a bookies. We were regularly briefed on 'compliance' issues, to the point of tedium so that I couldn't play the thick card if I didn't comply. Also, if I were to be caught serving a 'vulnerable' (under-age or self-excluded) punter then I was personally liable to the tune of several grand and possibly prosecution.
Dunno about you, but I think leaking the personal information of lots of people is far worse than accidentally serving a 17 year old that wanted to put a coupon on. Yet there doesn't seem to be any deterrent /to the employee/ for leaking data, aside from a potential sacking; if there is, it isn't enforced.
Someone should invent a system whereby data can be securely transferred from one computer to another via means of an electrical connection rather than getting a man to physically carry a physical storage medium.
They could call this fangled abstract invention 'networking' or something.
Imagine it! One building could access the data on another system securely over some kind of network connection with no one in between to steal it, and no important consequences if it gets lost en route. It would just need to be sent again. A really clever dick could even make the protocols automatically re-send lost bits of data when they fail to appear in real time.
Any dragons out there willing to buy into the idea?
They could also use this "net-work" thingy to store documents in a central place, too. They could call it "fog computing" or something like that
"...the loss wasn’t a failure on the part of security strategy"
Exactly what part of allowing an unencrypted stick to be used is not a failure on the part of security strategy? "The user finds it difficult" is not an excuse and the Council should be treated as if no security policy was in place.
"Exactly what part of allowing an unencrypted stick to be used is not a failure on the part of security strategy?"
There's nothing wrong with the policy, it's just not being enforced correctly...
Surely losing sensitive data, while going against established security protocols, is gross misconduct and the employee in question should be removed and shot (or I'll accept fired).
I think they should be registered as a "vulnerable adult" (appropriate if it's the euphemism I think it is), have their personal details recorded on an unencrypted USB stick, and the stick left in a pub somewhere.
AC because I live in Cambridgeshire.
with deciding who should go due to the cuts that are expected...
I work for a company providing clinical databases for the NHS. We need to handle patient data on a regular basis, as we are often converting it from one system to another.
We still get emails from NHS staff containing large quantities of patient data, completely unencrypted, and then have to put up with them shouting at us when we refuse to return the processed data by the same route.
We've even offered to help train them to use PGP (since we suspect that we'll be hung out to dry if anything goes wrong). Nope - ain't going to happen, since the IT departments will often refuse to install it.
I have no idea what's going through the heads of the people responsible for all this - there seems a complete disconnect at all levels about what's really happening with the data...
DfH had mandated nothing is to go via unencrypted email unless from and to nhs.net addresses, iirc.
One approved solution is to use WinZip and encrypt the files using AES-256.
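The AES-256-in-a-ZIP route mentioned above has a practical catch: the same tools will happily produce an archive with no encryption at all, or with the original PKWARE "ZipCrypto" stream cipher, which is broken by known-plaintext attacks, and the file looks identical from the outside. The following is an added example (mine, not the commenter's and not WinZip's code) that audits a ZIP before it leaves the building by reading each entry's local file header: general-purpose flag bit 0 says whether the entry is encrypted, compression method 99 plus a 0x9901 extra field carrying vendor ID "AE" marks a WinZip-AES entry, and the strength byte in that field says whether it is AES-128, -192 or -256. The two sample archives are constructed inline (the AES entry's payload is placeholder bytes, since Python's zipfile cannot write AES entries); the policy function and its threshold are my assumptions.

```python
import io
import struct
import zipfile

# Constants from the WinZip AES encryption specification (AE-1 / AE-2).
LOCAL_HEADER_SIG = b"PK\x03\x04"
AES_COMPRESSION_METHOD = 99     # "method" field value used for WinZip AES entries
AES_EXTRA_FIELD_ID = 0x9901     # extra-field ID that carries the AES parameters
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}
FLAG_ENCRYPTED = 0x0001         # general-purpose flag bit 0
FLAG_DATA_DESCRIPTOR = 0x0008   # sizes live in a trailing descriptor, not the header


def aes_strength_from_extra(extra: bytes):
    """Return the AES key size named in a 0x9901 extra field, or None if absent."""
    pos = 0
    while pos + 4 <= len(extra):
        field_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if field_id == AES_EXTRA_FIELD_ID and len(body) >= 7:
            _vendor_version, vendor_id, strength, _real_method = struct.unpack_from("<H2sBH", body)
            if vendor_id == b"AE":
                return AES_STRENGTH.get(strength, "AES-unknown-strength")
        pos += 4 + size
    return None


def audit_zip(blob: bytes):
    """Walk the local file headers and classify each entry's encryption.

    Returns a list of (entry name, status) pairs; status is "UNENCRYPTED",
    "ZipCrypto (legacy, weak)", "AES-128"/"AES-192"/"AES-256" or "AES-malformed".
    """
    findings = []
    pos = 0
    while blob[pos:pos + 4] == LOCAL_HEADER_SIG:
        (_version, flags, method, _mtime, _mdate, _crc,
         csize, _usize, name_len, extra_len) = struct.unpack_from("<HHHHHIIIHH", blob, pos + 4)
        name = blob[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        extra = blob[pos + 30 + name_len:pos + 30 + name_len + extra_len]
        if not flags & FLAG_ENCRYPTED:
            status = "UNENCRYPTED"
        elif method == AES_COMPRESSION_METHOD:
            status = aes_strength_from_extra(extra) or "AES-malformed"
        else:
            # Encrypted, but with the original PKWARE stream cipher: not acceptable.
            status = "ZipCrypto (legacy, weak)"
        findings.append((name, status))
        if flags & FLAG_DATA_DESCRIPTOR:
            break   # streamed entry: header sizes are zero, so we cannot skip its data
        pos += 30 + name_len + extra_len + csize   # jump over the entry's data
    return findings


def meets_policy(findings) -> bool:
    """Assumed policy: every entry must be AES-256; an empty archive does not pass."""
    return bool(findings) and all(status == "AES-256" for _, status in findings)


# --- constructed samples, no real data ------------------------------------

def make_plain_zip() -> bytes:
    """An ordinary unencrypted archive, as most tools produce by default."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("case_notes.txt", "constructed sample text, not real data")
    return buf.getvalue()


def make_aes_entry(name: str, strength: int = 3, ciphertext_len: int = 32) -> bytes:
    """A hand-built local header for one WinZip-AES entry.

    The payload is a placeholder of ciphertext_len bytes standing in for
    salt + password verifier + ciphertext + auth code; only the header matters here.
    """
    extra = struct.pack("<HHH2sBH", AES_EXTRA_FIELD_ID, 7, 2, b"AE", strength, 8)
    header = LOCAL_HEADER_SIG + struct.pack(
        "<HHHHHIIIHH", 51, FLAG_ENCRYPTED, AES_COMPRESSION_METHOD,
        0, 0, 0, ciphertext_len, 0, len(name), len(extra))
    return header + name.encode() + extra + b"\x00" * ciphertext_len


if __name__ == "__main__":
    for label, blob in (("plain", make_plain_zip()), ("aes256", make_aes_entry("case_notes.txt"))):
        findings = audit_zip(blob)
        print(label, findings, "PASS" if meets_policy(findings) else "FAIL")
```

The point of the check is the middle branch: an archive can be "password protected" and still be ZipCrypto, and a user who was told "just zip it with a password" will not know the difference, so anything that gates a transfer on "is it encrypted" needs to look at the method and extra field, not just the flag bit.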
(Also posted this on "Doctors warn on patient data", but it's totally applicable here too)
I work on support for one of the NHS data applications - just yesterday, received this revelatory problem report :
"We cannot log into [X], it is saying incorrect password on the system. This is for all users who use this password. "
So not only is a whole department sharing a login, but none of them understand why UsernameX/PasswordY does not work even when they try it on someone else's pc...
And you expect them to 'encrypt using aes256' ? Believe me, unless it happens automatically, it just ain't gonna happen.
Paris, cos at least when she makes me blow my top, I have a smile on my face.
The only problem with fools is they can be so darned ingenious.
If the council wants its security policy adhered to, they only need to do one or possibly two things now.
Issue a P45 to the offender, and make sure all current and future employees know what happened.
(Some people are stupid, or think they are above the rules that apply to everybody else, so they may need to issue a 2nd P45 to the next fool.)
I forget who it was (and I can't even be bothered to find out, sorry) who said
"Nothing is foolproof to a sufficiently talented fool."
But they were spot on.
('cos I like pirates, m'kay?)
It's simple: harness people's inertia.
Sounds like bullshit wordflappery, you say? Well, that may be, but consider:
Given the choice between "learn how to use fiddly & complicated new encryption software for the Com-Puh-Tarr Majick Bocks that I use at work" and "ignore fiddly & complicated new software and continue using the Com-Puh-Tarr Majick Bocks in the same way I always have done because I can't be arsed learning new skills", the path of least resistance suggests the latter option.
However, given the choice between "learn how to use fiddly & complicated new encryption software for the Com-Puh-Tarr Majick Bocks that I use at work" and "ignore fiddly & complicated new software, get sacked for gross misconduct, and then have numerous adventures exploring the fun world that is The Current Jobs Market", the path of least resistance suggests the former option.
Being the public sector, it's not going to happen without the ICO also harnessing the inertia of those higher up the chain, by making them choose between "Enforce new standards with adequate disciplinary procedures" and "Get hit with massive punitive fines, including personal liability for those at the top of the management chain, for allowing non-compliance with new standards".
But, you know, I say all this as though I expect the people involved to actually give a shit, when the truth is they barely manage to pay lipservice to the ideas...
as you say they don't give a shit, what's the betting this will be forgotten (and possibly repeated) within six months.
Secondly... it NEEDS to be personal fines. The management don't care about fines to the council as it's not their money; they will just take it out of petty cash (the council tax) and carry on as normal. If they were personally liable and had to pay for indemnity insurance in case they got fined, then MAYBE they would think about enforcing the security on the information they are entrusted with. Also, if they could not get the insurance, due to claims or being found to be incompetent etc., they would then become unemployable, so it would gradually clean out the system of these couldn't-care-less fucktards.
about private sector firms not wanting to hire ex-public sector employees.
I'm struggling to think of any of the companies I have worked with allowing someone who disobeyed a direct instruction (not to use unencrypted media) to continue in their role. It would be gross misconduct, and they would leave the building immediately.
It's in the culture.
But the member of staff "having problems" with the computer system is the same member of staff "having problems" keeping an eye on their shit.
Sound like an all-round winner don’t they?
I hope that they are currently "having problems" looking for a new job. In reality of course the tax payer is probably lavishing them with gifts. Anything to avoid giving the job to a properly adjusted person.
Really?! I've worked in a number of private companies where incidents of this nature have been common place. It's nothing to do with public/private sector and everything to do with the nature of the individual.
had resulted in a fine and bad publicity ?
Are you 'aving a bubble, matey?
I used to work for a *large security firm* that had a large *computer forensics division* and advised massive clients on *IT security issues*. All of this massively confidential market-/life-/career-sensitive data was sent around in unencrypted email, everyone was walking in and using their own USB sticks, laptop hard drives were unencrypted and had passwords... FFS we couldn't even get people to stop letting strangers through the security doors without their own electronic keycards!
It's not just underfunded, demoralised, overstretched social services workers that are crap at data security, it's the shiny corporate Big Smoke private sector workers too!
"I'm struggling to think of any of the companies I have worked with allowing someone who disobeyed a direct instruction (not to use unencrypted media) to continue in their role. It would be gross misconduct, and they would leave the building immediately."
I can think of 2 managers (relatively senior) in different companies who violated the security policy of the financial firms on a regular basis.
One used to walk away from his logged-in computer, in his office, which could authorise payments of £10m+ (sat in his office waiting for him to return, on several occasions, I had to seriously resist the temptation to give him a practical example of why the security policy was written that way).
The other gave his user ID and password to a senior supervisor, so that she could countersign large life insurance payments (something he was supposed to do as part of the audit controls).
From personal observation, I would say the quota of security-ignoring employees is about the same; it's just that private companies cover it up, whereas public bodies HAVE to tell. The resolution to this would be to make private companies declare these in their annual report.
..they are pretty poor for the user in terms of actually enabling them to do their work.
I would not be surprised if said employee was having problems with her encrypted USB stick only to find little or no help from IT. Faced with the choice of no records or insecure ones, they went with their job instinct.
It's easy to point and blame, but the real question is why there were problems.
My current client's security policy is that *all* USB memory devices are encrypted and Safend Protector runs on all machines and actively blocks all attempts to write to non-encrypted devices.
Why on earth are they not using something like this? Allow users to write to unencrypted devices and they will.
As an aside, the employee should be sacked for Gross Misconduct.
That given most councils need to shed staff to keep within budget, this employee would be one who was right at the top of the list.
I have actually briefly worked for Cambridge County Council (a very long time ago) and, to be fair to them, their IT system was far better than most. They resourced it reasonably well and they had dedicated teams whose job it was to prevent muppets from screwing things up. It just goes to show that you can only do what you can, but you still need to deal with the idiots no matter how good the policy or the systems are. Idiots will find a way to break the rules no matter what you do, unless you lock the system down to the point of making it almost unusable. I have worked with really restrictive systems that can still be abused if you know what you are doing; you cannot engineer for stupidity or wilful negligence, unless you put a CCTV camera behind every chair!
When I was there, their mentality for getting rid of incompetent people was rather weak: "It is too hard to get a replacement" was one excuse I heard. Whilst I sympathise to a degree, as recruiting social workers is a nightmare, I hope they have improved and are actually willing to properly punish people for gross misconduct. There is no excuse for not only breaking the rules, but also for breaking the first rule: don't get caught!
I must confess that when I saw the badly formed paragraph closing tag - </p - I initially thought it was some kind of emoticon representing the mental shortcomings of the user who can't handle operating an encrypted USB stick - something like a dunce cap paired with a tongue sticking out in extreme concentration.
Really? Really, really?
1) Insert encrypted stick
2) Fire up TrueCrypt (or whatever)
3) Select encrypted disc/file and mount/open it
4) Bash in the passphrase/challenge-response
5) Get some work done.
If that really is beyond the employee, then they are not fit to fulfil their role and should either be given remedial training or be demoted. If they had some genuine problem (e.g. dodgy hardware) then they should have reported it and got a replacement.
For breaching the rules like this, they should face summary dismissal. If they were unaware of the rules, dismiss their direct line manager. Repeat until you reach the first person who (suddenly) gives a shit.
It's not hard to do, when we implemented our data protection policy we had a look at software that prevented the use of unencrypted USB drives and found it was a function of our existing AV package. If you plug in an unencrypted USB drive then it is mounted read only by Windows.
What gets me is that I'm sure this fool would be outraged if his/her payroll details, DOB, home address and NI number were being carted around on an unencrypted USB stick. Yet they seem to think it's OK for them to carry sensitive data about others in such a manner.
Personally I feel their details should be published in the press as it only seems fair. But I know the majority would disagree. But surely some form of disciplinary action is required when an employee clearly goes against policy?
the didn't do this to people who weren't already vulnerable.
In one place I worked, a breach of security was not only written into the contract as grounds for instant dismissal, you would be very publicly marched between two rather large gentlemen from the establishment to the main gate, without even time to pick up your coat.
OK, this was in the days of floppies, but you almost never heard of any 'lost' disks.
I see absolutely no reason why the same shouldn't apply here.
Does no one make memory sticks with fingerprint scanners on? If the data's inaccessible without the print I'd have thought they'd be reasonably secure, and the odds of losing all of your fingerprints seem low?
...those scanners with a photocopier and some spit. Even the "good" ones.
I kid you not.
No excuse could be plausible here. It's against the law and against the council's IT policies, so as much as I don't like to see anyone lose their job, it's gross misconduct, with the only applicable sanction being immediate termination of employment. There can be no excuses here and organisations need to start sacking people that commit these sorts of acts. Then maybe people will do what they are told to do and use encrypted sticks or some other form of encryption like PGP or some of the corporate whole-disk encryption packages like Becrypt.
Although maybe it's time the council itself looked at something like Becrypt across the council, where they can enforce an encrypted disk and stick policy.
“What is clear is that in Cambridge County Council’s case, the loss wasn’t a failure on the part of security strategy, but rather one of employee education"
The strategy STILL allowed unencrypted data to be removed from site. That's a pretty big failure in my book.
It can't be beyond the wit of man, even Homo Cantabrigensis, to arrange permissions so any data which is to be transferred to external media can only be transferred via an encryption application.
If some employees can't cope with this then get better employees.
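Several comments above describe the control that was missing: Safend Protector blocking writes to anything that isn't an encrypted device, an AV package that mounts unencrypted sticks read-only, and permissions arranged so data can only reach external media through an encryption application. Every one of those needs a way to answer "is this volume actually encrypted?", and the trap is to answer it by trusting the user or the label on the stick. The following is an added example (mine, not the commenters' and not Safend's or any vendor's code) of the decision logic such a control can apply to the first sector of a removable volume: LUKS and BitLocker volumes carry a recognisable magic, FAT/NTFS/exFAT boot sectors identify themselves as cleartext filesystems, and a header with no magic but near-random bytes is what a TrueCrypt/VeraCrypt container looks like, which is not by itself proof of anything. The sample headers are constructed inline; the entropy threshold, the status names and the fail-closed policy (block unless recognised or explicitly allowlisted) are my assumptions.

```python
import math
import random
from collections import Counter

SECTOR = 512
HIGH_ENTROPY_BITS = 7.0   # bits/byte; genuinely random data over 512 bytes scores ~7.6


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_header(hdr: bytes) -> str:
    """Classify the first 512 bytes of a block device or partition."""
    hdr = hdr[:SECTOR].ljust(SECTOR, b"\x00")
    if hdr[:6] == b"LUKS\xba\xbe":                      # LUKS1/LUKS2 magic
        return "encrypted:LUKS"
    if hdr[3:11] == b"-FVE-FS-":                        # BitLocker OEM ID (Vista+)
        return "encrypted:BitLocker"
    if hdr[3:11] == b"NTFS    ":
        return "cleartext:NTFS"
    if hdr[3:11] == b"EXFAT   ":
        return "cleartext:exFAT"
    if hdr[0x52:0x5a] == b"FAT32   " or hdr[0x36:0x3e] in (b"FAT12   ", b"FAT16   "):
        return "cleartext:FAT"
    if shannon_entropy(hdr) >= HIGH_ENTROPY_BITS:
        # No magic and looks random: consistent with a TrueCrypt/VeraCrypt
        # container, but equally with a wiped disk or something we don't know.
        return "opaque:high-entropy"
    return "unknown:low-entropy"


def write_should_be_blocked(hdr: bytes, allowlisted: bool = False) -> bool:
    """Fail closed: only a recognised encrypted container, or a device someone
    has explicitly allowlisted (e.g. by serial number), gets write access.
    High-entropy-but-unknown media is treated as cleartext until vouched for."""
    if classify_header(hdr).startswith("encrypted:"):
        return False
    return not allowlisted


def classify_device(path: str) -> str:
    """Read the first sector of a real device (needs privileges; not run here)."""
    with open(path, "rb") as f:
        return classify_header(f.read(SECTOR))


# --- constructed sample headers --------------------------------------------

def _boot_sector(oem: bytes) -> bytearray:
    h = bytearray(SECTOR)
    h[0:3] = b"\xeb\x58\x90"        # jump instruction found on FAT/NTFS/BitLocker sectors
    h[3:11] = oem
    h[510:512] = b"\x55\xaa"        # boot signature
    return h

def sample_fat32() -> bytes:
    h = _boot_sector(b"MSWIN4.1")
    h[0x52:0x5a] = b"FAT32   "
    return bytes(h)

def sample_ntfs() -> bytes:
    return bytes(_boot_sector(b"NTFS    "))

def sample_bitlocker() -> bytes:
    return bytes(_boot_sector(b"-FVE-FS-"))

def sample_luks() -> bytes:
    h = bytearray(SECTOR)
    h[0:6] = b"LUKS\xba\xbe"
    h[6:8] = b"\x00\x02"            # LUKS version 2, big-endian
    return bytes(h)

def sample_opaque(seed: int = 7) -> bytes:
    """Stand-in for a TrueCrypt-style header: seeded pseudo-random bytes, no magic."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(SECTOR))


if __name__ == "__main__":
    for name, hdr in (("fat32", sample_fat32()), ("ntfs", sample_ntfs()),
                      ("bitlocker", sample_bitlocker()), ("luks", sample_luks()),
                      ("opaque", sample_opaque())):
        print(f"{name:10} {classify_header(hdr):24} block_write={write_should_be_blocked(hdr)}")
```

The commercial products named above ask the operating system (e.g. BitLocker status) rather than reading raw sectors, and an allowlist by device serial is how a TrueCrypt-style opaque stick normally gets approved; the thing worth copying is the default in write_should_be_blocked, which is that "I couldn't tell" means "no write", so a user who has "problems" with the encrypted stick ends up with a read-only plain one rather than a working unencrypted one.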