Nursing and Midwifery Council receives £150,000 penalty

The Information Commissioner’s Office has urged organisations to review their policies on how personal data is handled, after the Nursing and Midwifery Council was issued a £150,000 civil monetary penalty for breaching the Data Protection Act.

The council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. An ICO investigation found the information was not encrypted.

David Smith, Deputy Commissioner and Director of Data Protection, said:

“It would be nice to think that data breaches of this type are rare, but we’re seeing incidents of personal data being mishandled again and again. While many organisations are aware of the need to keep sensitive paper records secure, they forget that personal data comes in many forms, including audio and video images, all of which must be adequately protected.

“I would urge organisations to take the time today to check their policy on how personal information is handled. Is the policy robust? Does it cover audio and video files containing personal information? And is it being followed in every case?

“If the answer to any of those questions is no, then the organisation risks a data breach that damages public trust and a possible weighty monetary penalty.”

The council had been couriering evidence relating to a ‘fitness to practise’ case to the hearing venue. When the packages were received the discs were not present, though the packages showed no signs of tampering. Following the security breach the council carried out extensive searches to find the DVDs, but they’ve never been recovered.

David Smith continued:

“The Nursing and Midwifery Council’s underlying failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk. No policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered. Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty.”

UK Biggest Data Loss Disasters of 2012

With the growth in the use of personal devices for work, it is no surprise that data loss increased in 2012. UK data loss in general is estimated to have risen by around 1,000 per cent in just under five years.

Here, we take a look back at some of the biggest data losses the UK faced in 2012.

NHS trust loses personal data of 600 maternity patients and children

On at least two separate occasions in 2012, the NHS was forced to admit losing unencrypted USB sticks containing highly sensitive patient data. In the first instance, the device contained data relating to around 600 maternity patients. A second USB stick, containing the names and dates of birth of 30 children and full audiology reports for a further three, was also lost. This caused great embarrassment to the NHS and distress to the patients whose confidential information was compromised.

Lost data blunders cost councils £1.9 million

A series of blunders by various UK councils led to them being fined heavily for serious data breaches, including the disclosure of highly sensitive personal information. The fines totalled £1.9 million. The mistakes included information being sent to the wrong recipients, and in one case an individual left hard copies of highly confidential documents on a train.

Shopacheck loses data on 1.4 million customers

In terms of the number of customers affected by a single incident, Shopacheck experienced the biggest loss of 2012. The loan firm lost sensitive financial information on 1.4 million of its customers after two back-up tapes went missing. The tapes contained customer names, addresses, dates of birth, telephone numbers and email addresses.

Police force pays £120,000 penalty for data breach

Greater Manchester Police was fined £120,000 after a memory stick with no password protection was stolen from an officer’s home. The breach was serious not least because the device contained information about members of the public who had given statements as part of drug investigations. It also held details of police operations, potential arrest targets and the names of officers.

USB stick with nuclear plant data lost by ONR official

While on a business trip to India, an Office for Nuclear Regulation (ONR) official lost an unencrypted USB memory stick containing data relating to the Hartlepool nuclear power station. The ONR confirmed that unencrypted USB sticks should not be used to transport documents carrying a security classification, so the loss breached the regulator’s own handling rules as well as exposing the data.

As these examples demonstrate, data loss can largely be attributed to human error and to ineffective backup and security controls. Once again we are reminded of the importance of implementing effective data protection policies. Many of these incidents could have been mitigated with a solution such as EVault’s Endpoint Protection for mobile devices (laptops and tablets), or by using the cloud to back up sensitive company data.
Let’s hope that businesses realise this in 2013!

Original article by Jean-Jacques Maleval, Monday, January 21st, 2013

EU data protection law proposals include large fines

Firms face being fined up to 2% of their global annual turnover if they breach proposed EU data laws.

The European Commission has put forward the suggestion as part of a new directive and regulation.

The new rules include users’ “right to be forgotten” and an obligation on organisations to report data breaches “as soon as possible”.

The boss of one tech-focused organisation described the proposals as a “tax” on firms holding customer data.

The Justice Commissioner, Viviane Reding, said it was important for EU citizens – particularly teenagers – to be in control of their online identities.

“My proposals will help build trust in online services because people will be better informed about their rights and more in control of their information,” she said.

The commission says that key changes to the 1995 data protection rules include:

  • People will have easier access to their own data, and will find it easier to transfer it from one service provider to another.
  • Users will have the right to demand that data about them be deleted if there are no “legitimate grounds” for it to be kept.
  • Organisations must notify the authorities about data breaches as early as possible, “if feasible within 24 hours”.
  • In cases where consent is required organisations must explicitly ask for permission to process data, rather than assume it.
  • Companies with 250 or more employees will have to appoint a data protection officer.

The rules would apply to data handled outside the EU if the companies involved offered services to citizens living in the 27-nation zone.

Image caption: Some firms are concerned that they would have to confirm data loss within 24 hours of being hacked.

The commissioner said that by simplifying the current “patchwork” of rules and cutting red tape, businesses could expect to save a total of 2.3bn euros ($3bn; £1.9bn) a year.

However, organisations which break the rules face penalties.

The commissioner suggested that companies that charged a user for a data request be fined up to 0.5% of their global turnover. She said that sum should double if a firm refused to hand over data or failed to correct bad information.

She added that companies responsible for more serious violations could be fined up to 2% of their turnover. The sum is capped at 1m euros for other bodies.

Cost worries

One lawyer told the BBC that the benefits would be outweighed by the new burdens placed on businesses.

“The one bit of good news is that they result in harmonisation across Europe, which is better than the existing situation with 27 different national laws, but the content of some of these proposals is very onerous,” said Marc Dautlich, head of information law at Pinsent Masons.

“These are all going to involve costs and resource. And in a difficult economic climate.”

Adam Malik, organiser of the Digital London conference, said that he accepted that customers had a moral right to ask for data deletion, but the new rules – as he understood them – could place some enterprises in jeopardy.

“This is just an additional tax on all businesses which hold electronic customer records,” he said.

“Also we need clarity on what is personalised data. Lots of lawyers will be happy about this directive for years to come – meanwhile innovation is discouraged.”

Security company FireEye also expressed concern about the suggested data loss demands.

“Reporting within 24 hours of discovery is admirable but if the company wasn’t aware of the breach for 24 days then where do all involved stand?” asked its director of European operations, Paul Davis.

But others were more positive about the proposals.

“Businesses can either see it as a glass half-empty or a glass half-full,” said Alan Mitchell, strategy director of Ctrl-Shift, a technology consultancy whose clients include the UK government.

“This legislation will enable UK and EU business to lead this growing market and develop new technologies and businesses.”

The rules need to be approved by the EU’s member states and ratified by the European Parliament before they can come into effect.

That could take two or more years, during which time they may be amended or rejected outright.

Published by the BBC, 25 January 2012

Government departments release data on missing IT equipment

Ministry of Defence lost 1,058 items of equipment in 2011-12

Government departments saw 2,070 pieces of IT equipment lost or stolen in 2011-12, according to written answers in the House of Commons.

With the exception of the Department for Education and the Cabinet Office, all central departments have now written formal responses to requests regarding how many pieces of IT equipment were lost or stolen during 2010-11 and 2011-12.

Of the 2,070 items missing in 2011-12, 408 were computers and 499 were mobiles (422 of them BlackBerrys); the remaining 1,163 were categorised as ‘other’.

The requests were lodged by Gareth Thomas MP, Labour’s shadow minister for the Cabinet Office.

Over half of the missing IT equipment across government was accounted for by the Ministry of Defence (MoD), which lost 1,058 items in total, including 206 computers, 24 mobiles and 34 BlackBerrys. Unlike the figures from some other departments, the MoD’s are raw totals that have not been reduced by any recovered property.

The remaining 794 MoD items were categorised as ‘other’, a category covering items such as CDs, DVDs and removable memory such as USB sticks.

Explaining why the figures for the department were so high, an MoD spokesperson said, “The MOD employs more than 250,000 individuals operating all round the world, with frequent movement of forces and equipment between locations in support of operations.”

The spokesperson added, “The MoD takes the loss or theft of equipment very seriously and works hard to detect and deter theft. There are robust processes in place to raise awareness of the need for vigilance in all aspects of security and we actively encourage individuals to report loss or theft. This work has resulted in a rise in the number of reports over the last year.

“Where theft does occur and a suspect is identified, prosecution or internal disciplinary action will follow as appropriate.”

After the MoD, the departments that lost the most equipment include the Ministry of Justice (268) and the Department for Communities and Local Government (151).

However, the Department for Culture, Media and Sport and HM Treasury reported just 10 losses apiece for 2011-12.

In comparison, the Department for Transport and the Department for Business, Innovation and Skills lost 102 pieces of IT equipment each, while the Department for Work and Pensions (DWP) reported 97 items missing. The Department of Health mislaid 63 items, while the Home Office lost 49.

A direct comparison is not possible for the DWP and the Home Office, as they reported data covering each calendar year rather than the financial year. DWP reported 97 losses in 2011 and 48 for 2012. The Home Office mislaid 53 items in 2011; however four of these were recovered. They did not provide data for 2012.

The Northern Ireland Office reported no equipment losses at all for the period. The Wales Office said that there had been one such loss, and the Scotland Office reported four losses.

Shadow Cabinet Office Minister Gareth Thomas MP said, “It’s incredible that so many computers, BlackBerrys and other pieces of IT equipment have been lost.

“With hundreds of pieces of IT equipment being lost across Whitehall, and over a thousand pieces missing at the MOD alone, Ministers should be doing all they can to make sure vital equipment and data are kept secure.”

Ultimate Mobile Data Security

Perfect for the forgetful secret agent… the memory stick that self-destructs by remote control

A data protection company has come up with the perfect piece of kit for the spy who’s more Johnny English than James Bond.

ExactTrak Ltd has developed a memory stick that can be tracked by GPS if it becomes separated from its owner – and can even be destroyed by remote control.

The memory stick, called Security Guardian, is slightly larger than your garden variety device and includes an encrypted memory chip and a SIM card, which means that it can be tracked by GPS and GSM triangulation.

Image caption: ExactTrak’s Security Guardian includes a SIM card, so that the memory stick can be tracked if it becomes separated from its owner.

If sensitive information is on board the stick when it is misplaced or stolen, the owner has a variety of ways of disabling or destroying information so that it cannot be viewed or shared.

Owners can sign in to their account and block files and information. Alternatively, they can text a specific code to the stick itself, which will disable the device or lock the files within.

And, if all else fails, users can send a high-voltage charge directly into the stick, melting the internal chip and erasing everything contained on it.

Image caption: The memory stick can be located by GPS and GSM triangulation. If that is not good enough, files can be blocked or deleted by remote control.

Image caption: If all else fails, users can send a high-voltage charge to the memory stick, frying the internal chip and obliterating all information on it.

Because the command reaches the stick over the mobile network via its built-in SIM, this kill signal can be delivered without an internet connection, regardless of whether the device is plugged into a computer or not.

The growing interest in data protection follows a number of high-profile cases where sensitive Government information was left on public transport – including a case in 2009 when a Government contractor lost a memory stick containing the information of 84,000 prisoners.

A 2008 report found that more than 3,200 laptops and mobile phones containing sensitive information had been lost or stolen from government departments.

In its sales pitch, ExactTrak claims that 65 per cent of recorded data losses are due to laptops and USB memory devices that go missing.

In a survey by the Ponemon Institute for Intel, 56 per cent of IT managers admitted that they had turned off or disabled their encryption. A further 35 per cent admitted to sharing passwords with colleagues.

ExactTrak is currently working with Government and corporate clients, developing a range of products that provide mobile data security and asset recovery.

But it’s not reserved for security services, ExactTrak’s website says: ‘Location monitoring and data security services can be delivered either via secure access to our monitoring platform, hosted on the Fujitsu Global Cloud Platform, or can be located within your organisation behind your own firewall.