When the Information Commissioner's Office (ICO) announced that serious data breaches would be punished with a fine of up to £500,000 in April 2010, there was a suspicion that the toothless tiger would become a beast.
There was a wait for the first fines, but they eventually came in November 2010, with penalties of £60,000 for A4e and £100,000 for Hertfordshire County Council. Since then, the private sector has mostly escaped fines, while NHS trusts and local councils have felt the wrath of the regulator on multiple occasions.
I caught up with Tony Pepper, CEO of Egress Software, to discuss this. Egress has deployed Switch, its encryption and secure file transfer technology, in a number of local councils.
He pointed out that the fines issued to councils in Powys, Midlothian, Basingstoke, Brighton & Hove and Norfolk were all for sending information to the wrong person.
He said: “It is not about information security, it is about information assurance. It is not good enough to encrypt every time as once you send to the wrong person or they send it to someone else who shouldn't have it, it is useless. If you are sharing information you need to know who has it and when and that they cannot forward it.
“It is a challenge as you have to share data with a third party so you cannot stop the flow of information, so email has to be used. We offer a ‘poison pill’ function in Switch to delete an email.
“We believe that there is one constant theme with people emailing information, and email with information assurance can control this. However you share information, if you put information assurance around it and make sure the right people have access to it, you can pull it back. It is a training element, but technology too as encryption is difficult to use.”
Pepper also claimed that, despite the fined councils using the Egress technology, he was delighted when a fine was issued “as it raises awareness that information security is not enough, you need information assurance with a simple product and remote management”.
One notable user is Camden Council; its technical services manager, Ian Lawrence, told me that the council had increased training for staff, moved manual processes onto technological solutions and introduced a multi-layered security approach to eliminate the risks amid increased regulation.
Asked if he felt there was any particular reason for the breaches being more about human, rather than technical, error, he said: “I would assume that it could be for quite a few reasons, with government cost-cutting and savings having to be made across all councils; possibly staff are having to multi-task – I can only imagine that mistakes are happening.”
He also said he was surprised that it had been mostly councils hit by the recent problem of data loss, as opposed to the NHS or the private sector, as people in his position “are all under the same pressures and workloads”.
Talking to Quentyn Taylor, director of EMEA information security at Canon, I asked if he felt that the council fines were down to any particular reason.
He said: “Yes, it is far easier to deploy technical solutions than to educate staff and keep them educated. In effect there needs to be a mindset change. Remember, though, that physical document leaks have often been the source of the issues.”
He added that councils handle all kinds of information on residents, so the chance of a data breach is much higher.
“I am surprised, however, that the publicly declared cases (involving the significant fines) have involved almost exclusively local councils. One can only presume that data breaches perpetuated by private companies are not being reported and therefore not being investigated,” he said.
He called on the ICO to broaden its regulatory view in order to regain industry confidence and not be seen as a local-council-specific regulator.
I doubt that it is a direct action against councils; there has just been an unfortunate succession of fines against one sector that suffered a number of human errors. And I doubt there is any vindictiveness from the regulator against councils, or that there is a culture of failure within councils overall.
Personal errors can occur very easily, from clicking ‘reply all’ to sending a document to the wrong recipient. Failures where technology can play a part, such as by using a secure file transfer solution or an encrypted USB drive, are more easily solved but do cost money, and that can be the challenge.
Another vendor that has deployed its technology in councils is Absolute Software. Asked if he was surprised about the problems that councils had had, its global vice-president, Stephen Midgley, said: “This might be simply coincidence as we have seen data breaches across all sectors. However, with budget cutbacks in the public sectors, councils are needing to identify ways to reduce operational expenditures.
“Will we see more data breaches as a result of budget cutbacks? There is that possibility. I do believe, however, we will see more data breaches in 2012 and beyond as a direct result of increasing mobility. As the ICO has shown, cutting back on security in the age of increasing mobility is not a wise financial decision.”
Asked if he felt that the factor of human error could be eliminated, Midgley said he felt it was a case of both human and technical error. “The human factor, always the weakest link, is often the cause of the problem, but the lack of proper technology compounds the issue,” he said.
“The reality for any organisation is that employees will always be a constant source of potential data exposure as they just don't think about security the way IT professionals do. IT can train them (and they should) on best practices when it comes to security, but human nature will always prevail.
“What was common among the councils which were recently fined by the ICO, and other organisations that have been fined, is they did not have the appropriate technology in place to securely manage mobile data. Proper technology would ensure that paper was in digital format in a secure container in a mobile device or ensure confidential data could not be forwarded to an outside email address.”
Large groups will be fined again, but I doubt there will be the consistency demonstrated by the fines issued to the councils mentioned. Hopefully the lessons will be learned from them, and from those leading the pack in security and training, as experience can be inspiring.