Brighton and Sussex University Hospitals NHS is facing a fine of £375,000 for breaching the UK's Data Protection Act (DPA). Confidential information on tens of thousands of people was exposed when decommissioned hard drives were stolen. Like I've often noted, hard disk encryption like AlertBoot is not just for laptops and external hard drives. Full desktop encryption is a good idea as well.
Update (12 JAN 2012): phiprivacy.net notes that the thief actually worked for Sussex Health Informatics Service, the company in charge of disposing of the hard drives. This makes it an internal attack, which is one of the hardest types of data breaches to avoid. And yet, this is the breach that has garnered the dubious honor of receiving the highest ICO penalty to date. I can only assume that I've overlooked something. Issuing some kind of penalty is warranted. Like I noted in my conclusion, the use of encryption would have prevented the situation from ever developing into a data breach. But, the largest penalty to date?
Brighton and Sussex University Hospitals NHS is facing the largest penalty the Information Commissioner's Office has assessed to date. The trust will contest the fine, noting that they were the victims of a crime. To which I would remark, being victimized doesn't absolve one from his responsibilities.
One of the surprising things about this story is that the ICO is assessing a fine that has no precedent or structure. Supposedly, the ICO doles out its penalties based on what kind of message it's trying to send. According to theargus.co.uk, "tens of thousands" of people were affected by this breach.
And yet, when A4e lost a laptop and affected 24,000 people, it only got fined £60,000.
I don't understand how having been a victim of a crime merits a larger penalty than being cavalier with sensitive data (in the A4e case, the laptop was stolen from an employee's house. It might not be as bad as leaving it at a McDonald's or a car break-in, but come on. You're allowing an employee to go about with sensitive data and haven't encrypted it? That's being careless).
One could argue that holding a massive number of drives merits extra security. But, ultimately, the severity of a data breach lies not in the number of devices involved, but in the number of people affected by the breach. I guess you could also raise fines because people are not paying attention, so you need to send a stronger message: the A4e fine was handed down in November 2010. If Brighton and Sussex didn't do anything in the past year...well, the original message didn't take, did it?
The hard drives were, according to theargus.co.uk, stored "in a locked store at Brighton General Hospital where they were being decommissioned." One thousand (1,000) hard drives were decommissioned. It's safe to assume, I'd say, that some, if not most, of the hard drives were used in desktop computers.
The decommissioned drives were to be disposed of by Sussex Health Informatics Service. They didn't do a good job, apparently, because four of them ended up for sale on eBay. A subsequent investigation showed that a total of 232 drives were stolen (all were eventually recovered).
Disposed. It's a tricky word. Technically, hard drives could be disposed of and still show up on auction sites. After all, disposed doesn't necessarily mean "destroyed," which is what one generally does with sensitive data, and why destroy equipment that still works if you can sell it and recoup some of your sunk-in costs?
When reselling equipment that used to store sensitive data, you have to make sure it's done correctly... and by "correctly" I don't mean making sure you're not scammed out of your money after the sale. Rather, I mean not selling hard drives while sensitive information is still technically retrievable from them.
Of course, you don't want to sell hard drives that visibly contain sensitive documents. However, you also don't want to sell hard drives where files can be retrieved (resuscitated, if you will). When it comes to computers, you can (a) "delete" files or you can (b) write over them.
The former, a misnomer, doesn't really delete the file; it merely marks the disk space where the document was stored as "free to use," meaning eventually it will get written over with new files: word processing files, spreadsheets, images, what have you. However, when it will be written over is up to the computer. Conceivably, the "deleted" file could still be reclaimed 5 years after the fact.
The latter, "write over them", is what computer technicians and data privacy laws mean when referring to "deleting data." Data in a computer is only truly erased when a computer's storage sector is written over (replaced) with new data.
That's why full disk encryption is valuable when it comes to data security. With encryption, the data on the drive is stored in a garbled state. By supplying a password or other means of access, that garbled information is "made normal" temporarily, so you can work with it. Once the computer is shut off, only the garbled form remains on the drive.
If Brighton and Sussex University Hospitals NHS had used encryption software to protect its computers' hard drives, it wouldn't be in its current position. Patient data would have been protected during the lifetime of the computer as well as afterwards, when it was marked for disposal (pulling the disk drive from computers wouldn't have affected the encryption state).
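To make the "delete" versus "write over" distinction concrete, and to show why an encrypted drive sidesteps the problem entirely, here is an added example that is not part of the original post and is not AlertBoot's code. It simulates a tiny disk image with a filesystem allocation bitmap: an ordinary delete only flips bitmap bits, so a raw scan of the image (what a buyer or forensic tool does with a second-hand drive) still finds the record; overwriting the free blocks actually removes it; and with full-disk encryption only ciphertext ever reaches the platter. The per-block keystream from HMAC-SHA256 is a toy stand-in for a real disk cipher such as AES-XTS, the patient record is a constructed sample, and the key is a fixed constructed value rather than one derived from a passphrase.

```python
import hashlib
import hmac

BLOCK = 64          # bytes per toy disk block
NBLOCKS = 16        # a 1 KiB "drive" is enough to demonstrate the point

# Constructed sample record (not real patient data), long enough to span two blocks.
PATIENT_RECORD = b"PATIENT: Jane Doe | NHS no. 000 000 0000 | diagnosis: constructed sample"

# Constructed, fixed demo key; a real deployment derives this from a passphrase or a TPM.
DEMO_KEY = hashlib.sha256(b"constructed demo key").digest()


def keystream(key, idx):
    """Per-block keystream from HMAC-SHA256 in counter mode: a toy stand-in for AES-XTS."""
    return b"".join(
        hmac.new(key, idx.to_bytes(4, "big") + bytes([n]), hashlib.sha256).digest()
        for n in range(BLOCK // 32)
    )


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class ToyDisk:
    """A raw image plus the filesystem bookkeeping that 'delete' actually touches."""

    def __init__(self):
        self.image = bytearray(BLOCK * NBLOCKS)   # the platter
        self.free = [True] * NBLOCKS              # allocation bitmap ("free to use" markers)
        self.files = {}                           # name -> list of block indexes

    def write_file(self, name, data, key=None):
        blocks = []
        for off in range(0, len(data), BLOCK):
            idx = self.free.index(True)
            chunk = data[off:off + BLOCK].ljust(BLOCK, b"\0")
            if key is not None:                   # encryption: only ciphertext reaches the platter
                chunk = xor(chunk, keystream(key, idx))
            self.image[idx * BLOCK:(idx + 1) * BLOCK] = chunk
            self.free[idx] = False
            blocks.append(idx)
        self.files[name] = blocks

    def read_file(self, name, key=None):
        out = b""
        for idx in self.files[name]:
            chunk = bytes(self.image[idx * BLOCK:(idx + 1) * BLOCK])
            if key is not None:
                chunk = xor(chunk, keystream(key, idx))
            out += chunk
        return out.rstrip(b"\0")

    def delete_file(self, name):
        """Ordinary delete: flips the bitmap bits, leaves the bytes on the platter."""
        for idx in self.files.pop(name):
            self.free[idx] = True

    def overwrite_free_space(self):
        """Sanitisation: replace every free block with zeros, which is what 'erase' really means."""
        for idx, is_free in enumerate(self.free):
            if is_free:
                self.image[idx * BLOCK:(idx + 1) * BLOCK] = bytes(BLOCK)

    def raw_scan(self, needle):
        """Read the raw image and ignore the filesystem, as a buyer or forensic tool would."""
        return needle in self.image


def delete_only_recoverable():
    disk = ToyDisk()
    disk.write_file("record.txt", PATIENT_RECORD)
    disk.delete_file("record.txt")
    return disk.raw_scan(b"Jane Doe")            # True: the record is still on the platter


def overwrite_recoverable():
    disk = ToyDisk()
    disk.write_file("record.txt", PATIENT_RECORD)
    disk.delete_file("record.txt")
    disk.overwrite_free_space()
    return disk.raw_scan(b"Jane Doe")            # False: the blocks were actually replaced


def encrypted_disk_check():
    disk = ToyDisk()
    disk.write_file("record.txt", PATIENT_RECORD, key=DEMO_KEY)
    leaked = disk.raw_scan(b"Jane Doe")          # False: raw image holds only ciphertext
    readable = disk.read_file("record.txt", key=DEMO_KEY) == PATIENT_RECORD  # True for the key holder
    return leaked, readable


if __name__ == "__main__":
    print("delete only, raw scan finds record:", delete_only_recoverable())
    print("overwrite, raw scan finds record:  ", overwrite_recoverable())
    print("encrypted (leaked, readable):      ", encrypted_disk_check())
```

The raw scan is the check worth keeping in mind before any drive leaves the building: it is the same thing a scrupulous disposal contractor (or an unscrupulous buyer) can do with a drive image, and it is the only way to confirm that "disposed of" actually meant "erased." With the encrypted drive, the scan comes up empty even though nothing was ever wiped, which is the point of the post: pulling the drive out of the desktop changes nothing about what is readable on it.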
Related Articles and Sites:
http://www.phiprivacy.net/?p=8776
http://www.theargus.co.uk/news/9462435.Patient_details_on_stolen_hard_drives/