The Information Commissioner's Office (ICO) has levied £2,032,000 in fines on public-sector bodies in the past 18 months, prompting at least one industry figure to call for a different approach: classifying and protecting the data itself rather than the systems that hold it.
The public sector has experienced a security breakdown that the ICO said was easily preventable. "The monetary penalties we issue could have been prevented if adequate measures and safeguards had been in place," Simon Entwisle, director of operations at the ICO, told V3 magazine.
That total does not include the recent £120,000 penalty assessed against Stoke-on-Trent City Council, which was fined after a second offense involving unencrypted sensitive data. In this case, information about a child custody case was not only sent to the wrong recipient but was also sent by unencrypted email, contrary to the council's own guidance. Unencrypted email can be read by anyone with access to the path between sender and recipient, so the potential exposure is far wider than a single misdirected message. On that basis the ICO found the council in breach of section 4 of the UK's Data Protection Act, prompting the fine.
The fact that it was a second offense and a known issue highlights the ICO's overall data protection concerns. "Our concern isn't just about having the right policies and procedures in place, but around bringing about a culture among staff whereby everyone takes their responsibilities seriously and effective data handling becomes second nature," Entwisle told V3.
2010 saw a number of high-profile data-handling failures in the UK, including at Greater Manchester Police, which suffered a full-blown Conficker worm infection after staff plugged infected USB sticks brought from home into their office PCs. Greater Manchester Police's computer systems were effectively cut off from most of the Police National Computer for around three days. Also that year, a USB drive containing patients' medical records and personal information on NHS staff was apparently lost by a member of staff at a secure medical unit in Scotland and turned up in a supermarket car park. The unencrypted device was found by a 12-year-old boy and reportedly contained names, addresses and medical records of patients, including details of some patients' criminal histories.
These were but two of the reported incidents, and in response the ICO was given the power in April 2010 to impose penalties of up to £500,000 on organizations for violations of the Data Protection Act. Since then it has toughened its stance on data breaches, but a lack of security awareness among staff remains an endemic issue, some say. For instance, even with the new penalty structure in place as a deterrent, Brighton and Sussex University Hospitals NHS Trust was hit with a £325,000 monetary penalty in July, the biggest fine to date.
“The news that the Information Commissioner’s Office has fined public-sector organizations over £2 million in the last 18 months has shown how basic lessons on information security are not being learned,” said Ross Parsell, key account director for government and commercial at Thales UK, in an email. “A perimeter-based approach to security based around firewalls and defensive controls around the IT network is no longer sufficient. Organizations need to rethink their approach to information security and take care to classify and protect data itself according to the sensitivity of that information.”
Parsell advocates that the public sector needs to consider the status of different types of data in order to take the steps to adequately protect it, categorizing it appropriately.
Data at Rest, for instance, refers to the inactive data physically stored in databases, spreadsheets, data warehouses, USB sticks and mobile devices – which is the most easily lost or physically stolen.
“From a security standpoint, data at rest is vulnerable,” said Parsell. “It is imperative that public sector organizations protect sensitive data against brute force attacks with strong encryption for when authentication methods like usernames and passwords fail.”
Data in Transit meanwhile is data transferred between two nodes in a network. “In virtually all cases, the network cannot be trusted and the data must be protected with network encryption, supplemented by SSL certificates, Internet Protocol Security (IPSec) and other precautions where relevant,” Parsell said.
Data in Use is data held in memory while an application is processing it. Sensitive data should be protected by application-level encryption and exposed on a need-to-know basis: encrypted as soon as possible and decrypted only when, and for whom, it is necessary. This selective approach can only be performed at the application level, Parsell noted.
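The following Go program is an added illustration of the at-rest and in-use advice above; it is not code from the article, from Thales or from any of the organizations mentioned. It assumes a hypothetical patient record with one sensitive field, a 256-bit data-encryption key generated in-process (a real deployment would fetch it from a KMS or HSM rather than create it beside the data), and a single privileged role, "clinician". The sensitive field is encrypted with AES-256-GCM the moment the record is created, stays ciphertext while stored, and is decrypted only in the view served to the privileged role; everyone else receives it redacted. The record ID and field name are bound in as additional authenticated data, so a ciphertext lifted from one record and pasted into another fails to decrypt, as does any tampering with the stored blob.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Record is a constructed sample type (not from the article): identifying
// fields are kept in the clear, the sensitive field is stored only as
// base64(nonce || ciphertext || GCM tag) and is never plaintext at rest.
type Record struct {
	ID           string
	Name         string
	MedicalNotes string
}

// newKey returns a random 256-bit data-encryption key. Assumption for the
// example only: in practice the key lives in a KMS/HSM, not next to the data.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// aad binds a ciphertext to the record and field it belongs to, so a blob
// copied from one record into another is rejected at decryption time.
func aad(recordID, field string) []byte {
	return []byte(recordID + "/" + field)
}

// sealField encrypts plaintext with AES-GCM under a fresh random nonce.
func sealField(key, plaintext, additional []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext||tag to the nonce we pass as dst.
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, additional)), nil
}

// openField decrypts and authenticates a blob produced by sealField.
func openField(key []byte, encoded string, additional []byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, additional) // any tampering fails here
}

// NewRecord encrypts the sensitive field immediately, before the record is
// stored or handed to any other component ("encrypted as soon as possible").
func NewRecord(key []byte, id, name, notes string) (Record, error) {
	ct, err := sealField(key, []byte(notes), aad(id, "MedicalNotes"))
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, Name: name, MedicalNotes: ct}, nil
}

// View decrypts the sensitive field only for the role that needs it
// ("decrypted only when necessary"); every other caller gets it redacted.
func View(key []byte, r Record, role string) (Record, error) {
	out := r
	if role != "clinician" {
		out.MedicalNotes = "[redacted]"
		return out, nil
	}
	pt, err := openField(key, r.MedicalNotes, aad(r.ID, "MedicalNotes"))
	if err != nil {
		return Record{}, err
	}
	out.MedicalNotes = string(pt)
	return out, nil
}

func main() {
	key, _ := newKey()
	// Constructed sample input, not real patient data.
	rec, _ := NewRecord(key, "P-1001", "A. Patient", "allergy: penicillin")
	for _, role := range []string{"admin", "clinician"} {
		v, err := View(key, rec, role)
		fmt.Printf("%-9s -> %+v err=%v\n", role, v, err)
	}
}
```

Two design points are worth noting. First, the decision of who sees plaintext is taken in application code, next to the decryption call, which is exactly what the "application level" remark above means; a database or disk encryption layer cannot make that distinction because it decrypts for every authenticated caller. Second, authenticated encryption (GCM) is what turns "encrypted" into "protected": without the tag and the bound record ID, an attacker who cannot read a blob can still move or alter it. Data in transit is a separate concern and is not covered by this block; the encrypted field still needs to travel over TLS or IPsec, since the name and ID beside it are in the clear.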
“By classifying data rather than systems for different levels of protection, public sector organizations can protect themselves from the indignity and criticisms of security breaches, as well as the associated data breach financial penalties,” he added. “The threats to data theft, both internal and external and by either human error or malicious intent are costly and dangerous. Government has a duty to protect this information and the Public Services Network is a major step to fulfilling this duty.”