Archive for the 'IT Security' Category

Niall Mclean blogs on Brodies PublicLawBlog about a recent ICO monetary penalty notice issued following the loss of sensitive personal data by the Nursing and Midwifery Council.

Brodies PublicLawBlog

Last month, the Information Commissioner’s Office (ICO) fined the Nursing and Midwifery Council (NMC) £150,000 after the loss of three unencrypted DVDs which contained sensitive personal data. The DVDs related to a nurse’s misconduct hearing and contained evidence from two vulnerable children. You can read the ICO’s Monetary Penalty Notice here. A recent post on our TechBlog discussed the methodology the ICO uses for calculating penalties, and the NMC’s breach falls into the “very serious” category.

The NMC has expressed disappointment at the decision, which it says was down to “an isolated human error”. The fine is a pointed reminder to regulatory bodies of the importance of keeping hearing information confidential and secure – particularly where it is held electronically and should be encrypted.

Niall Mclean


Information Commissioner publishes guidance on Bring Your Own Device

The UK’s Information Commissioner’s Office (ICO) has today published new guidance for employers on the use of personal (employee-owned) devices for work purposes.

Bring Your Own Device (or BYOD) is a hot topic for many organisations. Many employees are seeking to use their own smartphone or tablet for work purposes. If properly implemented, a BYOD scheme can actually reduce the information security risks by making it easier for employees to access corporate data on their own device, thereby discouraging them from trying to find workarounds (such as emailing confidential information to a personal email address, or using a personal email address to carry out work business).

However, there are risks.

In November, Computer Weekly reported that the number of BYOD devices in use was set to double by 2014. However, Gartner predicts that through 2014 employee-owned devices will be compromised by malware at more than double the rate of corporate-owned devices.

A survey by the ICO, published alongside the new guidance, reveals that some 47% of those polled have used a personal device (whether a smartphone, tablet or laptop) for work purposes. However, only 27% of respondents said that their organisation had provided guidance on the use of personal devices for work purposes.

BYOD policy
This is worrying, as it opens up the employer and employee to a number of risks.

For example, if the employer turns a blind eye to BYOD (which would otherwise breach its information security policy), it will find itself in a very difficult position in the event of a data loss incident. Not just with the ICO and any potential fine for a breach of the Data Protection Act, but also in terms of the ability of the employer to take disciplinary action against the employee.

A lack of a BYOD policy means that the employer has no cogent BYOD strategy, setting out what is and isn’t acceptable. For example, the sorts of devices that are considered to have appropriate levels of security, password security, the employee’s responsibilities, and what happens if the device is lost or stolen.

The policy should also cover other issues such as who is responsible for voice and data costs, insurance, and what happens if the employee is unable to carry out his duties because the device has been lost or stolen.

The ICO’s guidance
The ICO’s guidance emphasises the importance of developing a BYOD policy and contains the following key recommendations:

  • Be clear with staff about which types of personal data may be processed on personal devices and which may not.
  • Use a strong password to secure your devices.
  • Enable encryption to store data on the device securely.
  • Ensure that access to the device is locked or data automatically deleted if an incorrect password is input too many times.
  • Use public cloud-based sharing and public backup services, which you have not fully assessed, with extreme caution, if at all.
  • Register devices with a remote locate and wipe facility (mobile device management) to maintain confidentiality of the data in the event of a loss or theft.

The guidance also reminds organisations in the public sector that information held by employees on a personal device may be subject to disclosure under freedom of information legislation.

More information
To read our top tips for BYOD, follow this link.

To read the ICO’s new guidance, follow this link.

Brodies can help you develop a BYOD policy which suits your organisation. To discuss how we can assist please contact me or your usual Brodies contact.

Martin Sloan

Information Commissioner reveals methodology for calculating monetary penalty notices

Last month, the Information Commissioner’s Office (ICO) successfully defended the first appeal against a monetary penalty notice issued by the ICO for a breach of the Data Protection Act.

The appeal was by Central London Community Healthcare NHS Trust, which appealed against a fine of £90,000 issued for repeatedly faxing a list of palliative care in-patients to the wrong fax number.

The most interesting aspect of the appeal is that as part of the ICO’s defence of its decision, the Tribunal was presented with information on the ICO’s internal methodology for calculating monetary penalties.

The ICO’s methodology
The process comprises three stages.

Firstly, a decision is made as to whether or not to issue a monetary penalty.

Secondly, the case is placed in one of three bands, depending upon the seriousness of the contravention:

  • Serious – in which case the fine will be between £40,000 and £100,000
  • Very serious – in which case the fine will be between £100,000 and £250,000
  • Most serious – in which case the fine will be between £250,000 and £500,000

Finally, the ICO selects the midpoint of the applicable band (so, for a “very serious” fine, £175,000) and then assesses the aggravating factors to see if the fine should be higher and the mitigating factors to see if it should be lower. The aggravating and mitigating factors create an overall weighting, which is then applied to the fine.

Applying this methodology to the Central London Community Healthcare NHS Trust decision, we can see that the ICO viewed this breach as being a “serious” breach with a number of aggravating circumstances (it was towards the top of the £40,000 to £100,000 banding for a “serious” breach).

Interestingly, in its decision the Tribunal queried whether the breach in this case should actually have been classified as a “very serious” breach, given the nature of the breach, the information involved and the fact that the Trust was also in breach of the well established Caldicott Principles.

Early payment discount
In its decision, the Tribunal also upheld the ICO’s decision to permit an early payment discount only if the organisation does not appeal.

Whilst the Tribunal’s decision is not binding on subsequent tribunal hearings, the guidance does provide organisations faced with a notice of intention to impose a monetary penalty notice with more information on how the ICO has calculated the proposed fine. This should in turn help organisations to ensure that any challenges to the size of a monetary penalty can be made by reference to the ICO’s own methodology.

Martin Sloan

Kim Dotcom and Mega: Legal FAQs

You’re probably familiar with Kim Dotcom, the German-Finnish internet entrepreneur who currently resides in New Zealand, and is being pursued by the US Department of Justice regarding accusations of a “Megaupload” business empire built on rampant infringement of US copyright laws and the Digital Millennium Copyright Act.

Much of what is currently being written about Mr Dotcom simply churns trite facts without actually offering much in the way of explanation. I thought a blog which answered some of the main questions would be helpful.

How does the US have jurisdiction over Megaupload?
Why would Megaupload Limited, with its registered office in Hong Kong, be subject to US copyright laws and to the Digital Millennium Copyright Act? The answer is that Megaupload deliberately carried out business in the US and with US residents. The site leased more than 1,000 servers in North America (525 were at Carpathia Hosting, which received $13 million from Megaupload).

Wired provides great analysis here, but the general principle is that individuals and companies can’t gain the benefits of doing business in a jurisdiction without complying with its laws and being subject to its enforcement efforts – assuming that the jurisdiction can get its hands on you in “terrifying real life”. Which brings us to extradition!

Will Dotcom be extradited?
Under New Zealand’s Extradition Act, any request for extradition from New Zealand must relate to an “extraditable offence” which is defined as an offence that:

  • Carries a maximum penalty of not less than one year’s imprisonment in the requesting country; and
  • Involves conduct that would be regarded as criminal had it occurred in New Zealand, and would have carried a similar penalty

Unfortunately for Kim Dotcom, breach of copyright is just as illegal in New Zealand as it is in the US.

Part 3 of the Extradition Act also provides a mechanism by which the requirement to provide evidence establishing a prima facie case in support of the extradition request can be replaced by the simpler “record of the case” procedure. This mechanism is available to select countries, including the US. (A guide to New Zealand extradition prepared by the New Zealand Ministry of Foreign Affairs and Trade can be read here.)

Nevertheless the US is struggling to extradite Dotcom and is also struggling to make its case against Megaupload and the “conspirators” (Dotcom and various associates). Dotcom actually received an apology from the Prime Minister of New Zealand for illegal surveillance. A helpful timeline of the various legal twists and turns can be read here.

What’s the new service that he’s offering?
Kim Dotcom has launched a new service, Mega, which he says is distinct from Megaupload, and which he also insists is legal.

Mega is offering all users 50GB of free cloud storage, making it a potentially compelling competitor to the likes of Dropbox (2GB free) and SkyDrive (7GB free) — if you’re not worried about the service getting shut down like its predecessor.

Mega offers client-side encryption, meaning that (arguably) even Mega doesn’t know what is in the files that clients upload. The only way a client file can be decrypted is if the client makes both the encrypted file and also the private encryption key publicly available. This would presumably breach acceptable use of Mega, and Mega also has in place a take down process similar to what other content sharing websites (such as YouTube) offer, and which is required under US law in order for the website operator to qualify for “safe harbor” protection from copyright infringement claims.

Of course, the predecessor site Megaupload had a take down process as well, so this leads us to the next obvious question.

Is Mega legal?
Dotcom still insists that Megaupload was legal, despite the US Department of Justice’s claims that Megaupload’s overall operating model was geared towards criminal intent, because:

  • the vast majority of users did not have any significant long term private storage capability;
  • continued storage was dependent upon regular downloads of files occurring;
  • files that were infrequently accessed were usually rapidly removed, whereas popular downloaded files were retained;
  • only a small portion of users paid for storage subscriptions, meaning that the business was dependent on advertising revenue, and displaying adverts to downloaders;
  • an incentive programme was adopted encouraging the upload of “popular” files in return for payments to successful uploaders; and
  • (potentially most damning of all) there was a comprehensive take down process in use for child pornography and terrorist propaganda, but this same take down process was not deployed to remove infringing content.

Initial impressions would suggest that Mega does not share these strategies. Certainly Dotcom would have to be incredibly foolish to not apply the take down process this time around. In fact, it’s perhaps a credit to Dotcom’s slick advertising/media persona, and Mega’s attractive user interface, that initial bloggers thought Mega would “dismantle copyright forever”.

As Jonathan Bailey succinctly puts it (in by far the best analysis of Mega which I have read):

where Megaupload provided incentives and tools that encouraged users to upload (often illegal) files for mass download, Mega  does not and in fact has a structure and service that puts barriers up against mass downloading of files, legal or otherwise.

What is certain is that we can expect plenty of fun and games over the next few months.

When Mega launched this week as “The Privacy Company” their claims of super-security were bound to come under the highest levels of scrutiny (some cloud providers definitely perform better than others in the security stakes – see my colleague Leigh’s analysis). Yesterday the story was that Mega’s encryption was substandard, today the story (which is emerging as I write) appears to be some form of encryption prize – Kim Dotcom himself has just Tweeted:

We welcome the ongoing #Mega security debate & will offer a cash prize encryption challenge soon. Let’s see what you got ;-)

Who knows what tomorrow will bring?
Brodies Autumn seminar programme

As part of Brodies’ autumn 2012 seminar programme, we are running a series of free seminars at our offices in Aberdeen, Edinburgh and Glasgow:

  • Your Intellectual Property, your views – what did the survey say? – Gill Grassie and Robert Buchan will highlight the key findings from our recent survey on how businesses protect and value their intellectual assets, and discuss what IP lessons and opportunities they reveal for businesses – could you be making more of your IP? Are you exposing yourself to unnecessary risk?
  • Bring Your Own Device – Managing business risks in the iPhone era – Grant Campbell, Martin Sloan and employment lawyer Andrew McConnell will look at the legal issues surrounding BYOD adoption, and provide some practical guidance on how organisations can manage the data security and employment law risks.

For more information and to find out how to register, please visit our Events page. If you’d like to see the whole seminar programme then head over to the Seminars page on the main Brodies website.

We look forward to seeing you there!

ICO investigation highlights importance of information security to brand reputation

The story earlier this week about the Information Commissioner’s (ICO) investigation into concerns over the security of user passwords for the Tesco website is a timely reminder that information security is an evolving area, and one that organisations need to keep under constant review.

The law
The Data Protection Act (DPA) states that:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

In determining what measures are appropriate, organisations have to ensure that the level of security is appropriate to the level of harm that might arise from unauthorised access or disclosure and the nature of the data in question.

So, the greater the potential damage to users, the greater the level of protection should be. Importantly, the organisation also has to have regard to technological development.

This means that information security measures need to be kept under constant review as technology (and the cost of that technology to the organisation) evolves. In this case, the question appears to be whether or not Tesco is following industry best practice, and whether its current approach to password security is sufficient, given the technological developments that allow for a more secure way of storing and providing access to passwords.
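As an added illustration of what “keeping password storage under review as technology develops” means in practice (example code written for this post, not Tesco’s system or the ICO’s guidance): passwords are stored only as salted PBKDF2 digests in a self-describing record, so the work factor can be raised later, and any record below current policy (including a constructed legacy plaintext record, marked `plain$`) is upgraded the next time the user logs in successfully. The iteration count, record format and sample users are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Policy parameters (assumptions for this example). The iteration count is the
# knob that should be reviewed periodically as hardware gets faster.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
LEGACY_PREFIX = "plain$"   # constructed marker for an old, reversible record


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (base64)."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the record's own salt and iterations; constant-time compare."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True when a stored record falls below current policy (legacy format or too few iterations)."""
    if record.startswith(LEGACY_PREFIX):
        return True
    algorithm, iterations, _, _ = record.split("$")
    return algorithm != ALGORITHM or int(iterations) < minimum_iterations


# Verified against when a username does not exist, so that a lookup of an unknown
# user costs roughly the same time as a wrong password for a known user.
DUMMY_RECORD = hash_password("dummy-password-not-used-for-any-account")


def login(store: dict, username: str, password: str) -> bool:
    """Check credentials against the store and upgrade sub-policy records on success."""
    record = store.get(username)
    if record is None:
        verify_password(password, DUMMY_RECORD)
        return False
    if record.startswith(LEGACY_PREFIX):
        stored = record[len(LEGACY_PREFIX):].encode("utf-8")
        ok = hmac.compare_digest(stored, password.encode("utf-8"))
    else:
        ok = verify_password(password, record)
    if ok and needs_rehash(record):
        # Upgrade-on-login: the only moment the plaintext is available to re-hash.
        store[username] = hash_password(password)
    return ok


if __name__ == "__main__":
    # Constructed user store: one legacy plaintext record and one hashed with an
    # iteration count that is below the current policy.
    users = {
        "alice": LEGACY_PREFIX + "correct horse battery staple",
        "bob": hash_password("s3cret-example", iterations=1_000),
    }
    print("alice wrong password:", login(users, "alice", "wrong"))
    print("alice right password:", login(users, "alice", "correct horse battery staple"))
    print("alice record now:", users["alice"].split("$")[0])
    print("bob needs rehash before login:", needs_rehash(users["bob"]))
    login(users, "bob", "s3cret-example")
    print("bob needs rehash after login:", needs_rehash(users["bob"]))
```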

Brand reputation
However, the story is also a reminder that information security is now about more than just legal compliance. It’s also about brand reputation.

Whether or not Tesco’s website falls short of the requirements of the DPA will be a matter for the ICO to come to a view on.

Yet, the very fact that the ICO is investigating the information security procedures of one of the UK’s largest retailers is enough to make front page news. There hasn’t actually been a security breach in relation to the Tesco website, but the possibility that Tesco’s site may be more vulnerable than others is sufficient for it to be reported by the media.

e-Commerce is a notoriously brand-fickle industry, with websites being in fashion one minute and not the next. An information security leak can be highly damaging to the brand. For that reason, organisations that trade online should ensure that information security is kept constantly under review, and that they respond to technological developments that help to keep the data of their users secure.

Practical steps
So what should you be doing? In practice, this means ensuring that your internal policies are kept under review and that someone is responsible for information security compliance.

Where you rely upon external suppliers, it’s essential that information security is properly addressed in your software development and hosting contracts through reference to appropriate standards. It’s also important that you are able to audit and review the information security of your websites and systems and ensure that the measures in place continue to be fit for purpose, and mandate that changes can be made where vulnerabilities are identified.

ICO issues £225,000 fine following failure to adequately protect paper records on disused site

An NHS Trust in Northern Ireland has been fined £225,000 by the ICO, following unauthorised access by trespassers to medical and staff records held in a disused building.

The fine is the second highest to date issued by the ICO, beaten only by that issued last month to Brighton and Sussex University Hospitals Trust.

The Trust was formed by an amalgamation of a number of acute and community NHS Trusts in April 2007, taking over responsibility for more than 50 disused sites. Patient and staff records were stored at one of the sites, which had been closed the previous year. The Trust did deploy manned security guards on the site, but within a number of months the existing CCTV system on the site was failing. Trespassers gained access to the site and took photographs of the records, which were then posted on the internet. The Trust became aware of the issue in March 2010.

Upon becoming aware of the unauthorised access, the Trust arranged for an inspection of seven of the 40 or so buildings onsite, and discovered a large quantity of records. However, rather than remove the records, the Trust instead carried out some remedial work to the site, including the repair of damaged doors and windows and increased foot patrols.

A year or so later the media reported that the security of the records had again been compromised. A further inspection was carried out, which revealed the full extent of the problem, including that many records had been retained in breach of the Trust’s records retention policy. Records on site included 100,000 medical records and 15,000 staff records, including unopened wage slips. The records were found stored in boxes, in cabinets, on shelves or on the floor.

Reasons for the fine
A number of factors counted against the Trust and led to the large fine:

  • The Trust did not carry out an inspection when it took over responsibility for the site – it simply didn’t appear to know about the records stored on the site;
  • The data involved was highly confidential and sensitive;
  • It took the Trust nearly four years to fully decommission the site (and it only became aware of the records as a result of a report from a third party);
  • The breaches arose because of the negligent behaviour of the Trust in failing to take appropriate technical and organisational measures against unauthorised loss of personal data;
  • The Trust did not report the breaches to the ICO.

It is no accident that the largest two fines to date have been issued to organisations in the NHS.

NHS bodies handle some of the most sensitive data relating to an individual, and the consequences of unauthorised access or disclosure can be particularly distressing and damaging for the data subjects.

As I have noted previously, the level of effort the Data Protection Act requires data controllers to take in relation to preventing unauthorised access or disclosure is directly linked to the harm that might be caused to data subjects from that unauthorised access or disclosure. It is not dependent upon the risk of an incident occurring, and the fact that the disclosure arose as a result of a deliberate act by a third party makes little difference.

The fine is another timely reminder for those organisations involved in processing highly sensitive personal data to ensure that they are fully aware of the data that they hold, and that they have in place (and have implemented) robust information security and data retention policies to protect that personal data against unauthorised access or disclosure. It is not simply a case of assessing the likelihood of a breach occurring, but rather what damage might occur if the worst does happen.

New guidance on IT security for small businesses

The ICO has published a short guide for small businesses on IT security.

The guide is ideal for small organisations that are trying to get to grips with their obligations under the Data Protection Act, and are yet to develop an IT security policy (or wish to review their current policy). Helpfully, whilst the guide doesn’t provide a template policy, it does provide organisations with a checklist of issues to consider and some practical recommendations.

In particular, the guide provides more detailed advice in relation to problem issues such as securing data on the move, being alert to potential IT security issues, awareness within an organisation, minimising data collection and processing, and the use of third party IT contractors.

You can download the guide here.

New surveillance bill faces criticism

Last Thursday, the Government published its draft Communications Data Bill which, it is fair to say, has been met with wide criticism.

The Bill, which was trailed in the Queen’s Speech earlier this year and has been dubbed a ‘snoopers’ charter’, grants additional powers to law enforcement agencies to access communications data, updating and extending the current powers already granted under the Regulation of Investigatory Powers Act (RIPA).

What does the Bill cover?
When John first blogged on this (back in April), we had little detail on what the proposed bill might say. But as anticipated, the scope of the draft Bill has been widely drawn. Too widely drawn perhaps. Should the Bill be made law, businesses that ‘transmit communications’ will be required to hold records of all communications transmitted for a 1 year period. This will include the likes of telephone providers and internet service providers, but also other businesses involved in enabling and transmitting communications such as social media networks and webmail email systems.

The data that they will be required to store will include email addresses, telephone numbers, and websites visited – the headline information about the communication – but it will not extend to the content of the communication, so the law does not require that the content of specific web pages visited or the content of an email is stored (although taking the “postcard” analogy, this may be the practical effect). These data records can then be released to law enforcement agencies and certain other public bodies.

Privacy concerns
In Theresa May’s introduction to the Bill she states that the Bill “strikes the right balance between protecting the public and safeguarding civil liberties”. This hasn’t been the public’s perception.

Privacy campaigners, human rights groups and the general public have all expressed concern that the Bill is too far-reaching in scope and intrusiveness, and threatens an individual’s right to freedom. In fact even the privacy impact assessment that was released with the Bill highlighted the risks to personal privacy that the suggested level of surveillance would pose.

In particular, critics cite the lack of independent judicial scrutiny of the authorisation process for public authorities gaining access to communications data, with authorisations instead approved by a senior officer within the authority.

Data security is also a key concern. If communication businesses are required to collect this data then it must be secured (and subsequently destroyed) in such a way that it complies with the Data Protection Act. In a statement issued in response to the Bill by the ICO (the organisation responsible for regulating data protection compliance) it implied that it does not have adequate powers or resources to monitor this increase in data retention requirements.

Cost of surveillance
Aside from the privacy implications of the Bill, there is also a considerable financial cost attached to the new Bill.

As with the current arrangements under RIPA and Data Retention Regulations, the Government is to reimburse the cost incurred by communications companies in storing and providing access to communications data. This has been estimated to cost a minimum of £1.8 billion over 10 years. This figure can be best described as conservative.

It doesn’t take into account inflation (both financial and in the volume of communications), the potential for an inevitable increase in the use of electronic communications nor the costs incurred in bolstering the ICO’s investigative and enforcement capabilities.

Recognising the need to strike the right balance between protecting the public and safeguarding civil liberties, the Government has submitted a draft bill for pre-legislative scrutiny by both Houses of Parliament, with a view to introducing the final bill to Parliament later this year. It will be interesting to see how much this Bill changes as it is debated in the public and parliamentary arenas before it becomes law.

Leigh Kirktpatrick

ICO issues largest fine to date

The Information Commissioner’s Office (ICO) has served Brighton and Sussex University Hospitals NHS Trust with a £325,000 fine following a breach of the Data Protection Act (DPA).

This is the largest fine the ICO has issued to date. The ICO was granted the power to fine public and private organisations for breaches of the DPA in April 2010, up to a maximum of £500,000. Since then, it has issued a total of 18 monetary penalties – but until now the penalties issued have been decidedly lower than the cap, averaging £82,000.

The fine follows the discovery of highly sensitive personal data belonging to thousands of staff and patients of the Trust on hard drives which, destined for secure destruction, somehow ended up for sale on an internet auction site. Out of 1000 hard drives earmarked for destruction, at least 252 were removed by an employee of the Trust’s IT services provider.

The personal data that was on the hard drives ranged from contact details and criminal convictions of members of staff to highly sensitive medical data about patients being treated in the Trust’s HIV and Genito Urinary Medicine units.

Why such a high fine?

As Martin has blogged previously, the more sensitive the data (and the more harm and distress that might arise in the event of its loss or unauthorised disclosure), the more the ICO expects data controllers to do to guard against such loss or unauthorised access. In this case, the data disclosed was highly sensitive and the breach considerable.

The ICO’s Deputy Commissioner and Director of Data Protection David Smith said:

“The amount of the [fine] issued in this case reflects the gravity and scale of the data breach. It sets an example for all organisations – both public and private – of the importance of keeping personal information secure. That said, patients of the NHS in particular rely on the service to keep their sensitive personal details secure. In this case, the Trust failed significantly in its duty to its patients, and also to its staff.”

When the ICO confirmed its intention to issue this fine back in January Grant blogged on how well the monetary penalty regime works as a deterrent – you can read this here.

Leigh Kirktpatrick
