because fining a public funded resource will REALLY make the problem go away.
The number of times Brits' sensitive data has been lost or leaked in the UK has risen 1,000 per cent over the past five years. Councils recorded the biggest increase in breaches of data protection law, according to figures obtained by a Freedom of Information Act request. The stats from the Information Commissioner’s Office (ICO …
because fining a public funded resource will REALLY make the problem go away.
Criminal prosecutions are the only real deterrent.
The fines make the budget holder, or more importantly his/her replacement, take the issue of compliance seriously.
Having seen this in action with a copyright liscense that was abused, the fine from the liscense holder not only made the fool's replacement more careful, but it made all the other managers more careful.
I suspect why the councils are reporting more now, is that the potential £500k has focussed minds, and people are looking more carefully, and thus discovering stuff that previously was missed.
Whilst I am personally not a fan of moving wooden dollars around, this is actually an exception that proves the rule.
Considering the article says that it's the number of "self-reported" breaches that has gone up, for all we know the number of breaches per year could have stayed the same (or actually decreased) but more of them have been reported.
Typical journalistic sensationalism.
Of course the number of losses may have increased even more than is suggested but the number of times the breach has been noticed... All sorts of speculation is possible (in the good old days a journalist might have dug in and found out, not now)
...whether there has been a 1000% increase in the number of times the ICO have actually taken the culprits to task for these losses/leaks... No...? Thought not.
Yep, 1st our personal data is lost, then we pay for the loss by having our services cut (due to the fines imposed) or the fines cause a raising of charges to pay for for them. We lose out both ways.
Why not penalise the individuals instead of the institutions ?
Yeah! Let's penalise the IT managers that can't protect their network because of across the board cuts to budgets meaning they can't afford to put in the correct Security Controls to protect the data.
Oh, hang on..........that might not be their fault????
If the IT managers highlight the risks and issues in writing to their superiors who control the purse strings, and the superiors ignore them, then I would guess that would be a pretty tight defence in court.
Rule #1 - if bad shit is going on, make sure Senior Management are crystal clear as to the potential consequences (in writing), and make sure you've got a copy of what you sent to them...
"Yeah! Let's penalise the IT managers that can't protect their network because of across the board cuts to budgets meaning they can't afford to put in the correct Security Controls to protect the data."
Actually a lot of these are related to stupidly using fax machines to send S2/DPA98 data to wrong numbers, delivery of paper documents to the wrong address, etc.
DPA98 is NOT an IT thing, it is a Business thing, with an IT component
Fines are fairly pointless: firing the supervisors of departments might have an imapct, or higher if you can get the "pay me lots for my responsibilites" crew to admit to having any responsibility once this shit hits the fan.
It wouldn't be that they don't bother reporting it would it?
Its worth noting that the NHS is highest because it is the only area of the public sector with a statutory duty to report breaches under its IG Toolkit returns to the DoH.
Other public sector bodies are encouraged to report breaches as 'best practice' but there seems little appetite to pursue the private sector, probably because they have more expensive lawyers!!
.....you do know "per cent" is actually one word right? A word generally known as "percent"; unless of course the news is that we are now getting 1000 more leaks per cent paid...which sounds like a bargain.
Per cent is Latin for "for every hundred". Percent is just a contraction of those two words.
So "100 per cent increase in reports since last year" would mean that for every hundred reports last time there are now 100 extra reports. Pretty simple, really.
The thing I simply cannot get my head around is that we have military-grade encryption available to us all, for free, cross-platform and easy to use.
All data that goes out of my house - whether it be USB memory stick, portable HDD or laptop - is encrypted, the latter with whole volume encryption. I use TrueCrypt but there are others too.
So why do we keep hearing of these serious data breaches again and again? It's like hearing that some companies keeps getting burgled again and again because they are in the habit of leaving their front door open every night and don't employ a security guard.
Until such time as board level people or business owners are made personally liable, possible with a couple of days in prison) it's not going to change. The top mentality is still that doing nothing is cheaper than picking up the usual slap on the wrist in the way of a charge that can be paid out of petty cash (look at Google and their FTC fine).
The root issue is that ethics are not perceived to contribute to profits, only a lack thereof.
if you lose an encrypted usb with user details on it, you have still lost user data and need to report, even though it can't be used. just sayin.
What about the complaints originating from outside the organisations concerned? And what, when this is taken into account, is the ratio of private organisations that get fined as opposed to publically funded ones?
It would seem that the casework system used by the ICO does not keep a track of the type of organisation when complaints are sent in from people outside of the organisation, yet they must have the capability of doing so if they're keeping this information for self reported incidents.
Of course they would prefer you didn't think about this. It might result in some awkward questions about why they seem to reluctant to take action against the private sector. People might start wondering what use an independent regulator is to us when all it seems to do is claw back funding for the benefit of the treasury.
Those large percentages would appear to be largely as a result of the small numbers (of losses/breaches if not necessarily individuals) involved. There has been an infinite percentage increase in reported lion sightings in Essex of late (zoo and circus visits notwithstanding). When you're looking for something (and know what you're looking for), you stand a far better chance of seeing it. That the data is since 2007 is not insignificant - that's when the big HMRC data loss happened.
Are these "constant increases" a linear or geometric progression? That would help one judge whether things might get better - linear would mean the trend is set for a (mere) doubling in the next 5 years while geometric is on for another 1000% rise...
When I worked for a Local Authority we had to source our own encrypted memory sticks out of a tiny budget. We struggled to find an affordable solution ( BTW Truecrypt isn't that simple for non techies and anyway wouldn't work on our machines) but we managed to make sure that no sensitive stuff went out of the building, as far as I can be sure.
I'll bet that there are a million departments in local authorities etc. that haven't resolved the problem.
You can't do much about the ijit that leaves his briefcase in the pub. But the first step in managing this is making sure that users ( not techies) find that sensible security doesn't penalise the day to day work of the staff, is available, intuitive and convenient.
Of course by far the simplest alternative is not to have the data in the first place. If the police didn't keep years of records of everywhere we drove, the councils didn't insist on a computerised record of who had used the gym, the BBC and others didn't 'require' names and addresses for you to 'log on' to the website to 'post a comment' (oh, yes, el reg is guilty as well).... and all the associated other pointless monitoring and storing then the organisations wouldn't have the data to lose in the first place.
"the councils didn't insist on a computerised record of who had used the gym"
Woo, I know the answer to this one, having just completed my CYQ Level 2 fitness instructor training (yes an IT geek that teaches fitness too).
The reason the councils keep that data, is because of the prevalence of these particular adverts you might recognise:-
"Been involved in an accident in the last 5 years? Had a trip or fall? Regardless of blame call 0800-blood-sucking-lawyers. No win, no fee".
The council owned centre I have been training at has 15000 members of varying degrees. It's impossible to track that many members, and whether they attended a particular class within the last 5 years, unless it is held on computer. If it wasn't stored, every tom dick and harry would be claiming their £3000 average no win no fee from the local council, for injuring themselves in a class they hadn't actually attended.
It's sad but true. There is an awful lot of people out there willing to lie to make a quick buck. I've had to maintain my own PARQ database for the private classes I take outside of the leisure center for the same reason.
Unfortunately, when stuff leaks out it's usually information that someone did need. Whether they should need to take it home is another matter.
Why not just say "ten times"?
I wonder how many of the gov/NHS breaches are actually committed by private companies running services on behalf of the public sector? I recall from some of the past 'fessing ups that government departments take it on the chin on behalf of contractors, but cite "commercial confidentiality" when it comes to naming names unless the thumbscrews are given a proper twisting.
One very large private sector firm I've dealt with (unsurprisingly) encrypts it's laptops, but then suggests to staff via its intranet that they back up those drives to vanilla USB sticks - no encryption etc specified. That's going to end well...
Probably quite a few but here's the thing. Current UK law only penalises the data controller and not the processor and most privatised services are done on the basis that the private firm is a "data processor". Of course, the PA could sue the company for the breach but the damage's been done in terms of reputation and media coverage. It's unlikely that any case would actually get to court so no chance of any media coverage of the redress. The new EU Regulations proposes to change this imbalance and make the processor equally liable for breaches. That may have the effect of focusing prevously ambivalent companies processing public data.
As for the encryption thing - perhaps the f%^kwit that wrote the advice that unencrypted stickscould be used to back up encrypted drives should write the letter to the lawyers when company data ends up in the hands of a competitor.
What the article doesn't really look at is many of the problems are nothing to do with IT.
Yes some big failings are IT related but equally there are significant problems with hard copy information. Several fines have been issued for sending faxes to the wrong recipient repeatedly. This is clearly a human failing and not a tech failing in any way, shape or form.
I have personal experience of a significant breach at a former employer (this related to a stolen piece of kit) and although the organisation was largely blameless as a criminal offence had been committed (a break in) there was a distinct reluctance by the organisation to report the breach due to the potential embarassment.
The PR angle is the primary reason why many organisations without a requirement to report breaches dont report them and until breach reporting becomes a statutory requirement this will continue.