ICO Slams Council For Data Loss, Prepares For Fines

The Information Commissioner’s Office has criticised a city council for the loss of voter information, shortly before new powers to fine negligent organisations come into force.

St Albans City Council has been found in breach of the Data Protection Act by the Information Commissioner’s Office (ICO), after a laptop containing the details of postal voters was stolen from an office.

The data breach was announced shortly before the introduction of new powers next month for the ICO to administer fines of up to £500,000.

In a statement released this week, the ICO criticised the council for leaving the laptop concerned unsecured on a desk. The notebook computer, along with three other devices, was discovered to be missing in November 2009.

Contractor under suspicion

As is usual with minor breaches of the act, the head of the organisation has been asked to sign an undertaking to shape up the organisation’s security policies. In this case it appears that the devices may have been stolen by a contractor, as the undertaking contains specific advice that the council carry out checks on contractors’ staff.

The council also agreed to encrypt laptops and other portable devices used to store and transmit personal data. “When organisations store large volumes of personal details on portable computers, encryption is essential,” said Sally-anne Poole, head of enforcement and investigations at the ICO.

Poole added that the council should also take steps to educate staff about handling information securely. “They must ensure staff and contractors are trained to handle personal information securely to avoid the risk of information falling into the wrong hands,” she said. “It is also crucial organisations don’t keep personal information for longer than is necessary.”

Fines could catch companies out

New powers granted to the ICO by the government earlier this year are due to become law on 6 April. Companies that fall foul of the data breach laws now risk a maximum fine of £500,000. It is not clear at this time whether the same principle applies to government departments that lose sensitive data.

Some security experts have warned that UK companies may be caught out by the ICO’s new fines. A survey this week from Cyber-Ark Systems – which obviously has a vested interest in making dire predictions about the state of security planning – revealed that 65 percent of workers in the City of London questioned by the company had not received any warning from their company about the new regulations.

The survey also highlighted that 95 percent of workers believed they would take better care of data if they were personally responsible for any losses or theft. Commenting on the research, Cyber-Ark’s vice president of products and strategy Adam Bosnian said that education is obviously important, but so is having the right technology in place. “Organisations also need to control privileged users and accounts to protect sensitive information, such as customer data, from navigating its way into the wrong hands,” he said.

Earlier this month the ICO named and shamed Zurich Insurance for the loss, by its sister company Zurich Insurance Company South Africa, of an unencrypted backup tape containing the personal financial information of around 46,000 policyholders.