Log in

Posts Tagged ‘ICO’

ICO wants to maintain location privacy so that data is not misused

December 13th, 2011

Most of our posts have been concentrating on data breach and laptop theft. This one talks in particular about strengthening data security laws which is the need of the hour, especially for private firms.

The recently held conference called ‘A fine balance 2011: location and cyber privacy in the digital age’ focused on maintaining data privacy just when smart phones, credit cards and other devices are tracking user locations.

Here is what Jonathan Bamford, the head of strategic liaison from the Information Commissioner’s Office (ICO), had to say”"We need to inspire public trust into the way information is issued. What do we do as a regulatory option?” “There is no doubt that human activities have a geographic component and some may be more sensitive than others. Your phone is with you all the time so anything that relates to a smartphone can be very powerful in terms of how I live my life.”

It si very important to manage location data carefully, especially those who develop operating systems and applications. Bamford further adds”"People who develop applications have a series of obligations as do those who create the operating systems. Everybody has a role to play.” “If location data is obtained how long do you retain it for? You can build up a picture of how I live my life if you retain it too long.”

Bamford also explained ICO’s role in data security, especially in terms of audit inspections of govt organizations. Currently the general public is under the impression that the information that they fill up on any website is completely secure. They need to carry this impression for long hence data security is of utmost importance. The people also need to know exactly what is being done about their data and where it is sent. This is where location based services come in. All advertisers want your zip code. A zip code allows a advertiser/provider to get more insight into your life. Companies are getting closer to you with technologies like iPhone.

It is time that the ICO keeps a tab over private sector as well. These private companies are using location based services and getting private data of customers. There is a very high chance of this data getting misused. Currently the ICO can only monitor govt bodies. Companies like Facebook, Google and Groupon are a potential threat to privacy. To add oil to the fire, the development of IPv6 networks could be even more threatening as it will be able to access more private data.

According to Richard Hollis, US group of Info systems audit and control association “As we match the physical world to the virtual world, by placing items such as fridges or even your car keys on the internet, firms could have even more access to your data, your location and your life”.

Use Alertsec

Organisations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Use Alertsec
Organisations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.
Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption

ICO wants to inspect private firms for data security issues

.

No comments »

Posted in Computer security, Lawsuits and settlements, computer security software, data breach

Tags: Check Point Credit card data breach data security disk encryption ICO Information Commissioner Information Commissioners Office Information privacy IPhone Operating system privacy Richard Hollis security

Powys County Council to pay £130,000 fine to ICO for data breach

December 9th, 2011

Powys County Council in deep waters over data breach

Last few posts mentioned about fines being imposed on councils who have breached the data protection act. But this post breaks all records. It talks about how Powys County council was asked to pay a fine of £130,000 to ICO for data breach. This is the biggest fine ever!

The ICO’s office was conferred powers to impose fine on data breaching organizations on April 2010. Assistant Commissioner for Wales Anne Jones says”There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK’s local government sector to discuss how we can support them in addressing these problems,”.

The strange part is that Powys County Council had earlier breached this act twice but had not gotten caught. But this time luck was against the organization and it is expected to pay a hefty fine. Here is the ICO’s statement regarding the earlier data breaches “Two separate reports about child protection cases were sent to the same shared printer. It is thought that two pages from one report were then mistakenly collected with the papers from another case and were sent out without being checked. The recipient mistakenly received the two pages of the report and knew the identities of the parent and child whose personal details were included in the papers. The recipient made a complaint to the council and a further complaint was also submitted by the recipient’s mother via her MP.”

The first incident was written off as an ‘once in a blue moon’ error but then a second one occured where a social worker sent data about another child to the same member of the public who was also familiar with the child.

Ann Jones further added”This is the third UK council in as many weeks to receive a monetary penalty for disclosing sensitive information about vulnerable people. It’s the most serious case yet and it has attracted a record fine. The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations.”

The ICO had given an warning to the council to revamp its security policies or be ready to face consequences. Not much has changed in terms of security, the latest breach makes that all too clear. Now the ICO has threatened to take the council to court if it does not get back on its feet and beef up its security measures. The ICO has further made it compulsory for the counil to train its staff on how to follow the council’s guidance on the handling of personal data by 31 March 2012, along with refresher training provided every three years.

Alertsec to the rescue

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organisations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

No comments »

Posted in Computer security, Data Protection, Identity and Information loss, Lawsuits and settlements, computer security software, data breach, data encryption, identity theft

Tags: Assistant Commissioner Check Point Child protection data breach Data Protection Act 1998 ICO Information Commissioners Office Information privacy Member of parliament Personal computer Powys Powys County Council

North Somerset Council and Worcestershire County Council pay penalties for data breach

November 29th, 2011

In the post dated Nov 27 we talked about local authorities under ICO’s radar. This is further to that post.

The Information Commissioner’s Office (ICO) has fined the North Somerset Council and Worcestershire County Council for ‘serious email errors’. According to the ICO in both the cases, the staff members sent highly sensitive personal data to the wrong email addresses. The first took place at North Somerset Council in November 2010 when a council employee sent five emails to the wrong NHS employee. Two of these emails had highly sensitive and confidential information related to a child’s serious case review.

Strangely enough, data was emailed to the same NHS employee three times again! And this was after the council employee was communicated about the error. The incidents took place in Nov and Dec last year.

The Worcestershire County Council – The Worcestershire County Council employee emailed highly sensitive personal data belonging to a large number of people to 23 wrong email addresses. The employee got in touch with the receipients immediately notifying them about deleting the email. These recipients worked for registered organisations and followed the council’s protocols about handling sensitive data.

Information Commissioner Christopher Graham, said: “Personal information in cases involving vulnerable people is about the most sensitive personal information imaginable.

“It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils.

“It was fortunate that in both cases at least the e-mail recipients worked in a similar sector and so were used to handling sensitive information.

“This mitigating factor has been taken into account in assessing the amount of the penalties.”

The Worcestershire County Council was fined £80,000 penalty for a March 2011 breach and the North Somerset Council was fined £60,000 fine for a serious breach of the Data Protection Act that took place in Dec 2010.

The ICO has the power to fine organisations up to £500,000 for serious data breaches. It is now following up with the Ministry of Justice for more powers that can audit local councils’ data protection compliance.

It is the local authorities responsibility to protect highly sensitive information related to patients, kids, etc. The common man must sleep well at night thinking its information is safe with the local authorities. But realities shows that is not the case. UK citizens are getting sleepless nights after reading data breach cases. In order to prevent such data thefts, every council must revamp its security policies and train its staff members.

These cases are a wake-up call to all public sector organisations. The ICO has started penalizing councils who have breached the data protection act. If local authorities want to avoid this penalty, they better get back on their toes and act fast. After all sensitive data of vulnerable people is at stake here and such incidents cannot be taken lightly.

Cyber-security with Alertsec

Alertsec Xpress is a very easy and convenient service which enables securing valuable information on laptops.

Alertsec Xpress is powered by Check Point, the market leader in the field of mobile data protection. The software was launched 16 years ago and is the most robust software on the market today.

Alertsec Xpress provides:

• Fully managed service for your convenience.

• Very cost effective service.

• Market leading laptop protection service.

• Quick and easy implementation.

• Easy to use protection.

• Transparent solution.

• Global 24/7 helpdesk.

• 100% secure and reliable encryption

Worcestershire County Council fined for data breach

No comments »

Posted in Computer security, Data Protection, computer security software, data breach, data encryption

Tags: AlertSec Xpress Check Point Christopher Graham Confidentiality data breach Data Protection Act 1998 ICO Information Commissioners Office National Health Service NHS North Somerset North Somerset Council Personally identifiable information Worcestershire Worcestershire County Council

Southwark Council faces heat from ICO for data breach

November 23rd, 2011

If you remember, last blog post talked about a laptop theft incident that occurred years ago but was reported only recently. This post is based on the same lines.

Details from the Information Commissioner’s Office (ICO)

The Southwark council failed to manage its paperwork and a computer that contained data of 7,200 individuals when it moved from its site at the Spa Road Complex in December 2009. When the new company moved in, it found this data that contained addresses, names and information relating to medical history, criminal convictions and ethnicity.

Sally Anne Poole, Acting Head of Enforcement at the ICO, said “The fact that thousands of residents’ personal details went missing for over two years clearly shows that Southwark Council’s policies for handling personal information are below standard. As this information was lost before the ICO received the power to issue financial penalties we are unable to consider taking more formal action in this case,”.

Investigation report

The investigation revealed that this data was unencrypted and that the protocol supposed to be followed while moving was not up to the mark. Had this incident taken place recently, Southwark would have been fined by the ICO. Thus Southwark Council had breached the Data Protection Act.

According to an Information Commissioner’s Office (ICO) spokesman”The computer was an old Apple iMac,”. “It had some security features, like password protection, but no encryption. The vast majority of details were on the computer.”

More details emerge

It appears that the unencrypted iMac and other papers were left in the vacant building for two years. The new tenants discovered these documents in June and threw them into a skip.

What is Southwark doing post incident?

The Council is in the process of revamping its data security procedures and ready to be audited in 2012. It plans to join the other 105 councils, schools, trusts and businesses that have signed undertakings with the Commission since January 2010. The ICO has in addition, issued three enforcement notices, conducted two prosecutions, and has issued fines to six organisations ranging from £1,000.

A Southwark Council spokesman said: “As soon as this incident was reported to us, we instantly launched an internal investigation and worked closely with all other relevant authorities to ascertain exactly what had happened.

“We treat any reporting of a possible breach of data very seriously indeed. Throughout this issue the council advised and co-operated with the Information Commissioner’s Office and has now put in place a number of measures to improve its handling and storage of personal data.”

Southwark council in trouble for data breach

Secure your Data with Alertsec

Following the essential guidelines is very necessary for data security in any organization. This news exemplifies the need for data protection applications. In an incident which highlights the need of Data encryption software and recovery software, the threat could have simply been reduced to an insurance matter by a mere investment of $13/month. The information would have been secure with no loss what so ever. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.

No comments »

Posted in Computer security, Data Protection, computer security software, data breach, data encryption

Tags: Big Brother Watch Confidentiality Data Protection Act 1998 ICO iMac Information Commissioners Office Information sensitivity laptop Local government London Borough of Southwark Office Personally identifiable information Southwark Southwark council

Unencrypted laptop stolen from Ruth Crawford QC during Holiday

November 21st, 2011

We have mentioned before about laptop theft cases going unreported. In the following case laptop was stolen in 2009 but the incident came to light only now, after 2 years! To top it all, this laptop belonged to a Scottish lawyer who we expect should have been diligent enough to guard client’s data.

Ruth Crawford QC was on a holiday when her laptop went missing. The laptop contained personal information related to clients who were a part of Ms Crawford’s eight court cases. This data was specifically about the mental and physical health of the clients.

Ms Crawford was lucky that the incident took place in 2009. Had it taken place seven months later, she would have been fined for breaching the data protection Act as that was when the ICO was given new powers to impose fines of up to £500,000.

As of today Ms Crawford has signed an undertaking that says she is going to encrypt all her portable devices and secure them properly. These are the exact words of the undertaking ”The theft occurred while the data controller (Ms Crawford) was on holiday, having left plumbers to fit a new boiler at her home. The data controller provided the plumbers with keys and the code to her alarm. She highlighted the importance of keeping her front door locked and of activating the alarm when leaving the house.

“Upon returning from holiday on September 3 2009, the data controller discovered that the laptop and a purse were missing from her study. She subsequently reported the matter to the police. The commissioner has noted that physical security measures were in place at the time of the incident but that there was insufficient technical security employed on the laptop to protect the data.”

According to Ken Macdonald, Assistant Commissioner for Scotland: “The legal profession holds some of the most sensitive information available. It is therefore vital that adequate security measures are in place to keep information secure.”

“As this incident took place before the 6 April 2010, the ICO is unable to serve a financial penalty in this instance. But this case should act as a warning to other legal professionals that their failure to protect personal information is not just about potentially being served with a penalty of up to £500,000, it could affect their careers too. If confidential information is made public, it could also jeopardise the important work they do in court.

“The ICO would also like to assure the legal profession that any information reported to this office will not be disclosed unless there is specific legal authority for us to do so. Therefore all breaches should be reported to our office as soon as practically possible.”

Alertsec is a data encryption service company. Organisations, be it big or small, must have encryption in place. If you are an individual works independently or is not covered by the organisation can also use self-encrypted drives. Alertsec helps with the installation, the cost of this encryption service is negligible compared with the hassle, cost and embarrassment.