Sensitive council data sent to hundreds via PERSONAL EMAIL

Cheshire East council has been fined £80,000 by the Information Commissioner's Office (ICO) for failing to have adequate security measures in place when emailing personal information. The ICO said the serious breach of the Data Protection Act occurred in May 2011, when a council employee was asked to contact the local …

COMMENTS

This topic is closed for new posts.
  1. g e

    attempted to recall the email

    hahaha people still believe that stuff? M$ did a great job with that 'feature' :oD

    1. Chris Miller

      Oh dear

      To quote from the first paragraph of the Microsoft page on the Outlook 'Recall' feature:

      "The recipient of the mail you want to recall must also be using an Exchange server e-mail account. For example, you cannot recall a message sent to someone's personal Internet service provider (ISP) POP3 e-mail account."

      Given the article says the email was sent via a personal account, it's pretty unlikely the Exchange recall was used, probably more a case of sending another email asking all the recipients to delete the previous one.

      Still don't let that prevent you from posting a snarky comment, preferably using 'M$', which makes you look a really cool dude.

  2. Richard Wharram

    Smithers

    Use the amnesia ray.

  3. Anonymous Coward
    FAIL

    "we've handed out over £1m worth of penalties"

    or we've taken nearly £1m from the taxpayers to various councils?

    1. mark 63 Silver badge

      but what did they do with the £1M ?

      probably just swallowed it in their budget - but it's money that those of us in unaffected areas would otherwise be subsidising the data police

      and do these guys only have power over govt sector ?

      does the jurisdiction not include the real world?

  4. Jeebus
    Thumb Down

    I wonder if there will ever be a tangible punishment for the cretins poisoning all the public entities, or will there merely be pretend slaps on wrists and taxpayers footing the bill for their incredible incompetence.

    1. OffBeatMammal

      great use of taxes/rates

      rather than fine a council - who after all don't care because it's not their money - the people who are actually responsible should be penalized (from the top down, don't just sacrifice peons). Penalties could include everything from a reduction in salary (for individuals or teams) through to outright dismissal

      actually give these watchdogs some teeth when it comes to making sure civil servants (or as a friend of mine's child calls them "snivel serpents") actually live up to their name

      1. Tom 13

        Re: great use of taxes/rates

        That would be the same first thought I had. I mean, I can see the man accused in the email messages wanting some money via civil court if he hasn't actually been convicted of anything, but fines as penalties just don't make sense. I don't think I stop at dismissal either. I think there ought to be some framework whereby depending on how egregious the violation was, the snivel serpent could be brought up on criminal charges and sent to jail.

        And that goes double for my side of the pond.

  5. Arctic fox
    Flame

    I really do not see the point with fines of this kind.

    Who actually pays these types of fines? The tax-payer of course who also happens to be the victim of this cock-up. When they start fining the senior managers responsible 80k each *personally* then we might see some improvement. The same should also apply in the private sector. When a company screws up any fines involved should also include *personal* fines levied on the board of directors with it being totally illegal for the company to in any way compensate them - to make sure that in those cases the customers (the victims again) do not end up paying the transgressor's fines for them indirectly. It is a total nonsense that holding the "managerati" to account whether in the public or the private sector in practice ends up with the *victims* doing the paying.

    1. SJRulez

      Re: I really do not see the point with fines of this kind.

      The fines are really stupid, they take the money from the council (tax payer) for their own purpose. The fine really should be put back into the council's systems towards fixing their IT issues.

  6. Eponymous Retard
    Facepalm

    AGAIN?

    Is it déjà vu or have I already read this story about 3 times THIS WEEK alone? And these are the ones that go public so you can bet your ass it's happening a lot more often and is quietly swept under the rug.

    The fines don't work, signing bits of paper saying 'sorry, won't happen again' doesn't work, maybe we should look into some other form of incentive for not COCKING THIS UP time and time again?

    1. diodesign (Written by Reg staff) Silver badge

      Re: AGAIN?

      It hasn't escaped us that these cock-ups are alarmingly almost regular.

      C.

      1. Version 1.0 Silver badge
        WTF?

        Re: Re: AGAIN?

        Yes - AGAIN ... because there are no real penalties for it ... Oh sure - you can fine someone, somewhere but that's about it - they've no real incentive to not do it again and the cow orkers just shrug - no lessons learned and really why should they bother?

        On the other hand, hack the system and send out the same email and you're looking at personal fines on the individual and jail time.

  7. Winkypop Silver badge
    Alert

    Careful with that address Eugene.

    Name and shame the CEOs/Managers/Fuhrers...

  8. Hayden Clark Silver badge
    FAIL

    Private companies are rarely fined

    Either it's mostly public bodies that leak data, or private companies are only fined when we are looking.

    Take a look at:

    http://www.ico.gov.uk/what_we_cover/taking_action/dp_pecr.aspx#monetarypenalties

    Only 2 non-public entities have been fined in the last 18 months. One of those was ACS:Law, which they really could not ignore. The other was some poor solicitor who got his laptop burgled from his house.

    Then look at:

    http://www.ico.gov.uk/what_we_cover/taking_action/dp_pecr.aspx#undertakings

    Oh look, lots of companies have to sign the meaningless bits of paper. I suspect that:

    DSG: Credit card details in a skip.

    Yorkshire Building Society: Stolen laptop

    Healthcare Locums Plc: Laptop sold without being wiped

    Rainforest Alliance Ltd: Theft of laptop

    -- would have merited fines had they been councils.

    Are brown envelopes involved, old school ties, or funny handshakes?

    1. Vic

      Re: Private companies are rarely fined

      > Are brown envelopes involved, old school ties, or funny handshakes?

      I doubt it. I just don't think the ICO is very interested in investigating data breaches.

      I once asked them to get involved when I saw a company director deliberately handing out private information in a hamfisted attempt to smear a rival. The ICO did best part of bugger all - they simply accepted said director's assurance that the data was already in the public domain as gospel. The poor guy on the receiving end disputed that assurance, as did a number of third parties - including me.

      But the ICO didn't care. It declared the case to be closed.

      Vic.

  9. Anonymous Coward

    Actually...

    The fine was £64000 as they paid promptly..

    I know, I had the email this morning....

    Anon because they are my employer...

  10. Anonymous Coward

    Every organisation in HMG processing personal information has a mandatory requirement to nominate a Senior Information Risk Owner (SIRO) and an Information Asset Owner (IAO) who are responsible for ensuring personal data is registered and managed securely. Rather than the ICO fining organisations for data breaches which comes out of the public purse anyway and doesn't help the people cocking up learn their lesson why not make the people responsible for protecting our data responsible. - https://update.cabinetoffice.gov.uk/sites/default/files/resources/iao-role.pdf

  11. Anonymous Coward

    Fining any sort of corporate body only punishes the customers/users of that body.

    This sort of up-foul will continue until the most senior executive officer risks an automatic prison sentence for it. No "ifs", no "buts", no "maybes", when a corporate body loses or incorrectly publishes personal information the most senior executive officer gets a turn inside.

    That, and only that, will concentrate the corporate mind.

    Also speed is the essence here, the sentence needs to be handed down before the responsible officer can resign/retire. It will also probably require legislation to ensure the up-fouls get reported.
