Data Protection What Are We Doing? Alan Calder IT Governance Ltd NITES 24 February 2009 TM.

Data ProtectionWhat Are We Doing?

Alan CalderIT Governance Ltd

NITES24 February 2009

TM

TM

© IT Governance Ltd 2006

Welcome

• Alan Calder – my background and perspective– Businessman, not a lawyer– First ISO 27001 accredited certification in 1999– IT Governance: a Manager’s Guide to Data Security and ISO 27001/ISO 27002,

4th Edition (Open University Text Book) www.itgovernance.co.uk/products/4

• One-stop-shop for IT governance, risk management, compliance and information security: www.itgovernance.co.uk

– Data Breaches: Trends, Costs and Best Practices

provides lnformation on data breaches together with

worldwide legal overview and best-practice guidance

for staying on the right side of the law

www.itgovernance.co.uk/products/1615

TM


Agenda

• International Compliance Environment• Overview of the DPA and current requirements• Best Practice compliance actions• Enforcement• Data Breaches – the current environment• A closer look at the UK ICO• What’s going wrong• Some proposals for improvement• Questions and answers.

TM


4

International Compliance Environment

• Global information economy • Internet-based threats – international exposure• Outsourcing, e-commerce• EU Data Protection Directive

• National Data Protection Acts• UK Data Protection Act 1998

– US Regulation• EU Safe Harbor Regulations (SEC)• HIPAA, GLBA, SOX• SB 1386, OPPA, state-level breach laws

– Canada• PIPEDA

– OECD – Japan, Australia, South Africa and emerging economies• Public companies: SOX

• Contractual requirements– PCI DSS

TM


5

Data Protection – Europe & UK

• EU Data Protection Directive 1995• Data Protection Act 1998• Deals with personal information – related to living individuals (data subjects)

– Eight Data Protection Principles 1. Fairly and lawfully processed;2. Fairly and lawfully obtained;3. Adequate, relevant and not excessive;4. Accurate and up-to-date;5. Not kept longer than necessary;6. Processed only in accordance with the data subject’s rights;7. Kept safe and secure (“appropriate technical and organizational measures shall be taken against unauthorized

or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”)

8. Not transferred to a country outside the EU unless there is at least a similar level of data protection available there.

– 7th Principle compliance is critical for all EU organizations– 8th Principle affects any businesses with operations outside the EU

• US Safe Harbor regulations designed to assist, but very few US corporations meet the requirements

• Intersection with – Freedom of Information Act– Human Rights Act– Regulation of Investigatory Powers Act

TM

Compliance Action & Best Practice

• Comply with the 8 principles of the DPA1. Bring current practices into line with DPA

a) Audit of current practices & analysis of gap between DPA and current practicesa) The basics – is your registration up to date?

b) Identify where information is stored, and how it is classified

c) Ensure you can respond to an SAR

d) Assess all mobile devices and extent of encryption

e) Assess all technical & procedural aspects of data security management

b) Remedial action

2. Maintain DPA compliance regimea) Internal audit plan

b) Staff training and awareness

c) Incident reporting and resolution

3. Develop an ISO27001 ISMS – demonstrates best practice in DPA compliance as well as achieving other business and information objectives

4. Prepare for BS10012 Specification for the Management of Personal Information in compliance with the DPA

6


TM

Prepare for the worst

• Develop & test a data breach response plana) Escalation and reporting procedures

b) Breach response team

c) Consider potential remedial measures

d) Prepare PR and communications plan

e) Review and learning points

7


TM

All Time Top 10 Data Breaches

1. TJX – 94 million records – outside attack

2. US Dept of Veterans Affairs – 26.5 million records – outside attack

3. HMRC – 25 million records – internal incompetence

4. T-Mobile/Deutsche Telekom – 17 million records – lost disk

5. Archive Systems/Bank of New York – 12.5 million – lost backup tapes

6. GS Caltex – 11 million - lost CD

7. Dai Nippon Printing – 8.6 million – insider theft

8. Certegy Check Services/Fidelity Information Services – 8.5 million – insider theft

9. TD Ameritrade – 6.3 million – outside attack

10.Chilean Ministry of Education – 6 million – outside attack

• Source: http://datalossdb.org

8


TM

Data Breaches – the UK

• Breaches since the HMRC incident in Nov 07 (ICO Press release 23 April 08):– Almost 100 data breaches notified

• 66% Public sector• 30% private sector• 4% voluntary sector

– 1/3rd in central govt and related agencies

– 1/5th in NHS organisations

– Private sector: 50% in financial institutions

• Missing information includes:– Unencrypted laptops, computer discs, memory sticks

– Paper records

– Stolen, ‘lost in the mail’ and ‘while in transit’ with a courier

– Includes financial and health details

• ICO Investigations– 16 organisations required to make procedural changes to improve security

9


TM

Data Breaches - Ireland

• Bank of Ireland– Lost unencrypted memory stick with the personal details of nearly 1,000

customers (Nov 2008)

• Bank of Ireland– Four unencrypted laptops stolen with the personal records of 10,000

customers (April 2008)

• HSE – Two unencrypted laptops ‘gone missing’ (Sept 2008)

• Dept of Social & Family Affairs– Laptop with details of 390,000 citizens ‘lost or stolen at the bus stop’

10


TM

Number of Incidents - Trend

11

TM

Types of Data Breach

12

TM

The Poynter Report

• Two major institutional deficiencies at HMRC:– ‘Information security simpy wasn’t a management priority’

– ‘HMRC has an organisational design...which did not clearly focus on management accountability’

• 45 separate high-level recommendations– Stronger policy and procedures

– Stronger authorisation requirements

– Better internal communication

– Education, training & awareness

– new systems

– ‘hundreds of detailed recommendations’www.hm-treasur y.gov.uk/d/poynter_review250608.pdf

© IT Governance Ltd 2008 – this slide is published strictly without liability of any sort and does not provide specific legal guidance or advice and any user must therefore seek legal

advice on the DPA and any associated issues from their own professional advisers 13

TM

What’s going on?

• DPA Compliance cannot be demonstrated, so there is no way of improving the brand by claiming compliance

• DPA non-compliance brings:– No penalties– Cost savings

• CEOs and Top Management simply don’t care

• No clear accountability for data security

• Inadequate investment in data security management– Minimal procedures for fair processing– Minimal training for data controllers– Minimal awareness and education for all users– Inadequate security

• Unencrypted laptops• Unencrypted removable media• Inadequate perimeter security

– Minimal supervision and audit of third parties, third party agreements – PCI non-compliance

14© IT Governance Ltd 2005

TM

Costs of Identify Theft/Fraud

• Cybercrime – international $150 billion + industry

• US Identity theft up 22% in 2008 (Javelin Strategy & Research 2009 Report)– 9.9 million cases– Total Cost US$48 billion

• Success – CIFAS 2008 (www.cifas.org.uk) – 214,000 Fraud cases identified– £848 million ‘losses avoided’

15


TM

ICO Legal Powers

• The Information Commissioner's Office has the following powers for enforcing DPA:

– conduct assessments to check organisations are complying with the Act; – serve information notices requiring organisations to provide the Information

Commissioner's Office with specified information within a certain time period; – serve enforcement notices and 'stop now' orders where there has been a

breach of the Act, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law;

– prosecute those who commit criminal offences under the Act; – conduct audits to assess whether organisations processing of personal data

follows good practice.


16

TM

DPA – Criminal Offences

• Persistent breaches of the Act– A data controller who persistently breaches the Act and has been served with an

enforcement notice can be prosecuted for failing to comply with a notice. This offence carries a maximum penalty of a £5,000 fine in the magistrates' court and an unlimited fine in the Crown Court.

– Steps: Breach reported, enforcement notice served, only then can failure to comply lead to prosecution and maximum £5k fine

• Notification offences– A data controller who fails to notify the Information Commissioner's Office of the processing

being undertaken or of any changes to that processing can be prosecuted. Failure to notify is a strict liability offence. This means that if a data controller has to notify, they must notify. Being unaware of the law is not an excuse.

• Unlawful obtaining or disclosing of personal information– It is a criminal offence to knowingly or recklessly obtain, disclose or procure the disclosure

of personal information, without the consent of the data controller.


TM

ICO Data Protection Activity

• ICO Data Protection Case Load 2008: 25,000 cases

• The business areas generating the most complaints are:– Lenders 33%– Public sector 18%

• Policing and criminal records 5%

• Central government 5%

• Local government 4%

• Health 4%

– Other 7%– General business 7%– Telecoms 5%– Direct marketing 4%– Internet 3%

Source: ICO Annual Report 2008

18


TM

Reporting of “breaches”

• No legal obligation for data controllers to report breaches

• “the Information Commissioner believes serious breaches should be brought to the attention of his Office”

• “Serious breaches” are not defined

• Criteria for assessing seriousness:– Potential harm to data subjects– Volume of personal data lost/released/corrupted– Sensitivity of the data lost/released/unlawfully corrupted

19


TM

DPA Enforcement – ICO Response

• ICO published guidance 27 March 2008• What will the Information Commissioner’s Office do when a breach is reported?

• The nature and seriousness of the breach and the adequacy of any remedial action will be assessed and a course of action determined. The ICO may:

– Record the breach and take no further action , or– Investigate the circumstances of the breach and any remedial action . – This could lead to:

1. no further action, or

2. a requirement on the data controller to undertake a course of action to prevent further breaches, and/or

3. formal enforcement action turning such a requirement into a legal obligation

• The Information Commissioner does not have the power to impose a fine or other penalty as punishment for a breach. The regulator’s powers only extend to imposing obligations as to future conduct.

20


TM

ICO Approach to Enforcement

• ICO published guidance 27 March 2008• “We do not see it as our responsibility to publicise security breaches not already in the public

domain or to inform any individuals affected. In so far as they arise these are the responsibilities of the data controller. “

• “However, the ICO may recommend the data controller to make a breach public where it is clearly in the interests of the individuals concerned or there is a strong public interest argument to do so. “

• “Where the Information Commissioner takes regulatory action, it is policy to publicise such action, unless there are exceptional reasons not to do so. This policy on publication extends to any formal undertakings provided to the Commissioner by a data controller. “

• “However the Commissioner will not normally take regulatory action unless a data controller declines to take any recommended action, he has other reasons to doubt future compliance or there is a need to provide reassurance to the public. Such a need is most likely to arise where the circumstances of the breach are already in the public domain. “

21


TM

ICO ‘Achievements’ 2008

• 9 Enforcement notices for data protection breaches– Carphone Warehouse– Greater Manchester Police– Humberside Police– Lothian and Borders Police– Marks & Spencer– Northumbria Police– Staffordshire Police– Talk Talk Telecom

– West Midlands Police.

• 9 Formal Undertakings not to breach the DPA– Dipesh Ltd – Littlewoods Shop Direct Home Shopping– Orange Personal Communications Services Limited– Phones 4 U– Skipton Financial Services– Sunfield– The Department of Health– The Foreign and Commonwealth Office– The Northern Ireland Office.


TM

23

ICO – New Enforcement Powers

Criminal Justice and Immigration Act – royal assent in April 08 – two relevant clauses:

1. Increases penalties for data theft and trading in stolen information to a prison sentence– Requires a Ministerial order and resolutions from both Houses to come into force

– ICO will have first have to prove that the trade in stolen information is widespread and pervasive.

2. Gives ICO powers to impose substantial fines on organisations that ‘deliberately’ or ‘recklessly’ commit serious breaches of the DPA.– ‘Substantial’: Nationwide £980k, Norwich Union £1.26m from FSA

– Ministry of Justice now determining level of fines

– Not retrospective

– No custodial sentence (but Opposition parties narrowly averted from bringing this in!)


TM

Comparative budgets & resources

HSE ICO

Front Line Staff 1,325

Total Staff 3,573 261

Total Annual Budget £214 million 17 million (DPA & FOI)

Date of report 1 April 2008 2008

24


TM

What needs to happen?

1. ICO needs a real budget, with real resources - £200 million +

2. ICO needs powers to inspect and fine

3. BS10012 compliance should be explicitly recognised as DPA compliance

4. Loss of personal data on an unencrypted laptop or removable media should be prima facie evidence of reckless disregard of the DPA

5. Data Breach Legislation1. With central notification

2. With cost indemnity and full support for victims

6. Custodial sentences for reckless breaches – for CEOs and senior civil servants

7. Custodial sentences for data theft and trading in stolen data.

25


TM

26

THANK YOU!

Questions and Answers

Data Protection What Are We Doing? Alan Calder IT Governance Ltd NITES 24 February 2009 TM.

Documents

tm data breaches

data protection principles

data subjects rights

tm slide

individuals data subjects

information security

uk breaches

th principle compliance