Tagged: ICO

  • Origin Storage 09:14 on 10/05/2011
    Tags: ICO, Survey

    41 Percent of IT Professionals Carrying Sensitive Information on Mobile Devices – Unprotected 

    Basingstoke (UK), 10 May 2011: A study by Origin Storage, the secure storage specialist, has revealed that 41 percent of what should be a security-savvy audience are carrying sensitive information on mobile devices unprotected. In fact, 19 percent revealed that their organisation had suffered a data breach following the loss of a portable device (e.g. a laptop, USB stick or CD), with 54 percent of those confessing that the device had not been encrypted. Losing unencrypted personal data in this way is a likely contravention of the Data Protection Act's security principle and grounds for regulatory action by the ICO, were it made aware.

    With 70 percent of organisations making data encryption mandatory, 11 of the 41 percent carrying sensitive information unprotected are actually breaching their own organisation's data protection policy, while the other 30 percent are simply following their organisation's woefully inadequate example. Digging a little deeper, the study, conducted among IT security professionals at this year's Infosecurity Europe show, uncovered a staggering 37 percent of respondents who confessed that between 81 and 100 percent of all sensitive data stored on their device(s) was left unprotected, so this is not just one or two documents transferred in a hurry.

    Andy Cordial, Origin’s managing director, explains, “When you consider the level of knowledge this audience is assumed to have, working in IT and having some form of security remit, yet the lax protection used for sensitive data, it’s hardly surprising data breaches are increasing in frequency and especially recently in size. I’m astounded that 30 percent of organisations are still oblivious to the Data Protection Act and the recommendation from the Information Commissioner that encryption be used to protect sensitive information.”

    The problem of sensitive data isn't restricted to any particular device: 67 percent use laptops, 52 percent USB sticks and 33 percent still rely on CDs, with 52 percent using another form of portable storage device.

    A final startling revelation is that just 36 percent of visitors felt that FIPS certification is ‘a must’ for encryption technology.

    Andy concludes, “The ICO recommends any solution should meet FIPS 140-2, yet 31 percent of our sample flippantly state that it ‘doesn’t matter’. Certification is the only ‘proof’ that the product actually does what the company ‘claims’ it does. It’s not just me saying this because our products have the certification: there have been incidents where products have had fundamental design problems, or even companies that have made false claims. My advice – don’t leave security to chance. Lock it down with something that’s actually proven to work or there is a strong possibility you’ll be crying over spilled data.”


     
  • Origin Storage 16:11 on 28/04/2011
    Tags: ChannelWeb, Chris McIntosh, Cyber, Cyber Crime, ICO, OriginStorage, ViaSat UK

    ICO hits out at data breach figures 

    Watchdog claims data loss figures released under the Freedom of Information Act have been misunderstood

    The Information Commissioner’s Office (ICO) has hit out at encryption vendor ViaSat over claims it has misinterpreted data supplied to the firm via a Freedom of Information (FoI) request.

    The data watchdog came under fire last week after it emerged that it has issued only a handful of financial penalties, totalling £310,000, for Data Protection Act (DPA) breaches, despite having acquired, a year ago, the power to impose fines of up to £500,000.

    The figures were obtained via an FoI request by ViaSat, which said the ICO’s inaction was harming the deterrent value of the fines.

    The ICO has since released a statement claiming that one of the statistics supplied to ViaSat, relating to the number of data breaches reported between 6 April 2010 and 22 March 2011, has been misinterpreted. This is a claim the firm staunchly denies.

    According to ViaSat, 2,565 potential data breaches were reported during that period, while the ICO claims the actual figure is far fewer.

    A representative from the ICO explained: “While it is true that the ICO has concluded that in 2,565 cases compliance with the DPA was unlikely, the figure for self-reported security breaches – where information has been disclosed or lost – is far lower.

    “The 2,565 [figure] cover all types of compliance including a company sending unwanted postal marketing, incorrect data being held or an organisation not handling a subject access request appropriately.”

    In total, the ICO said it received 603 self-reported data breaches, 37 of which resulted in action being taken.

    The representative continued: “These [self-reported security breaches] vary from minor administrative errors, where enforcement action would not be appropriate to serious data losses which led to the ICO imposing a monetary penalty.”

    In a statement to ChannelWeb, Chris McIntosh, chief executive of ViaSat UK, defended his firm’s use of the figures, claiming the fault lies in the way the ICO supplied its data.

    “The figure of 2,565 was given to us by the ICO in direct response to an FoI request on the number of data breaches reported since 6 April 2010,” he said. “Our request was clear in that we wanted information on the number of data breaches.

    “Even if you look at the revised figures the ICO has released, it is still clear that monetary penalties have been enforced in less than one per cent of the data losses it has dealt with.”

    Daniel Hamilton, director of the privacy campaign group Big Brother Watch, said the issue is not with the number of breaches reported, but with the small number the ICO is clamping down on.

    “For the ICO to only take enforcement action in such a small number of cases, suggests he is little more than a paper tiger,” he said. “The ICO has tough and wide-ranging powers and it is time he used them to maximum effect.”

    This is a view shared by Andy Cordial, managing director of vendor Origin Storage. “We still see a number of high-profile data losses and very little action from the ICO,” he said.

    “The majority of the 603 cases could have been prevented with a small investment and until fines become more widespread, confidential data will continue to be compromised,” he added.

     
  • Origin Storage 12:41 on 15/04/2011
    Tags: ICO

    Enigma SED Video Podcast 


     
  • Origin Storage 10:31 on 17/02/2011
    Tags: ICO

    UK’s Information Commissioner’s Office Imposes Fines Totalling £150,000 

    For the theft of unencrypted laptops containing personal information

    The Information Commissioner’s Office (ICO) served Ealing Council and Hounslow Council with monetary penalties for serious breaches of the Data Protection Act after the loss of two unencrypted laptops containing sensitive personal information.

    Ealing Council provides an out of hours service on behalf of both councils, which is operated by nine staff who work from home. The team receive contact from a variety of sources and rely on laptops to record information about individuals.

    Two laptops containing the details of around 1,700 individuals were stolen from an employee’s home. Almost 1,000 of the individuals were clients of Ealing Council and almost 700 were clients of Hounslow Council. Both laptops were password protected but unencrypted – despite this being in breach of both councils’ policies. There is no evidence to suggest that the data held on the computers has been accessed and no complaints from clients have been received by the data controllers to date but there was nevertheless a significant risk to the clients’ privacy.

    The ICO has served Ealing Council with a monetary penalty of £80,000, while ruling that £70,000 is appropriate for Hounslow Council. Ealing Council breached the Data Protection Act by issuing an unencrypted laptop to a member of staff in breach of its own policies. This method of working has been in place for several years and there were insufficient checks that relevant policies were being followed or understood by staff. Hounslow Council breached the Act by failing to have a written contract in place with Ealing Council. Hounslow also did not monitor Ealing Council’s procedures for operating the service securely.

    Deputy Commissioner, David Smith, said: “Of the four monetary penalties that we have served so far, three concern the loss of unencrypted laptops. Where personal information is involved, password protection for portable devices is simply not enough.

    “The penalty against Hounslow Council also makes clear that an organisation can’t simply hand over the handling of the personal information it is responsible for to somebody else unless they ensure that the information is properly protected.

    “Both councils have paid the price for lax data protection practices. I hope all organisations that handle personal information will make sure their houses are in order – otherwise they too may have to learn the hard way.”

    Following the incident, both councils contacted affected individuals. Both authorities have also put significantly improved policies in place for information security and have agreed to consider an audit by the ICO.
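    The Deputy Commissioner’s point that a login password is not encryption, and the finding that Ealing had “insufficient checks that relevant policies were being followed”, both come down to one practical check: before a laptop is issued, confirm that every filesystem holding data actually sits on an encrypted block device. The Python script below is an added example, not code from the ICO, either council or Origin Storage. It parses the JSON that Linux’s `lsblk -J -o NAME,TYPE,MOUNTPOINT` produces and flags any mounted filesystem that has no dm-crypt (`crypt`) layer above it in the device chain. The two embedded JSON documents are constructed samples, not output captured from a real machine, and the default exemption of `/boot` and `/boot/efi` is an assumption you may want to tighten.

```python
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output (not captured
# from a real machine): root and swap live on LVM inside a LUKS/dm-crypt
# container, /boot is a plain partition, and a USB stick is mounted unencrypted.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "mountpoint": "/boot"},
      {"name": "sda2", "type": "part", "mountpoint": null, "children": [
        {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
          {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
          {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}
        ]}
      ]}
    ]},
    {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "mountpoint": "/media/usb"}
    ]}
  ]
}
"""

# Second constructed sample: the same laptop with the USB stick unplugged.
SAMPLE_COMPLIANT_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "mountpoint": "/boot"},
      {"name": "sda2", "type": "part", "mountpoint": null, "children": [
        {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
          {"name": "vg-root", "type": "lvm", "mountpoint": "/"}
        ]}
      ]}
    ]}
  ]
}
"""


def _mountpoints(node):
    """Return the mountpoints of one lsblk node.

    Older lsblk emits a single 'mountpoint' key; newer releases emit a
    'mountpoints' list. Both are handled, and nulls are dropped.
    """
    mps = node.get("mountpoints") or [node.get("mountpoint")]
    return [m for m in mps if m]


def walk(nodes, behind_crypt=False):
    """Yield (mountpoint, device, encrypted) for every mounted node in the tree.

    A filesystem counts as encrypted only if a 'crypt' node sits somewhere
    above it in the device chain. An OS login password never appears in this
    tree at all, which is exactly why the ICO says it is not enough.
    """
    for node in nodes:
        enc = behind_crypt or node.get("type") == "crypt"
        for mp in _mountpoints(node):
            yield mp, node["name"], enc
        yield from walk(node.get("children", []), enc)


def audit(lsblk_json, exempt=("/boot", "/boot/efi")):
    """Return the sorted mountpoints that are mounted but not behind dm-crypt.

    `exempt` (an assumption, not ICO guidance) lists mountpoints that cannot
    normally be encrypted on a conventional Linux install.
    """
    tree = json.loads(lsblk_json)
    return sorted(mp for mp, _dev, enc in walk(tree["blockdevices"])
                  if not enc and mp not in exempt)


def is_compliant(lsblk_json, **kwargs):
    """True when no data-bearing filesystem is outside an encrypted device."""
    return audit(lsblk_json, **kwargs) == []


if __name__ == "__main__":
    for label, doc in (("laptop + usb", SAMPLE_LSBLK_JSON),
                       ("laptop only", SAMPLE_COMPLIANT_JSON)):
        print(f"{label}: compliant={is_compliant(doc)} unencrypted={audit(doc)}")
```

    To run it against a live machine, pass the output of `lsblk -J -o NAME,TYPE,MOUNTPOINT` to `audit()` instead of the sample; on Windows the equivalent evidence comes from `manage-bde -status`. Note what the check does not prove: the presence of a `crypt` layer says nothing about whether its key is protected by a passphrase or TPM rather than stored on the same disk, and whether the module carries FIPS 140-2 certification is a separate question from whether the device is encrypted at all.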

    Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
    • Fairly and lawfully processed
    • Processed for limited purposes
    • Adequate, relevant and not excessive
    • Accurate and up to date
    • Not kept for longer than is necessary
    • Processed in line with your rights
    • Secure
    • Not transferred to other countries without adequate protection

     
  • Origin Storage 11:25 on 12/01/2010
    Tags: ICO

    Data breaches to incur up to £500,000 penalty 

    New powers, designed to deter personal data security breaches, are expected to come into force on 6 April 2010. The Information Commissioner’s Office (ICO) will be able to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act. The ICO has produced statutory guidance about how it proposes to use this new power, which has been approved by the Secretary of State for Justice, and has been laid before Parliament today.

    When serving monetary penalties, the Information Commissioner will carefully consider the circumstances, including the seriousness of the data breach; the likelihood of substantial damage and distress to individuals; whether the breach was deliberate or negligent and what reasonable steps the organisation has taken to prevent breaches.

    Information Commissioner, Christopher Graham, said: “Getting data protection right has never been more important than it is today. As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details. When things go wrong, a security breach can cause real harm and great distress to thousands of people. These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act. I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act. But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law.”

    The Information Commissioner will take a pragmatic and proportionate approach to issuing an organisation with a monetary penalty. Factors will be taken into account including an organisation’s financial resources, sector, size and the severity of the data breach, to ensure that undue financial hardship is not imposed on an organisation.

    The power to impose a monetary penalty notice is designed to deal with serious breaches of the Data Protection Act and is part of the ICO’s overall regulatory toolkit which includes the power to serve an enforcement notice and the power to prosecute those involved in the unlawful trade in confidential personal data.

     