ICO's new data breach penalties kick off amidst a melee of data losses

ICO's new data breach penalties kick off amidst a melee of public sector data losses and censure actions.

April 2010 - In a fortnight that has seen two councils leak data and the Information Commissioner's Office slamming further three councils for failing to protect their data - you could be forgiven for thinking that the public sector is leaking data like a sieve.

But, says Credant Technologies, this is all a sign that the ICO is ramping up its investigations and rulings, in preparation for this week's introduction of a 100-fold increase in the maximum penalty for a data breach.

According to Sean Glynn, product manager with the data security specialist, with penalties of up to half a million pounds, it's clear that the ICO's office is girding its loins for what could be a spring and summer of discontent amongst IT managers, as their data insecurities are made public.

"As last week's data breach involving the loss of data on 9,000 teenagers from Barnet Council (http://bit.ly/8Y0Hw0) being stolen from the home of an employee, shows, having a good set of security policies in place does not help if you do not use technology to firmly enforce those policies," he said.

"And as the case of Stoke-on-Trent's council social work department apparently losing an unencrypted USB stick in the mud (http://bit.ly/bMjcZv) also shows, security policies are for naught if the staff don't stick to the council's policies," he added.

And if you look closely at the three effective censures that the ICO's office made last week against three councils - Highland (http://bit.ly/ao5lrp),  St. Albans (http://bit.ly/9rwk9I)  and Warwickshire (http://bit.ly/aqiJB0) - you'll see a common thread running through them: a lack of effective implementation of security policies, the Credant product manager went on to say.

In the case of Highland Council, where personal data on one family was released to another, you can see that staff at the sharp end let the side down. And in the St. Albans incident, where a laptop was stolen last summer, it was a similar lack of engagement by the staff concerned, who left the notebook on a desk without security it, he explained.

The final censure against Warwickshire county council, says Glynn, was the result of two laptops and a USB stick in two unconnected incidents, that were stolen.

The common thread to all five - or six incidents, depending on your point of view - is that a conventional IT security approach has clearly failed, with security policy enforcement proving to be ineffectual in all cases.

But, he went on to say, if all the relevant data in the organisations had been encrypted - both at rest and on the move - then there is every strong chance that, whilst the hardware would have gone walkabout in most of the cases, the integrity of the data would have remained intact, which is what the ICO is now taking a keen interest in.

This isn't to say that enforcement of security policies and good program code security practices are not needed, but that encryption of private data - from whatever source - acts as an extra safety net for when things go wrong.

"With the new penalties kicking in this week onwards for breaches of the Data Protection Act in the UK and others being introduced recently in the US such as the Massachusetts State Data Breach Law - IT managers need to understand that, without a multi-layered approach to security - underpinned by effective encryption technologies - data leaks like those of the last week will go on taking place," he said.

And this is an issue that doesn't just affect public sector IT managers alone. Their counterparts in the private sector also need to wake up and smell the coffee as well," he added.

"It's now crystal clear that, if IT managers don't get their act together in short order, there could be some hefty fines and even more embarrassing public enforcement notices being dished out," he added.

For more on Credant Technologies: www.credant.com