Posts Tagged ‘business’

ICO issues Midlothian Council record fine of £140,000 for disclosing sensitive personal data

February 4th, 2012

Midlothian Council pays hefty fine for data breach

The ICO is leaving no stone unturned to punish data breach culprits. It is levying fines on those who compromise private data, especially children’s sensitive data.

Recently the ICO issued Midlothian Council a record fine of £140,000 for disclosing sensitive child data. And we are not talking here about just one breach. There were 5 breaches between January and June 2011.

The case in detail

Breach 1 – This happened when documents related to the status of a foster carer were sent to seven healthcare professionals, who had no reason to see this data.

This particular incident took place in January 2011 and details came to light only in March when the council started to investigate. In spite of the investigation similar incidents took place in May and June.

Breach 2 – Minutes of a child protection conference were sent by mistake to the former address of the mother’s partner, where they were opened and read by an unauthorized individual. The documents contained personal data about the mother, who made a complaint to her social worker about this case.

Assistant Commissioner for Scotland Ken Macdonald said: “The serious upset that these breaches would have caused to the children’s families is obvious and it is extremely concerning that this happened five times in as many months.”

“I hope this penalty acts as a reminder to all organizations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure.”

He further added that information about children’s care, details about their health and wellbeing, is the most sensitive information that is held by local authorities. It goes without saying that this information has to be protected and that strict policies are to be chalked out and followed.

The ICO’s investigation

According to the ICO, all five breaches could have been avoided if the council had been strict about protection policies and training and had put checks in place. It has further ordered the council to take action to keep the personal data secure.

Since the incidents the council has recovered all of the information that was sent to the wrong recipients and is updating its security policies.

What the ICO chiefly wants is for the government to give it stronger powers to audit local councils’ data protection compliance, if necessary without consent.

NHS bodies across the UK want the same kind of powers in light of the recent data protection breaches.

Midlothian Council comments:

Colin Anderson, chief social work officer for Midlothian Council, commented: “As soon as the council discovered the problem, it investigated and found eight letters or documents had been sent to the wrong recipients, for which the council is sincerely sorry.

“The council immediately took steps to retrieve the information, or have it destroyed, and voluntarily reported ourselves to the information commissioner. I must emphasise that there is no evidence that anyone was put at risk.”

Cyber-security with Alertsec

Alertsec Xpress is a very easy and convenient service which enables securing valuable information on laptops.

Alertsec Xpress is powered by Check Point, the market leader in the field of mobile data protection. The software was launched 16 years ago and is the most robust software on the market today.

Alertsec Xpress provides:

  • Fully managed service for your convenience.
  • Very cost effective service.
  • Market leading laptop protection service.
  • Quick and easy implementation.
  • Easy to use protection.
  • Transparent solution.
  • Global 24/7 helpdesk.
  • 100% secure and reliable encryption

SEC wants companies to disclose their data breaches

October 15th, 2011

SEC orders companies to report data breaches

Corporate giants have traditionally handled data breaches by not revealing them and not offering details. They have always preferred keeping mum. It won’t be an exaggeration if we say that tens of billions of dollars worth of data is compromised every year from U.S. companies and very little of it gets reported!

But that is about to change. The Securities and Exchange Commission (SEC) has formally asked corporations to report data breaches and cyber crimes. The new guidelines issued by the SEC state that publicly traded companies must report cybertheft or attack and any risks associated with data.

These guidelines are a result of Sen. John D. Rockefeller’s initiative. “This guidance changes everything. It will allow the market to evaluate companies in part based on their ability to keep their networks secure.”

“For years, cyber risks and incidents material to investors have gone unreported in spite of existing legal obligations to disclose them.” “Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark.”

The current regulations do not specifically talk about cyberattacks. They only expect companies to report if there is risk to their material wealth. But now companies will be forced to talk about cyberattacks, thanks to these guidelines. The guidelines might, in addition to the above, ask the companies to disclose data breaches that took place in the past.

Cyber security is being beefed up through these regulations as cyber crime is on the rise. Recent major breaches, including those at Sony and Citigroup Inc., have resulted in this action.

Melissa Hathaway, an ex-White House cyber coordinator, said in her statement: “It’ll force executives to really understand what’s going on within their corporations.” “I think it will create the demand curve for cybersecurity.”

Which cyber-incidents will be included in the guidelines?

Cyber incidents that could materially affect products, services, relationships with customers or suppliers, or competitive conditions will be a part of these new regulations.

Here is the exact wording in the guidance:

Registrants should address cybersecurity risks and cyber incidents in their MD&A [management discussion and analysis] if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition

Alertsec comes to the rescue

80% of data loss is due to lost or stolen equipment. 50% of network breaches take place by using passwords from lost or stolen equipment. Laptop encryption is the solution to the laptop theft problem. Small and big companies are now realizing the importance of tracking software. Alertsec offers a laptop encryption service to secure your data.

Organisations are now aware of their data security and are implementing data encryption techniques. Alertsec uses encryption software to protect data from breaches and theft.

Alertsec Xpress is backed up by Check Point Full Disk Encryption and is used by over 4 million users worldwide, with single deployments exceeding 150,000 laptops and PCs. This is the most deployed software of its kind and is seen as today’s market leader.



SCRA breaches data for the second time exposing children’s details

September 7th, 2011

Sensitive info papers lost from filing cabinet

Data breaches are online as well as physical

Data breaches are not restricted to online or soft copy data loss. They also include theft or loss of physical documents.

Here’s a look at a recent case of physical and digital data theft.

Scottish Children’s Reporter Administration (SCRA) breaches Data Protection Act for the second time

The Scottish Children’s Reporter Administration (SCRA) has breached data security related to children’s data twice in the last 6 months. The SCRA is an organization dedicated to protecting children in the judicial system. The body investigates the care of Scotland’s most vulnerable children.

Details of the two breaches

In January 2011 the Scottish body sent documents containing a child’s personal data to the wrong email address. The documents carried sensitive information, such as details of child abuse related to the legal case, and included the contact information of the child’s mother and witnesses.

Later, in September 2010, the body somehow lost 9 case files which contained personal data such as birth dates, names and social reports. Apparently the files got lost when the filing cabinet which contained these files was moved and later sold to a second-hand furniture shop.

Mishandling of sensitive information

Ken Macdonald, assistant information commissioner for Scotland, is concerned that data had been breached twice by the same organization.

“On both occasions the personal data which was compromised related to young children and was caused by human errors that could easily have been avoided,” said Macdonald. He further added: “I am pleased that the Scottish Children’s Reporter Administration has taken action to make sure that the personal information they handle is kept secure and would urge other organizations, particularly those handling sensitive information relating to young people, to follow suit.” Fortunately, both times the information was not circulated.

Information handling post breach

Neil Hunter, chief executive of the SCRA, is renewing the organization’s data protection policy and training employees about data security.

The ICO (Information Commissioner’s Office) is holding workshops related to raising awareness of data protection obligations among staff.

About ICO

The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

Security guaranteed with Alertsec Xpress

This incident highlights the need for data security and data encryption software. The threat could have simply been reduced to an insurance matter by a mere investment of $13/month. The information would have been secure with no loss whatsoever. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.

Alertsec has offices in the US, UK and Sweden, and operates in many other countries around the world through partners.

Its mission is to continuously improve its products and services in order to deliver the easiest and most cost-effective managed encryption service on the market.




Cloud computing could be the answer to the recent hacking attacks

July 28th, 2011

Time to move to Cloud computing?

It is high time security standards for data are redefined. The recent hacking attacks stress this need and laws against hackers need more strengthening.

Is cloud computing the answer to the hacking question?

The Commission on the Leadership Opportunity in U.S. Deployment of the Cloud, or CLOUD2, came up with a plan for how the government should work with industry, academia, and other nations to use cloud technology effectively.

The government will study viable cloud computing solutions for technology and make a decision about its implementation in federal IT.

The CLOUD2 commission consists of 71 of the nation’s experts from the cloud computing industry, who dedicated more than 2,000 hours of work in person and in the cloud. The Commission is headed by Salesforce.com Chairman and CEO Marc Benioff and VCE Chairman and CEO Michael Capellas.

The CLOUD2 commission is hoping to use cloud adoption to foray into the global IT world and create employment.

“The debate around cloud computing is over – everyone agrees the shift to the cloud is inevitable,” said Marc Benioff, chairman and CEO, salesforce.com and the Commission’s Co-chair. “The Cloud First Buyers Guide for Government provides the best practices for how agencies can evaluate and deploy cloud services, helping them make huge gains in productivity and efficiency.”

“Today’s recommendations by the commission will help further accelerate adoption of cloud computing within the government infrastructure,” Michael Capellas, CEO of VCE, a cloud venture backed by Cisco and EMC, said in a statement. “Faster adoption of cloud computing will strengthen the United States’ leadership position in the global marketplace and ignite creation of jobs that will be in high demand over the next decade.”

The 14 recommendations include four important areas of cloud computing:

  • Trust – Organizations must trust that the cloud can help secure their data and provide protection against hacking.
  • Transnational Data Flows – The cloud has no national borders. Its full potential will be realized only via data flow across international borders.
  • Transparency – Cloud providers will earn confidence from corporate America and government agencies by providing users meaningful ways to evaluate cloud implementations and for vendors to share relevant and reliable information about their capabilities to build trust in the system.
  • Transformation – For the cloud’s implementation there must be a change in how the federal government acquires technology, thereby creating jobs.

The Commission has also produced a Cloud Buyer’s Guide, which is available online at http://www.cloudbuyersguide.org/

Presentation of the above recommendations

The committee has presented its recommendations with federal CIO Kundra (outgoing), Commerce Secretary Gary Locke, and Pat Gallagher, director of NIST.

Concerns over cloud

Although companies can benefit from the cloud, they are still concerned about the security risks.

David LeDuc, SIIA’s senior director of public policy, says: “The reality is that most of the fear associated with security as it pertains to cloud computing, is that people think they’ll have less control over the systems and the information. They feel they’re relinquishing direct control of their data.”

Data stays safe with Alertsec

Alertsec Xpress offers a customizable data encryption software solution from Check Point, the industry leader in encryption software (formerly Pointsec). Alertsec has come up with a web-based encryption service that helps in deployment and management of PC encryption.


WellPoint fined $100,000 for breach

July 12th, 2011

Indiana State files lawsuit against data breach

Indiana-based health insurer WellPoint has to pay a fine of $100,000 for a data breach that involved personal information such as name, date of birth, address, Social Security number, telephone number, e-mail address, and health and financial information of 32,000 Indiana customers.

Why?

The fine was imposed because WellPoint waited too long before informing Indiana officials of a security breach that involved personal information of 32,000 members. It has also been asked to reimburse affected parties up to $50,000 as part of the settlement reached with the Indiana Attorney General. In addition, it has to provide up to two years of credit monitoring and identity theft protection services to affected customers.

Read more: http://www.ihealthbeat.org/articles/2011/7/7/wellpoint-to-pay-100k-to-settle-lawsuit-over-indiana-data-breach.aspx#ixzz1Rs49DlJw

“This case should be a teaching moment for all companies that handle consumers’ personal data: If you suffer a data breach and private information is inadvertently posted online, then you must notify the attorney general’s office and consumers promptly,” Zoeller, Indiana Attorney General, said. “Early warning helps minimize the risk that consumers will fall victim to identity theft.”

What happened?

Personal information was compromised for at least 137 days between October 2009 and March 2010. According to the suit, WellPoint learned of the problem Feb. 22, 2010, but didn’t inform the clients until June. Indiana state law also required that the Attorney General’s office be immediately notified, but WellPoint failed to do so.

The lawsuit

The Indiana Attorney General lawsuit alleged that member information was accessible from Oct. 23, 2009 until March 8, 2010. It stated further that WellPoint received written notification from Sarah Groveunder, a consumer, about the breach but failed to contact her until March 4. WellPoint started informing affected consumers only from June 18 and did not finish notifications until July 30.

What is surprising is that, since the 2009 law went into effect, warning letters have been sent to a total of 47 companies for being slow to notify authorities about breaches. “Many companies keep vast quantities of consumers’ personal data and they are required to handle it confidentially and not carelessly. That’s not just good business practice; that’s the law,” Zoeller said in a statement.

Security

According to Legal Newsline, the site was immediately secured. WellPoint issued the following statement soon after the settlement: “Anthem Blue Cross and Blue Shield is committed to protecting the privacy and security of our members’ and applicants’ personal information. We have implemented I.T. security changes to ensure that this situation will not happen again, and we have received no indication that any information that may have been accessed has been used inappropriately.”

How can Alertsec help?

Thus, in the absence of full disk encryption, the privacy of consumers gets compromised. It is vital to use data encryption software in order to keep our data safe from breaches. Data security and recovery software is the need of the hour. $13/month is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model.
