Rochdale Metropolitan Borough Council has become the latest local authority to be named and shamed after it lost an unencrypted memory stick that contained the details of 18,000 residents. According to ComputerWeekly.com, the Information Commissioner’s Office (ICO) has found the council in breach of the Data Protection Act but is not enforcing a monetary penalty because the information held on the USB device was not enough to cause substantial distress to individuals in the community.
Although the information was mostly already publicly available, this breach is further proof that these security risks are genuine and that organisations everywhere need to take real steps to prevent this type of loss from recurring. The ICO found that, like many other companies and organisations, Rochdale did not have adequate security, such as encrypted memory sticks, or data protection training for its staff. And these measures are just the bare minimum of what should be done.
This time, Rochdale has been lucky. But as these breaches become more common and the ICO has more tools at its disposal, organisations should evaluate how they protect electronic personal information.
See the full story on www.ComputerWeekly.com
These days, it seems that we hear of a major privacy breach every day which relates to misplaced personal data. But it’s not just a recent problem. Back in 2006, a Canada Revenue Agency (CRA) auditor copied 6 years’ worth of confidential taxpayer information onto 16 unencrypted CDs and proceeded to let a friend download one onto his laptop. Although the agency has policies and procedures in place with regard to this type of download, they were not followed.
The breach came to light in 2009 during a grievance hearing in which the employee produced the material so that the Public Service Labour Relations Board could read a key 2005 email. Although she won £6k for her pain and suffering, the larger problem of the 16 unencrypted CDs came to light. The employee was able to recover and return them to the agency, but the laptop that held the downloaded file, which contained nearly 2,700 instances of confidential taxpayer information, could not be recovered.
Putting so much personal data at risk is not ideal. But the problem was made even worse when the agency deemed the incident to be “low risk” and therefore did not report it to the privacy commissioner, who is now asking why no one alerted her to the breach when it was discovered 2 years ago. The CRA has also admitted that although there were policies and procedures in place for safeguarding data, employees themselves were generally unfamiliar with them.
No doubt staff training will be high on the CRA’s list of priorities. But regardless of steps being taken by the agency, even informed employees misuse confidential data. Along with training, companies should consider tighter security controls and an insurance policy which covers employee misconduct in cases like this.
See the full story on www.theglobeandmail.com
Our CPM policy covers employee dishonesty and other key privacy exposures.
According to the UK’s Government Communications Headquarters (GCHQ), cyber attacks are now as big a threat as international terrorism. The last year has seen a huge increase in the number of high-profile attacks and a greater diversification in who is targeted and why. It is thought that Russia and China are amongst the worst for involvement in cyber attacks.
Because of its international scope, the problem can be a tricky one to address. Cybercrime and cyberwarfare have no borders and require a co-ordinated response in order to effectively combat them. With this in mind, the UK government will host a 2-day international conference on the issue this week in London. Attendees expected include figures such as US Secretary of State Hillary Clinton and EU representatives plus several technology entrepreneurs and cyber security experts.
Although many of us are aware of the black market for credit card information stolen via the internet, the BBC reports that the problem is getting much bigger than that, with everyone from technology companies and energy providers to engineering firms and defense contractors at risk of getting their ideas, contract details, and worse, stolen. Many of these attacks are coming from foreign intelligence services looking to capitalise on the success of companies in the West.
The UK government now says it ranks cybersecurity as a top priority. The conference in London this week is the first step in addressing the problem, but because of the private status of many of the UK’s critical infrastructure firms, it is thought that the government may need to do more to ensure at-risk companies have the right protections in place.
See the full story on BBC.co.uk