The WSJ reports that Motorola was caught selling pre-owned (technically, refurbished) Xoom tablets with the prior owners' data still on them. I've often noted that the use of data encryption like AlertBoot is a precautionary measure because you never know what might happen. This is not quite what I had in mind.
According to wsj.com, 100 of 6,200 Xooms sold via woot.com may have contained personal data such as email and social media passwords. I guess Motorola failed to erase the devices properly. Not that the previous (temporary) owners of the devices ought to be blamed, but if they had turned on the encryption software setting for their Xoom tablets, they wouldn't have this problem. From the Motorola site (my emphasis):
Motorola XOOM - Data Encryption
Does the Motorola XOOM support data encryption?
Yes, the Motorola XOOM does support data encryption.
You can encrypt your accounts, settings, downloaded applications and their data, media, and other files. Once you encrypt your tablet, you can't unencrypt it except by performing a factory data reset, erasing all the data on your tablet.
Encryption takes up to an hour. You must start with charged battery and keep your tablet plugged in until encryption is complete. If you interrupt the encryption process, you will lose some or all your data.
Since Motorola was reselling these, they had to make sure that it looked and operated as close to brand new as possible. I'm an iPad user myself, but I assume that with encryption turned on, a password is always required to access the device. Otherwise, what's the use, no? It'd be like taking an extremely expensive personal safe and using it as an open bookcase.
Anyhow, consider Motorola's position: here's a device that's about to be sold as a refurbished item and nobody can get in the device because of the password. What do they do? Reset the encryption (i.e., blow away the encryption key), erasing all the previous data in the process. In fact, I'd probably do it the lazy way: 10 wrong password entries and Bob's your uncle.
Regardless of what the device happens to be, if you carry sensitive data on a digital device, you're best off using full disk encryption on it. What is full disk encryption? As the name implies, it's when the entire disk is encrypted, so everything written to it, operating system included, is protected while the device is powered off or locked. This way, there are no loose ends when it comes to your data security. For example, you won't be left wondering whether that last file you received via email was actually encrypted or not.
As you can see from Motorola's explanation, the initial encryption pass takes a little time to complete. The time scales with the amount of storage to be converted: generally, the bigger the disk, the longer it takes. The speed of the CPU (and whether it has hardware AES support), disk throughput, and other factors play a part, but the biggest by far is capacity. After all, we're talking about reading and rewriting every single sector on the disk.
But it's worth the wait. You only need to make that pass once; afterwards each sector is encrypted and decrypted on the fly as it is written and read, unlike file encryption, which depends on someone remembering to encrypt each new file. After that, your only worry is not forgetting your password.
(Of course, managed encryption service providers like AlertBoot have ways to reset your password after confirming your identity, as well as providing reports for monitoring and audit purposes. That's the beauty of having a third party manage stuff for you.)
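The key hierarchy that makes all three of these things work (a factory reset that "blows away the encryption key", a single one-time encryption pass, and a password reset by a managed service without re-encrypting the disk) is shown below. This is an added example, not Motorola's or AlertBoot's code, and it does not describe how the Xoom actually implements its encryption. The disk cipher is a stand-in (an HMAC-SHA256 keystream XORed over each sector) so that the example runs with only the Python standard library; a real product uses AES. The sector size, the lockout threshold of 10 failed unlocks, and the PBKDF2 work factor are assumptions.

```python
import hashlib
import hmac
import os
import secrets

SECTOR_SIZE = 512            # assumed sector size
MAX_FAILED_UNLOCKS = 10      # assumed lockout policy: the "10 wrong password entries" wipe
PBKDF2_ITERATIONS = 100_000  # assumed password-stretching work factor


def prf_stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256 in counter mode: a stand-in for the real disk cipher (AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def kek_from_password(password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the password. The disk is never keyed by this directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def wrap_dek(kek: bytes, dek: bytes) -> bytes:
    """Encrypt the DEK under a KEK and MAC the result, so a wrong password is detected, not silently accepted."""
    nonce = os.urandom(16)
    ciphertext = xor_bytes(dek, prf_stream(kek, nonce, len(dek)))
    tag = hmac.new(kek, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unwrap_dek(kek: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or damaged key slot")
    return xor_bytes(ciphertext, prf_stream(kek, nonce, len(ciphertext)))


class EncryptedTablet:
    """Sectors are encrypted once under a random DEK; passwords only ever wrap and unwrap that DEK."""

    def __init__(self, password: str, recovery_key: bytes):
        dek = secrets.token_bytes(32)
        self.salt = os.urandom(16)
        self.slots = {
            "user": wrap_dek(kek_from_password(password, self.salt), dek),
            "recovery": wrap_dek(recovery_key, dek),   # escrow slot a managed service would hold
        }
        self.flash = {}            # sector number -> ciphertext: what a refurbisher or thief can dump
        self.failed_unlocks = 0
        self._dek = dek            # RAM copy; a real device drops it when locked

    def write(self, sector: int, data: bytes) -> None:
        assert len(data) == SECTOR_SIZE and self._dek is not None
        self.flash[sector] = xor_bytes(data, prf_stream(self._dek, sector.to_bytes(8, "big"), SECTOR_SIZE))

    def read(self, sector: int, dek: bytes) -> bytes:
        """Decrypt a sector with whatever key the caller managed to obtain."""
        return xor_bytes(self.flash[sector], prf_stream(dek, sector.to_bytes(8, "big"), SECTOR_SIZE))

    def unlock(self, password: str) -> bytes:
        if "user" not in self.slots:
            raise RuntimeError("device has been wiped: there is no key slot left to unlock")
        try:
            dek = unwrap_dek(kek_from_password(password, self.salt), self.slots["user"])
        except ValueError:
            self.failed_unlocks += 1
            if self.failed_unlocks >= MAX_FAILED_UNLOCKS:
                self.factory_reset()
            raise
        self.failed_unlocks = 0
        return dek

    def change_password(self, old: str, new: str) -> None:
        """Re-wraps the DEK only; nothing on flash is re-encrypted."""
        dek = self.unlock(old)
        self.slots["user"] = wrap_dek(kek_from_password(new, self.salt), dek)

    def reset_password_via_recovery(self, recovery_key: bytes, new: str) -> None:
        """What a managed service can do after verifying the user's identity: unwrap via the escrow slot."""
        dek = unwrap_dek(recovery_key, self.slots["recovery"])
        self.slots["user"] = wrap_dek(kek_from_password(new, self.salt), dek)
        self.failed_unlocks = 0

    def factory_reset(self) -> None:
        """Crypto-erase: destroy every copy of the DEK. The ciphertext stays on flash, now unrecoverable noise."""
        self.slots.clear()
        self._dek = None
```

Two things are worth noticing. Changing or resetting the password never touches the sectors on flash, only the wrapped copy of the DEK, which is why the encryption pass happens once. And after the reset the ciphertext is still sitting on the flash chip: a refurbisher who dumps the storage gets noise rather than the prior owner's email password, but only if that key-destroying step was actually carried out before the device went back on sale.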
Related Articles and Sites:
http://blogs.wsj.com/digits/2012/02/03/oops-motorola-resells-uncleared-xoom-tablets/
https://motorola-global-portal.custhelp.com/app/answers/detail/a_id/62464/~/motorola-xoom---data-encryption
http://androidcommunity.com/refurbished-xoom-units-from-woot-contain-old-user-data-20120203/
Oldendorf Medical Services, in Albany, New York, has announced a data breach. According to a short piece at timesunion.com, two laptops were stolen during a break-in on January 18. The laptops contained "minimal clinical information." Whether this information was protected with hard disk encryption was not mentioned.
But, seeing in what capacity the computers were being used, I'd say it's safe to say that the equivalent of AlertBoot endpoint security was not used.
The computers did include SSNs and other information for some.
A suspect is in custody for picking the locks to Oldendorf Medical Services' offices and stealing two laptop computers that were being used with cardiac test machines. One of the computers was "a pulse volume recording 'PVR' and the other was an endothelial peripheral arterial tone, or 'endopat.'" Both are used to detect coronary atherosclerosis, according to timesunion.com.
Computers that are part of medical equipment are generally not encrypted. While I'm not familiar with the reason why, I've always imagined it was due to compatibility issues. What these issues could be, I have no idea. However, it's the only explanation that makes sense, since medical equipment by definition collects patient data -- data that is considered protected health information (PHI) and requires protection under federal and state law.
That's not to say that it's impossible to protect PHI with encryption software when computers and medical equipment meet. I've had a chance to review medical equipment catalogs last year, and many of them mention how their such-and-such equipment now features AES-256 encryption and what not.
So what gives? Why now? I'd opine that it's based on a confluence of different forces.
First, progress in the technical arena. It's only within the past 10 years or so that computers have grown so powerful that the impact of full disk encryption software has become imperceptible. Backing up and storing data has also progressed to the point where it can be called "automated." Nothing is worse than finding that your patient data is in an encrypted computer that just died...and you don't have copies! Management of keys and such has also only recently become something other than overbearing.
Second, updated regulations and laws. Even today, the use of encryption is not mandatory in medical settings. However, HITECH, HIPAA amendments, and other federal and state laws make it almost impossible not to use encryption when it comes to PHI protection. While I won't go as far as saying that encryption is a selling point, the lack of it could very well be grounds for choosing someone else. Such laws and regulations have only been passed in the past 5 years or so.
Third, better public understanding. Let's get something straight: the odds of a patient coming into a clinic or other medical organization and inquiring whether their medical information is encrypted before subjecting themselves to a surgery, checkup, examination, etc. is close to nil. But, in the event of a data breach, you'll see that for the most part, it's the covered entities that didn't use encryption that pay dearly, be it in the courts or elsewhere.
Related Articles and Sites:
http://www.phiprivacy.net/?p=8866
http://www.timesunion.com/local/article/Laptops-stolen-from-Albany-doctor-s-office-2753512.php
It looks like I won't be stopping coverage of Stratfor any time soon. According to statesman.com, Stratfor -- the international geopolitical analysis company that was hacked by Anonymous about one month ago -- has been presented with a lawsuit for more than $50 million. This is independent of whatever fines Stratfor will pay for violating PCI-DSS requirements, if any. Is it possible that just a dab of data encryption and common sense could have prevented all of this?
From the statesman.com:
The New York lawsuit, filed by David Sterling of Woodbury, N.Y., accuses Stratfor and its management of negligence, breach of contract and violation of the federal Stored Communications Act in allowing its customers' information to be stolen and in not notifying customers about the theft for more than two weeks after it occurred.
The suit says Stratfor failed "to take reasonable steps to secure" its computer systems from outside attack. It also says Stratfor kept information about the hacking attack secret from its customers.
I've covered the Stratfor situation here, here, and here. In summary: Stratfor didn't encrypt client information, and it turns out that passwords were not salted.
Is this enough for a charge of negligence? I'm not a judge, so what I think doesn't matter, but here are my two cents: it's not negligence. But it comes pretty close.
You see, that encryption software protects data is not a big secret. Likewise when it comes to protecting credit card information: there are industry rules -- and I mean rules, not guidelines -- that require a stored card number to be rendered unreadable, with encryption being the usual way to do it. Another not-so-big secret. Plus, the entire hash-salting fiasco: salting passwords before hashing them is established practice, and has been for decades. A salt is a random per-user value stored next to the hash; it means two users with the same password get different hashes, and an attacker can't crack the whole table with one precomputed lookup. A salt on its own isn't enough, either: the hash also needs to be deliberately slow (bcrypt, scrypt, PBKDF2) so that every guess costs the attacker real work.
This is an intelligence firm, dealing with defense personnel all over the world. Are we to believe that they had no idea that encrypting information was important?
Of course, the use of cryptographic solutions does not guarantee 100% that Anonymous wouldn't have laid their mitts on the information that was breached. But let me tell you, accusations of negligence are less likely to hold sway if encryption was used.
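As an added example (not Stratfor's code; the "leaked" table below is constructed here, with an unsalted MD5 standing in for whatever fast hash was in use), here is the difference a salt and a slow hash make to an attacker holding a dumped credential table:

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed work factor; tune so one verification costs roughly 100 ms on your hardware


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast hash, so the same password yields the same digest for every user."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed stand-in for a dumped credential table, not real data
LEAKED_UNSALTED = {
    "alice": unsalted_hash("password"),
    "bob": unsalted_hash("password"),
    "carol": unsalted_hash("letmein"),
    "dave": unsalted_hash("Tr0ub4dor&3"),
}
WORDLIST = ["123456", "password", "qwerty", "letmein", "stratfor"]


def crack_unsalted(leaked: dict, wordlist: list) -> dict:
    """One table computed from the wordlist is enough to test every user in the dump at once."""
    table = {unsalted_hash(w): w for w in wordlist}
    return {user: table[digest] for user, digest in leaked.items() if digest in table}


def shared_passwords(leaked: dict) -> set:
    """Identical unsalted digests expose password reuse before anything is cracked."""
    seen = {}
    duplicates = set()
    for user, digest in leaked.items():
        if digest in seen:
            duplicates.update({user, seen[digest]})
        seen.setdefault(digest, user)
    return duplicates


def hash_password(password: str, salt: bytes = b"", iterations: int = ITERATIONS) -> str:
    """Salted and stretched, stored as algo$iterations$salt$digest so parameters can be raised later."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time comparison


def crack_salted(stored: dict, wordlist: list) -> tuple:
    """Against salted hashes every guess must be rehashed per user. Returns (found, hashes computed)."""
    found = {}
    work = 0
    for user, record in stored.items():
        for word in wordlist:
            work += 1
            if verify_password(word, record):
                found[user] = word
                break
    return found, work
```

With the unsalted table, one lookup built from the wordlist cracks every user in a single pass, and alice and bob's identical digests give away a shared password before any cracking happens. With per-user salts the same wordlist has to be rehashed for every user, and the PBKDF2 iteration count multiplies the cost of each of those guesses. The stored-format string carries its own parameters, so the iteration count can be raised for new records without invalidating old ones.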
Related Articles and Sites:
http://www.statesman.com/business/technology/austin-based-stratfor-faces-lawsuit-over-data-breach-2139417.html
A laptop computer was stolen from Lexington Clinic's Neurology Department, "despite stringent security protocols." What these protocols refer to is not specified. However, seeing how Lexington Clinic is "following all requirements of the American Recovery and Reinvestment Act of 2009 and the Health Information Technology for Economic and Clinical Health Act by notifying patients of the breach," I'd say it's quite safe to note that drive encryption software like AlertBoot was not used in this particular case.
The laptop was stolen on December 7, 2011 from the neurology department at St. Joseph Office Park at 1401 Harrodsburg Road, in Lexington, Kentucky. According to kentucky.com, it took weeks to figure out what information was on the laptop, which was used with the clinic's electromyography machine.
However, in keeping with HITECH, the clinic had to make a disclosure within 60 calendar days of discovering the breach. Seeing how the theft occurred on December 7 and was discovered on December 8, the notification comes towards the latter end of the 60-day rule: January 30 marks the 53rd day.
The computer contained names, contact information, and diagnoses for a number of patients who sought the neurology department's services, some going as far back as 5 years. It did not include SSNs, credit card numbers, bank account numbers, or other financial information.
Regardless, Lexington Clinic is asking any affected patients to "stay alert for signs of identity theft":
- Accounts you didn't open and debts on your accounts that you can't explain.
- Fraudulent or inaccurate information on your credit reports, including accounts and personal information, such as your Social Security number, address(es), name or initials and employers.
- Failing to receive bills or other mail. Follow up with creditors if your bills don't arrive on time.
- Receiving credit cards that you didn't apply for.
- Being denied credit, or being offered less favorable credit terms, like a high interest rate, for no apparent reason.
- Getting calls or letters from debt collectors or businesses about merchandise or services you didn't buy.
There are many that might jump up and ask, "hey, isn't this a HIPAA breach?" Not necessarily. Sure, the fact that patients and the media are being notified (under HITECH, which amends HIPAA, if 500 or more individuals in a state are affected, the covered entity must notify prominent local media and disclose that data was breached) indicates that encryption software was not used on this laptop.
It's an assumption that encryption wasn't used, of course. I'm of the opinion that most hospitals, clinics, and other medical organizations and agencies wouldn't want negative coverage, if avoidable, so the use of encryption would lead to bupkus in the event of a laptop theft; it's perfectly legal under HITECH. Plus, with the use of cryptographic solutions, it's not just a legal loophole. Provided the laptop was powered off or locked with a strong passphrase, that data stays out of reach no matter how the thief tries to force his way into the device. (This, however, does not preclude a hospital from using encryption and going public with the breach. I can think of at least two occasions where this happened.)
Anyhow, returning to the subject at hand: this might not be a HIPAA breach. After all, consider the situation: the laptop was not stolen from a car, or an employee's home. It was stolen from the clinic. Strike one. I'm assuming that the clinic offered a certain degree of physical security.
Second, the laptop did have "stringent security protocols." Again, it's pretty evident that encryption was not part of that security protocol. However, nothing within HIPAA states that encryption must be used. Under the Security Rule, encryption is an "addressable" specification: a covered entity must implement it if doing so is reasonable and appropriate, and otherwise document why not and put an equivalent alternative measure in place.
Still, encryption is advisable even if it's only addressable: not only is it a better way of securing data, it's also what takes a lost device out of the Breach Notification Rule under HITECH, since PHI encrypted to the standard in the HHS guidance doesn't count as "unsecured." It's win-win, for covered entities and patients alike.
Plus, a solution like AlertBoot not only protects laptops' contents, it also makes conducting audits and monitoring easier. Its built-in encryption audit reports let a covered entity quickly show that a stolen laptop was encrypted at the time it went missing, which is exactly what HIPAA and HITECH ask it to demonstrate.
Related Articles and Sites:
http://www.phiprivacy.net/?p=8879
http://www.lexingtonclinic.com/news/lexingtonclinicnotifyingpatientsofinformationsecuritybreach1.html
http://www.kentucky.com/2012/01/31/2049109/stolen-lexington-clinic-laptop.html
http://www.wtvq.com/content/localnews/story/Patients-Security-Breached-by-Stolen-Laptop/uVEV9skuAESFOF9-NCDw5Q.cspx
Current and former employees of Regions Financial Corp are facing a data breach after a USB flash drive that was mailed went missing. The USB device was protected with data encryption software. This is a good thing. However, the information needed to decrypt the data was mailed in the same envelope as the USB device.
The Regions Financial data breach was actually caused by outside auditor Ernst & Young. An employee mailed the flash drive and the "decryption code" in the same envelope to a different branch. When the mail arrived at its destination, the USB drive was missing. The decryption code was still there.
Employees of Regions were alerted to the breach via a letter dated January 23. The breach took place in November. Information about 401(k) plans was lost, including names, SSNs, and possibly dates of birth.
The situation is ironic: E&Y has released studies concerning data security. Less than two years ago, it had noted that secondhand flash drives were chock-full of sensitive data. If I'm not wrong, they had also pointed out the need for encryption, or at least the use of better data deletion techniques.
I don't really remember if they had pointed out why keeping the password for accessing encrypted data in the same place as the encrypted data is a bad idea. On the other hand, do you really need a multi-million dollar consultancy firm to point out the truly obvious?
What should the employee have done? Obviously, I don't have a problem with sensitive data being sent over regular mail, as long as disk encryption was used to secure the data. But doing so poses a problem: how does one let the recipient know what the password is?
Putting the password in the same envelope is a bad idea. Putting the password in a separate envelope, mailed separately, is acceptable. Some might turn to email, but this also poses a problem: what if the email address is a shared one? Or what if the recipient's company has a policy where all emails are copied to a particular group's members? Better still is a password agreed in advance, so that nothing that travels with the drive, or in any single later message, unlocks it.
The best way to divulge the password might still be via the phone. Once the recipient has the USB device in hand, he picks up the phone and calls the sender. Of course, there's also the possibility of the phone being tapped.
All methods of sharing passwords carry some possibility of a leak. Some, however, carry a much higher one than others.
I should also note that the decryption code still being in the envelope proves nothing: whoever took the drive could have copied the code and left it in place.
Related Articles and Sites:
http://blog.al.com/businessnews/2012/01/regions_says_employee_401k_dat.html
In a clear sign that it frowns on all data breaches, not just electronic ones, the UK's Information Commissioner's Office (ICO) has handed out its largest penalty to date to the Midlothian Council in Scotland. It's the first ever ICO fine for any Scottish local government, and it underscores that, while laptop encryption software like AlertBoot goes a long way towards placating any concerns, it's not the only thing UK data controllers should be focusing on.
While it's true that the Midlothian Council has received the largest penalty to date (£140,000. The next largest one is £130,000 handed to the Powys County Council in December 2011. I keep a list of ICO monetary penalties), one could also argue that it's not a fine, but a total fine for 5 data breaches: The wrong child's name was entered into an agreement A GP was sent a request for a child's report. The child wasn't registered with the GP A file was unintentionally included with other documents and sent to unintended recipients Minutes of a child's protection conference were sent to an old address A letter on the foster care status of a child was sent to the wrong people The above occurred in a period of 4 months. It could be argued that each breach cost the council £28,000, putting it at the bottom of the pile. Incidentally, the £140,000 was the reduced figure from £150,000 after the council appealed the fine.
From scotsman.com:
Midlothian Council said it referred itself to the commissioner and insisted its procedures were sound, despite the breaches. Colin Anderson, chief social work officer, said: "While the council accepts there were mistakes, they were caused by human error. Clear procedures were in place but were not followed."
That the breach was a result of human error is a moot point: that's usually the case when it comes to the ICO handing out monetary penalties. With respect to the UK data breaches I've covered on this site, especially those that have involved a penalty from the ICO, almost all of them involved human error. That is, I can't really recall a breach where someone caused the breach on purpose.
That "clear procedures were in place but not followed" appears to exacerbate the situation, in my opinion. In fact, if the procedures were so clear but ignored, couldn't one argue that this was not a case of human error?
Related Articles and Sites:
http://www.scotsman.com/news/health/140_000_fine_after_sending_child_data_to_wrong_people_1_2085605
http://www.databreaches.net/?p=23042
http://www.ico.gov.uk/news/latest_news/2012/midlothian-council-handed-penalty-five-serious-data-breaches-30012012.aspx
http://www.information-age.com/channels/information-management/news/1688338/ico-serves-scottish-council-with-record-140k-fine.thtml
http://www.zdnet.co.uk/news/security-management/2012/01/30/data-leaks-cost-midlothian-a-record-140k-fine-40094935/?s_cid=938