AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

ICO Issues Penalties To North Somerset And Worcestershire Councils

The UK's Information Commissioner has assessed penalties of £80,000 and £60,000 to Worcestershire County Council and North Somerset Council, respectively.  These fines were assessed for sending emails to the wrong recipients.  Of course, there is nothing that a laptop encryption software solution like AlertBoot could have done to prevent this.  Perhaps email encryption could have made an impact.  Well, at least in one of the cases.

Worcestershire County Council

Worcestershire County Council was fined £80,000 for a March 2011 incident.  An employee emailed sensitive information to 23 people who shouldn't have been recipients of the electronic missive.  The situation arose because an additional email list (containing the addresses of the 23) was added to the email by accident.

The employee realized the mistake immediately and tried to contain the situation. The effort succeeded, probably only because the recipients also worked in similar organizations.

It was not revealed how many people were affected by the breach, only that it involved "a large number of vulnerable people."  I hope it involved a lot of people because...well, otherwise, this is the reason for the penalty (my emphasis):

Enquiries by the ICO found that Worcestershire County Council had failed to take appropriate measures to guard against the unauthorised processing of personal data, such as providing employees with appropriate training and clearly distinguishing between internal and external email distribution lists. The council had also failed to properly consider an alternative means of handling the information, such as holding it in a secure system that could only be accessed by members of staff who needed to see it.

80,000 quid for not officially separating internal and external email lists?  There are companies who've been fined less for more.

North Somerset Council

North Somerset Council was fined £60,000 and, of the two cases, is the more entertaining one.  In November and December 2010, a North Somerset employee sent an email to an NHS employee.  The NHS employee alerted the sender to the error.  After this, the NHS employee was emailed a further three times.

At this point, the NHS employee must have done something because two North Somerset Assistant Directors talked to their employee about the continued data breaches.  A fifth email was sent to the NHS employee that very same day.

Of the five emails, two of them contained sensitive and confidential information.

The incident occurred because the NHS employee was added to a mailing list by mistake.

Mitigating Circumstances

The Information Commissioner had this to say about the two incidents (my emphasis, ico.gov.uk):

"Personal information in cases involving vulnerable people is about the most sensitive personal information imaginable. It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils. It was fortunate that in both cases at least the email recipients worked in a similar sector and so were used to handling sensitive information. This mitigating factor has been taken into account in assessing the amount of the penalties."

Apparently, it wasn't much of a mitigating factor if the penalties are that big.  It should be noted that the amount is one of the lowest to date, but larger than the one assessed on the one private company that was fined to date.


Related Articles and Sites:
http://www.csoonline.com/article/695362/ico-fines-councils-after-serious-email-data-breaches
http://www.guardian.co.uk/government-computing-network/2011/nov/28/ico-fines-worcestershire-north-somerset-data-breaches?newsfeed=true
http://www.ico.gov.uk/news/latest_news/2011/monetary-penalties-served-to-councils-for-serious-email-errors-28112011.aspx
http://www.publicservice.co.uk/feature_story.asp?id=18195

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.