Yesterday saw the second wave of fines from the Information Commissioner's Office (ICO) over breaches to the Data Protection Act.
After the landmark first cases in November where monetary penalties were issued to Hertfordshire County Council for ‘two serious incidents' regarding accidentally sent faxes, and to employment services company A4e for the loss of an unencrypted laptop, two more councils have also been fined for the loss of unencrypted laptops.
Ealing Council was fined £80,000 and Hounslow Council £70,000. An out-of-hours service run by Ealing Council on behalf of both councils lost two laptops containing the details of around 1,700 individuals when they were stolen from an employee's home. Almost 1,000 of the individuals were clients of Ealing Council and almost 700 were clients of Hounslow Council.
Both laptops were password protected but unencrypted, in breach of both councils' policies. A login password only gates access to the running operating system; if the drive is removed or the machine is booted from other media, the files on an unencrypted disk can be read directly, which is why the policies required encryption. There was no evidence to suggest that the data held on the computers was accessed, and no complaints from clients have been received by the data controllers to date.
The ICO ruled that Ealing Council breached the Data Protection Act by issuing an unencrypted laptop to a member of staff in breach of its own policies. This method of working had been in place for several years and the ICO reported that there were insufficient checks that relevant policies were being followed or understood by staff.
It said that Hounslow Council breached the act by failing to have a written contract in place with Ealing Council. Hounslow also did not monitor Ealing Council's procedures for operating the service securely.
Deputy Commissioner David Smith said: “Of the four monetary penalties that we have served so far, three concern the loss of unencrypted laptops. Where personal information is involved, password protection for portable devices is simply not enough.
“The penalty against Hounslow Council also makes clear that an organisation can't simply hand over the handling of the personal information it is responsible for to somebody else unless they ensure that the information is properly protected.”
Jonathan Armstrong, lawyer at Duane Morris LLP, said: “This seems another case of Groundhog Day. Every organisation in the UK needs to get the message that the ICO is serious about security breaches. There are technical measures organisations can take to try and make laptops more secure when they are lost or stolen. Until organisations get the message these fines will continue.”
Mark Fullbrook, director UK and Ireland at Cyber-Ark, welcomed the ICO sticking to its word and continuing to fine those that breach the Data Protection Act. “What's particularly interesting in this case though is that Ealing Council actually had a policy in place requiring all data to be encrypted, something which they'd evidently failed to roll out organisation-wide,” he said.
“Given both councils chose to ignore the warning signs, it's quite clear that more needs to be done to ensure that organisations take data protection more seriously. Fines certainly act as a wake-up call to those involved, but education is absolutely essential if staff are to understand the pitfalls that can ensue from poor data protection policies.
“With four fines already under its belt, the ICO seems set to make its point. Unfortunately we are still seeing the fallout from organisations that are simply not succeeding in protecting valuable data, so it remains to be seen whether such warnings will be taken seriously. If not, and lessons are to be learned the hard way, at least we can be sure the ICO will not be turning a blind eye.”
Graeme Stewart, business development director for the UK public sector at Sophos, said: “These are pretty embarrassing mistakes for the two councils involved. However, £80k and £70k are hardly punitive damages. It seems that, given the maximum possible fine is £500k, the ICO is attempting to be proportionate and give himself wiggle-room for the future. So it's tough to blame the ICO, but it's not tough to blame those that gave him these powers.
“As these sums of money act more like a slap on the wrist, the real question has to be about disciplinary action, internal remedy and procedural changes within these authorities. Rather than just shuffling the sum of these fines back to the Ministry of Justice, wouldn't it be far more beneficial if this money was spent on finding a proper remedy: user education; remedial action for those whose privacy has been breached; or legal training for people who aren't lawyers within the authority to explain what the legislation says and means?
“I applaud the fine for its sentiments; it is not appropriate to treat client information in such a slapdash manner, but nor is it appropriate for the fine to be so pathetically small. Three councils fined in as many months for a sum total less than it costs to put a proportionately secure working environment in place is not a deterrent, it's a mild rebuke, and if fines are not a deterrent, what's the point of them in the first place?”
Christian Toon, head of information risk at Iron Mountain, called the fines a wake-up call to local councils, as they need to ensure they have robust policies and processes in place for managing, storing and tracking information and that their staff are trained to use these processes.
Kevin Bocek, director of product marketing at IronKey, said: “The ICO continues to make a crystal clear statement: knowingly leaving citizens' data unprotected is an egregious act and dereliction of duty. The message time and time again is that you must take action to protect data and at all times understand that data is protected.
“On average the ICO is establishing an approximate £80 per record breached cost, so government and private enterprise now have a very clear business case to calculate the cost of action compared to inaction. Given these facts I believe now is a great time to be an IT manager looking to make the case for data protection.
“However there are signs that the ICO is actually having a positive impact, as we're seeing large parts of the government adopting encryption and make staff demonstrate a legitimate business reason for taking data outside the organisation. Sadly, these fines and actions by the ICO will continue until this practice becomes the norm and not the exception.”