Monthly Archive September 2017
Client files on home computers must be encrypted
Barrister fined by ICO for data protection breach
A recent ruling by the Information Commissioner’s Office highlights the responsibility of professionals to safeguard client data held on their home computers. Because while work systems are usually well-protected, oversights on non-work systems can put clients’ data at risk. The ICO has just released details of a penalty imposed on a barrister who had created work documents on her home computer but had not encrypted these files.
The case for the prosecution: a lady barrister held sensitive client information on a desktop which was also used by her husband. Although the computer was password protected the files were unencrypted. This ignored the guidance issued in January 2013 by the Bar Council and her Chambers that a computer used by family members or others may in addition require encryption.
The barrister’s husband updated software on the shared desktop and to back up the files temporarily uploaded them to an online directory to back them up. He assumed the documents were safe.
However, the documents were visible to an internet search engine and 15 documents were cached and indexed. Six of the 15 documents contained ‘confidential and highly sensitive’ information relating to clients involved in proceedings. Although the husband immediately removed the files from the online directory and the internet service provider removed the cache the next day, the ICO found that the barrister contravened the provisions of the Data Protection Act.
The contravention was considered to have run from the date of the January 2013 Bar Council guidance to 5 January 2016 when remedial action was taken. The files contained confidential and highly sensitive information relating to between 200 and 250 individuals.
Due to the number of individuals affected and the sensitive nature of the information, the ICO consider the contravention sufficient to cause ‘distress’ to the clients and that there were justifiable concerns that the information would be further disseminated, ‘even though those concerns did not actually materialise’.
The Commissioner considered that, in her defence, she did not intend to contravene the DPA, and her actions were a ‘serious oversight’ rather than deliberate intent to ignore or bypass the DPA, she should have realised that there was a risk. Taking all this into account the Commissioner decided on a penalty of £1,000.
When the new Data Protection Bill and the EU General Data Protection Regulation (GDPR) come into effect in May 2018 the ICO will have the right to impose significantly larger fines. The scale will be much higher than under current legislation. At the moment the theoretical maximum the ICO can impose is £500,000 but under GDPR it will be 20 million Euros. This equates to a 79 times increase. Theoretically, therefore, the barrister could have been fined up to £79,000 if the contravention had occurred next year.
So while organisations are working toward the new compliance, it is important that individuals also realise that the same principles apply to home computers. Security protocols should be clearly outlined in every corporate strategy and be made known to all individuals working remotely.
SRM has operated in the information security environment since 2002 and our consultants are skilled at performing security assessments and managing strategic compliance projects. Our GDPR team is GCHQ trained and works with clients to achieve all types of ongoing compliance.
It’s not a question of if, but when
Why board level commitment is a vital part of cyber defence
It is difficult to defend against an attacker who only needs to succeed once. Security systems might defend an organisation 99 times out of 100 but faced with a relentless campaign which identifies and targets any cracks, it is almost inevitable that at some point, somewhere, the attacker will succeed.
Data and personal information are valuable commodities and their theft is the most common form of cyberattack. Recent high profile hacks have demonstrated the vulnerability of even very large organisations like TalkTalk and the NHS. These prompted the Government in November 2016 to announce a £1.9 billion investment to help UK businesses protect themselves.
Imminent new legislation is also in place to help provide organisations with a robust data protection framework in which to operate. If the hackers are the criminals, these are the laws that the relevant authorities (the Information Commissioner’s Office) enforce. Failure to comply with the new Data Protection Bill and General Data Protection Regulation (GDPR) from May 2018 will result in significantly higher levels of fines. And this has certainly focused the attention of many of the FTSE 350 boards surveyed in the recent Government Cyber Health Check.
The report found that awareness of GDPR is good, with 97 per cent of firms saying they are aware of the new regulation. But levels of readiness vary. 71 per cent said they are ‘somewhat prepared’ to meet the requirements of GDPR but only 6 per cent are confident that they are fully prepared.
This is perhaps not surprising given that only 13 per cent say that GDPR is regularly considered at board meetings. This is dangerous thinking. When it comes to data protection it is simply not reasonable or effective to make it the sole responsibility of the IT department. The same is true of cyber defence. These are board level issues and need to be embedded into the board’s approach.
It is no longer acceptable to simply be reactive; every board should be proactive and include an assessment of the current risk and review any potential security issues on its agenda on a regular basis. A security sub group can effectively manage this vital aspect of the business but it must have board level endorsement and input. The aim should be to implement a company-wide cyber security strategy which is constantly challenged and re-enforced.
Given the fact that the threat landscape is always changing, another essential element of every organisation’s cyber defence should include a strategic plan in the event of breach. To minimise its impact swift remedial action is vital. A strategic plan will help to ensure effective business continuity and protect from loss of income and reputation. This plan may include working with Retained Forensics (PFI) experts. Not only can they assist the board in the implementation of a robust and strategic defence, but if (or when) a breach occurs their detailed knowledge of a company’s systems will ensure business continuity and minimise the damage to finances and reputation.
How a retained PFI can mitigate risks
Government 2017 Cyber Security Health Check reveals many FTSE 350 companies are not prepared
Today: new UK Data Protection Bill published
The new UK Data Protection Bill, published today, will come into force next May. As part of the multi-million pound National Cyber Security Strategy, the new legislation will effectively bring the European Union’s General Data Protection Regulation (GDPR) into UK law, helping Britain to prepare for a successful Brexit. The new legislation will come into effect in May 2018, coinciding with the enactment of the GDPR in Europe.
Minister for Digital Matt Hancock says: ‘As the UK leaves the EU we will ensure we have one of the most robust systems for protection of intellectual property anywhere in the world, for all civilised societies are based on the fair and equal protection of property rights.’
He adds: ‘Our task is to strike the right balance between freedoms and responsibilities online, such that the solutions can be applied globally, and the whole free world can emulate our approach. That is our plan.’
The drive behind the bill is to protect the online data of people and businesses. According to Mr Hancock: ‘We must build an internet based on liberal and not libertarian values, where we cherish freedom yet prevent harm to others’.
The bill contains steps to clamp down on cyber-bullying and child protection as well as protecting individuals’ and companies’ data online.
The key provisions also include:
- Providing a simpler process for individuals to withdraw consent for their personal data to be used;
- Giving individuals the right to request that their personal data is deleted;
- Allowing for the re-identification of people from anonymised or pseudonymised data if a criminal offence is suspected.
The last point refers to one significant difference between the UK Data Protection Bill and the European legislation where some ‘vital’ exemptions have been made in cases where public interest is served. This includes areas relating to ‘freedom of expression’ where journalists access personal data to expose wrongdoing. They will also be allowed to preserve the anonymity of their sources and to access personal data without consent if it is deemed to be in the public interest.
In addition, the new Data Protection Bill allows anti-doping agencies to access personal data when pursuing suspected drug cheats or, in the case of financial services companies, where there are suspicions of terrorist financing or money laundering. But to safeguard the innocent, new criminal will be created to deter organisations form either intentionally or recklessly creating situations where someone could be identified from anonymised data.
While the Data Protection Bill will become law for all UK organisations, the GDPR will be a legal requirement of any organisation handling any data relating to EU citizens, which in today’s online world is almost everybody. Thankfully the overlap between the two is total in the areas relating to the handling of personal data in the business context. The financial penalties in the event of data breaches or non-compliance are equally severe, equating to fines of up to £17m or 4 per cent of global turnover.
The important fact to consider is that May 2018 is not far away so the process of integrating the new data protection laws should be well underway. If looking for strategic and practical input in developing up to date data protection policies, SRM’s team includes GCHQ approved GDPR practitioners who have the expertise to work with clients to build robust and cost-effective defences.
The Equifax breach and how it impacts the UK
Cyberattacks do not recognise national boundaries, as the latest breach concerning the US credit rating firm Equifax proves. So although the company has now reported the breach of 143 million customer records to US law enforcement agencies, albeit five weeks after the event, individuals in the UK and Canada are also affected. In these countries data regulations are different. Consequently UK and Canadian regulators are also becoming involved to manage the next steps in their respective countries.
Although Equifax’s core consumer and commercial credit databases were not accessed, it is apparent that the names, social security numbers, birth dates and addresses of over 143 million customers have been obtained. It is also believed that 209,000 customers had driving license numbers and credit card details illegally obtained by hackers. This is not simply an American problem because the breach is not limited to the company’s US operations. It affects British customers too, including those who have accounts with BT and British Gas. The exact number of British customers at risk has not been established but the Information Commissioner’s Office (ICO) is investigating and has requested that Equifax contacts all UK customers as soon as possible.
James Dipple-Johnstone, ICO Deputy Commissioner says: ‘Reports of a significant data loss at US-based Equifax and the potential impact on some UK citizens gives us cause for concern’. The ICO also states that,‘In cyberattack cases that cross borders the ICO is committed to working with relevant overseas authorities on behalf of UK citizens’.
Thought to have been accessed through a website application vulnerability, the Equifax breach is one of the largest ever reported in the United States. Another massive global data breach which originated in the US was the attack on Yahoo which exposed 1 billion records. This also affected its UK customers.
In a world where global brands are constantly under threat it is worth noting that the American data protection law is very different to our own. It is becoming more permissive, with President Trump signing a new law on 3rd April making more personal data legally available. Meanwhile in Europe organisations are facing even stricter data protection procedures under the forthcoming General Data Protection Regulation (GDPR) which comes into force on 25th May 2018.
GDPR requires UK companies to observe new procedures and take even greater responsibility for how they collect, share, use and store customers’ data. Embracing the stringent rules of GDPR need not be onerous. With the right advice and guidance they can be met in a way that actually enhances a business. GDPR may also present British companies with a competitive advantage because data held in countries adhering to the requirements of GDPR will inevitably be safer.
Data protection – the gap widens across the Atlantic
Time running out for GDPR compliance
The new Data Protection Bill and GDPR
University CISOs face tough challenges in the next academic year
University Chief Information Security Officers (CISOs) have had a tough time lately. According to information acquired under the Freedom of Information Act by The Times newspaper, some of the UK’s top universities have seen cyber security breaches double in the 2016-17 period, suffering a total of 1,100 cyber security breaches. These include instances of research data compromise. Given the value of data and research projects in particular, it is likely that this trend will continue into the next academic year.
With an institution’s reputation at stake, the CISO is often judged not on what he or she successfully does, but on what they don’t. But this is also true of any business which conducts its business online. Increasingly, the corporate world looks to specialist CISO support to enhance and support the resident CISO. Universities are also beginning to see the advantages of using additional professional CISO support.
In a similar way to their corporate counterparts, the university CISO’s role is not limited to managing a robust defence of the institution’s systems. To really be effective, their role needs to go beyond a thorough understanding of information technology and cyber defence. They also need to be business leaders, garnering support across all departments. They need to have influence at the highest level and the industry knowledge to anticipate future trends. Few individuals have the skills or resources to fulfil all these roles without additional resource.
Just as the finance department works with professional accountants and the legal department works with specialist lawyers, so the CISO benefits from a collaborative relationship with information security specialists whose role is to support, enhance and resource the CISO function within the university.
At SRM we have a professional team with a high level of expertise and experience in supporting the CISO function. We offer VirtualCISOTM which is a totally bespoke service, providing as much or as little as is required depending on the individual organisation. We are also able to provide a tailored package to support university CISO’s with their specific role, focusing on strategic guidance in the definition and maintenance of an effective security strategy and business continuity plan.
Because we are immersed in the information security industry we are also able to provide a proactive approach to keeping up-to-date with ever-changing threats including the latest social engineering threat vectors. We provide training of all relevant personnel in how to manage change to the broad spectrum of legal requirements such as data protection, emerging GDPR legislation and computer misuse.
In addition we are able to assist in the development and delivery of senior-level presentations detailing an organisation’s security posture to key stakeholders, while also providing a full range of other services including information security testing and incident response.