Friday 25 November 2011

The BBW data breach report – a tsunami of trivia


There’s an interesting report out from the folk at Big Brother Watch. It highlights research revealing more than 1035 data breaches across 132 local authorities, including at least 35 councils that have lost information about children and those in care. At least 244 laptops and portable computers were lost, while 98 memory sticks and more than 93 mobile devices went missing.

Only 55 breaches were reported to the Information Commissioner’s Office, and only 9 incidents resulted in termination of employment. BBW were very concerned that “highly confidential information has been treated without the proper care and respect it deserves”.

Is this report really as shocking as it appears? Let’s unpack it a little.

First, the time frame over which the breaches occurred: the report covers breaches over a 3 year period, from July 2008 to July 2011.

Second, the breaches reported include losses of encrypted as well as unencrypted information. So it’s really hard to unpack the report to work out how many breaches related to unencrypted sensitive information – the sort that really could cause harm or embarrassment to those whose information was compromised.

Third, and as we would expect from a report of local authority data breaches, a small proportion (less than 10%) of breaches related to information about some 3100 children, young people or students.

Fourth, the incidents included cases where council staff had lost information which had been downloaded onto personal laptops and computers. The report highlights the risks involved when data is moved around by staff to enable them to work on a different machine: “Where council information has been transferred to a personal machine, there is no guarantee that personal devices contain the same security and encryption protection. Indeed, several incidents have been highlighted where malware has been discovered on machines, a risk of using personal machines where virus and anti-malware is often not at the same level as a corporate machine.”

And, of course, the report repeats the advice on the use of portable memory storage and mobile devices that all security professionals know off by heart, yet can’t quite get their businesses to fully implement: “Policies and procedures should reflect not only how information is stored, but the grounds for which it should be moved in the first place. As soon as information is held on a portable device, the risk for that information to be compromised significantly increases and so much more needs to be done to restrict the transfer of data occurring in the first place.”

So where does this leave us? Well, the report does offer some fine (or tongue-in-cheek) examples of the lengths to which a local authority will (apparently) go to contain a data breach. For example, in Bolton, a smartphone containing internal contact details of council employees slid off a car bonnet and fell into a shaft. The phone was assessed to be irretrievable without dismantling the car park. Instead, it was sent a remote wipe command within one hour, and the owner of the car park subsequently sealed the cavity with concrete. My, they take the security of their staff seriously in Bolton!

Sometimes when paper documents were mislaid or wrongly addressed, the breach was reported to the ICO. Mostly, they were not.

And does it really matter that the ICO was not formally advised of all security breaches?

Frankly, I think it supports the case that reports of all data breaches would have served no useful purpose, as so many of them were trivial in nature or occurred despite the usual steps being taken to safeguard against loss. For example, Bromley council reported that 2 USB sticks were stolen from a council-run youth centre. The USB sticks were inside a security safe which was itself stolen.

Buckinghamshire council reported that a disk containing data on vulnerable children was left in the drive when a personal computer was taken away to be replaced – but the repairers were immediately contacted and the data was retrieved. In another breach, it reported that a social worker lost client notes in their office – but access to that site is controlled and no outsiders are permitted to visit that area.

In other cases, global emails were sent without blind copying. Simple mistakes – we’ve all done that. Oh yes. Yes, even (unnamed) experienced and award-winning data protection solicitors have done that.

Actually, what I would have loved to read about was not the data breaches, but a frank assessment of whether anyone was actually harmed as a result of the breaches. The report’s authors did not address this point, and I think that’s a lost opportunity.

What we have is evidence of system failures, but not evidence of system failures that caused harm.

So we should be careful not to scare the readers of these reports by suggesting that, in light of these incidents, data handling standards are necessarily unacceptably low. Of course there’s always room for improvement, but until real harm can be seen to have been caused, I would expect many council officials to be wary of spending a greater proportion of their diminishing budgets on enhanced security measures.

Perhaps, of the 1035 incidents, there really were only 55 that merited the attention of the ICO. In that case, the ICO has been saved reading through an awful lot of reports of trivial breaches.

Let’s hope that the new data protection directive also contains proposals that require data controllers to report only the serious breaches to the regulator, rather than making it wade through a tsunami of trivia.


Sources:
http://www.bigbrotherwatch.org.uk/home/2011/11/local-authority-data-loss-exposed.html#.Tsy-109jUjw
http://bigbrotherwatch.org.uk/la-data-loss.pdf