Tag Archives: Data Protection Act

Communicating Data Breaches with Employees

Data breaches used to be rare. With the rise in ransomware activity, they are now becoming a daily occurrence. Major corporations like Sony, Domino’s and Home Depot have been hacked, and more data breaches are expected in the coming months and years. If, as an employer, you find yourself in the unfortunate situation of a data breach, how are you going to communicate it to your employees? What happens after the security breach?

Be Transparent

Employers should notify employees of the breach as soon as possible, once they have all the facts. Employees have the right to hear about the incident directly from the employer rather than from circulating rumours. At the same time, companies must make sure that workers keep the shared information strictly confidential, at least until the breach is officially announced.

An Inside Job?

It is essential to ensure that employees receive the right information in a timely fashion. Tell them that the relevant department has started investigating the matter, without divulging too much detail about the breach, so as not to alert the culprit in case it is an inside job.

An Outside Attack?

Share more detailed information about the breach (as it becomes available) if your investigation confirms that the cause is not internal, and update employees as frequently as possible. This will reassure workers who are worried about their personal information. Personal information such as addresses, social security numbers, dates of birth and salary details is a recipe for identity theft.

Personal Information

You need to think about the Data Protection Act (DPA). In the UK, for instance, businesses must adhere to the DPA, which requires employers holding personal information on their workers to keep that information safe and secure. Following the DPA is very helpful in avoiding information breaches.

Businesses must report data breaches to the Information Commissioner in the UK, and it makes sense for employers to inform and update their employees at the same time. If it is confirmed that employees’ personal information has been compromised, the employer should offer support to the affected employees: advice on what the next steps should be and what to do if an unauthorised credit card transaction appears on their account. Detailed procedures should be described so that victims can take immediate action whenever they face identity theft or an unauthorised bank transaction.

It is also worth developing a database of answers or providing a fully dedicated hotline so that staff can call and ask questions about the breach.

Official Press Release Statement

It is important to communicate with all employees, informing them that they are not authorised to speak to the press about the incident at any time. Tell them that this is standard procedure and that everyone should follow it, because the breach affects the company’s reputation and business.

Remember that data breaches are juicy stories. Reporters and bloggers love to write about them, and many true and false stories will be written. The key is to share the details with employees and issue an official press release. You can win the trust of your employees by sharing timely information with them; this gives them more confidence and they will not share the details outside the company. The last thing you want is for employees to learn about the breach from a third-party website or the traditional media.

UK’s ICO Data Protection Act

The UK Data Protection Act, enforced by the Information Commissioner’s Office (ICO), regulates the use of personal data held by commercial and non-commercial organisations as well as by individuals. Such data may have been acquired for many different reasons, and compliance is expected regardless. The ICO is an independent regulatory authority created to uphold information rights and protect personal privacy.

Basic Interpretative Provisions

The Data Protection Act defines “Data” as “information which—

(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,

(b) is recorded with the intention that it should be processed by means of such equipment,

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68,

(e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d)”.

The Data Protection Act further defines “Personal Data” as “data which relate to a living individual who can be identified—

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual”.

The Data Protection Act defines “Sensitive Personal Data” as personal data consisting of information as to—

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

The ICO has already levied penalties under the Data Protection Act for data breaches. The size of the fines shows that the ICO is serious about enforcing the act, and it continues to monitor violations and enforce the act’s provisions across the UK. For that reason, if you are a UK-based organisation engaged in a service that involves collecting information or data of any sort, you need to pay special attention to compliance under the act in order to avoid penalties and legal action. Compliance with the Data Protection Act is not optional; it is mandatory.

Non-Compliance is Very Expensive

For enterprises and businesses, compliance means that the company is following the laws and regulations that govern its business, personnel and clients. Compliance is not optional: it is obligatory for organisations, and departures from an act result in penalties.

Accounting scandals at a number of corporations made new legislation necessary, and the Sarbanes-Oxley Act was passed in response. As a result, non-compliant enterprises face penalties such as loss of D&O insurance, imprisonment, heavy fines and loss of their exchange listing. Investors, naturally, have little interest in non-compliant organisations. If CEOs or CFOs certify false financial reports, they face fines of one million dollars where the wrongdoing is not wilful and up to five million dollars where it is. In addition, CEOs and CFOs can be imprisoned for ten to twenty years, depending on the evidence presented.

HIPAA, the Health Insurance Portability and Accountability Act, applies to service providers in the health care sector and equally to their health care associates. Providers that fail to meet HIPAA’s requirements face severe penalties. Health care providers are punished when they ignore HIPAA standards: in such cases the Secretary (of Health and Human Services) may charge $100 to $50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.

Another important part of HIPAA concerns protected health information (PHI). When sensitive information such as patients’ PHI is disclosed, health care providers are penalised for their carelessness. Where the disclosure is wilful, the wrongdoer faces a fine of up to $50,000, up to a year’s imprisonment, or both. Where the violation is committed under false pretences, the fine rises to $100,000, with up to five years’ imprisonment, or both. Where the violation is committed for commercial gain, the fine is up to $250,000, with up to 10 years’ imprisonment, or both.

Penalties under PCI-DSS and data protection legislation can reach $500,000 for a data breach. Non-compliant companies not only pay fines but also face longer-lasting consequences: suspension of card processing, loss of business, staff costs during the recovery process, more detailed and frequent audit requirements, the printing and mailing costs of customer notifications, and loss of customer trust.

Non-compliant data controllers are also punished under the Data Protection Act. They are required to register and to follow the act in order to be qualified to process customers’ sensitive information. Data controllers who do not register can face litigation and penalties, and data controllers and agents who misuse personal client information in ways not permitted by the act can be charged under its civil or criminal sanctions.

In short, non-compliance can be terrible and costly for companies.

Asigra, the Best Cloud Backup Software, Powers BTL

In case you have not heard of Asigra, a disk-to-disk (D2D) data backup and vaulting solution, this article will introduce it. The Asigra solution has been designed to address many serious compliance needs and to provide cost-effective data protection. Its software manages data life cycles and allows speedy recovery of data. Organisations may need to replace remote-site backup and recovery procedures based on legacy tape with innovative backup systems that focus on the security of data in flight and at rest. Among the things that make Asigra an exceptional cloud backup solution are its hard-coded security, its agentless design and its WAN optimisation techniques.

Asigra’s unique selling proposition (USP) is its FIPS 140 certified cryptographic module. For stronger security, Asigra encrypts data on the fly and stores it in the vaults in encrypted form. Since Asigra’s launch in 1986, data stored under its software has never been breached. In addition, Asigra requires no open firewall ports, which is why it has never been hacked. Asigra’s strengths include user authentication, encryption, role-based access, secure offsite storage and granular reporting.

Asigra addresses security and data privacy with second-to-none technology and covers the major concerns of laws such as the Data Protection Act, the Sarbanes-Oxley Act and HIPAA. Asigra makes sure that data is captured properly and accurately, that it is processed lawfully and that access is limited to authorised personnel in the organisation. Data processing is defined so that it does not infringe the rights of the data owner. To ensure that all stipulations and provisions are adhered to, this disk-to-disk data vaulting solution enables data protection officers to respond quickly and simply to data owners’ queries and to establish periodic checks.

Asigra’s Televaulting solution protects and consolidates local, remote and branch office data to meet the terms of all the aforementioned legal mandates. To make it easy for organisations to comply with regulations that impose long retention periods, such as OSHA, Asigra offers secure long-term data retention. For legal discovery and compliance, Asigra allows much faster data access and recovery. Asigra’s data lifecycle management technology also makes sure that data that needs to be destroyed is dealt with swiftly, using proper controls and primary data preservation policies.

The Asigra architecture has been recognised by industry experts as a leading cloud backup and storage solution, with many industry firsts in the areas of automation, efficiency and security. This reduces tedious backup chores and makes it easy to set up onsite and offsite data capture, migrate data from local servers to cloud-based servers and form compliant backup strategies. Asigra also gives the user complete control over backed-up data and accommodates changes in strategy.

We at Backup Technology Limited (BTL) are proud to have been a 3D Hybrid Partner of Asigra since 2010. Please visit Asigra’s website for more information: www.asigra.com.

NI Department of Justice Fined by ICO after Data Breach

Northern Ireland’s Department of Justice has suffered an embarrassing data breach which has resulted in it being hit with a £185,000 fine by the Information Commissioner’s Office (ICO). The fine was reduced to £148,000 for early payment.

The data breach occurred when one of the department’s agencies, the Northern Ireland Compensation Agency, sent 59 locked filing cabinets without keys to auction, without checking what was in them beforehand.

Once the person who bought one of the filing cabinets at auction had managed to break into it, he contacted the police upon realising what it contained. The cabinet was full of confidential paperwork dating from the 1970s to 2005, including personal details of victims of a terrorist attack, the injuries they suffered and the amount of compensation they had been offered.

The Police Service of Northern Ireland took the documents and handed them back to the department, which in turn reported the incident to the ICO.

After the ICO’s investigation, the Department of Justice stated that it is confident none of the data was compromised, as the cabinet remained locked until the purchaser forced it open. The department is also confident that none of the other filing cabinets contained any files, and was keen to stress that it cooperated openly with the ICO as soon as it knew about the breach.

Justice Minister David Ford stated, “I, and my Department, take the security of personal data very seriously and accept that this was a breach of the Data Protection Act and should not have happened. We informed the Information Commissioner as soon as we became aware of the breach. The Justice Committee was also subsequently made aware.”

Ford added, “The Department has co-operated fully with the Information Commissioner and paid the penalty imposed. This was an unfortunate breach of data security caused by simple human error and not a systemic problem within the Department. We are satisfied that none of the information was compromised and none of the other cabinets sold contained any files.”

Ford concluded, “Detailed procedures have now been implemented to ensure that, in future, any personal data contained in furniture that is being disposed of will be dealt with securely.”

Ken Macdonald, the ICO’s assistant commissioner for Northern Ireland, believes that the fine imposed is appropriate given the potential harm this data breach could have caused had the data fallen into the wrong hands.

Macdonald stated, “This is clearly a very serious case. While failing to check the contents of a filing cabinet before selling it may seem careless, the nature of the information typically held by this organisation made the error all the more concerning. The distress that could have been caused to victims and their families had this fallen into the wrong hands is self-evident.”

This latest security breach shows that it is now imperative for companies to have a strict data security plan in place which is followed and fully understood by all employees. This is another incident where, had the department been proactive rather than reactive in ensuring that appropriate procedures were in place, it would have saved itself a significant amount of money and reputational damage.

Scottish Health Boards Suffer 806 Data Breaches in Last Five Years

The Scottish Health Boards suffered 806 data breaches between 2009 and 2013. These range from data loss and data leaks to breaches of the Data Protection Act.

The figures were obtained and revealed by the Scottish Liberal Democrats through Freedom of Information requests. More concerning still, the number of data breaches rose from 86 incidents in 2009 to 223 in 2013.

With such a high number of data breaches there is invariably a wide range of different types, which makes it much harder for the Scottish Government to implement regulations and to ensure that they are all adhered to.

Incidents that have resulted in a data breach within the last five years include documents being sent to the wrong address and being left in public places such as car parks and on public transport. In one such incident, in NHS Greater Glasgow and Clyde in July 2013, a folder containing information relating to 60 patients was found by a member of the public at a bus stop. The folder was handed in at a nearby hospital.

Such statistics are a cause for concern, especially given the drastic increase in data breach incidents over a five-year period. As a result, the Scottish Lib Dems have appealed to the Scottish Government to ensure that the Scottish Health Boards are given adequate support to keep confidential data secure.

Jim Hume, a Scottish Lib Dem health spokesman, stated, “NHS staff work extremely hard under an enormous amount of pressure but there must be a vigilant approach when it comes to protecting confidential patient information. The Health Secretary must ensure that NHS boards are given the support needed to learn lessons and prevent further breaches of patient confidentiality. We have no choice but to trust the people looking after our families to look after their personal details too.”

Hume added, “Whilst the year-on-year rise in incidents may be due to an increase in reporting, this should make health boards all the more aware of the scale of the problem. In one instance, a patient was given the pregnancy record of another patient. Our figures also show a number of important patient records and notes were lost. Some of those that were found had been left in public places where anyone could have read that private information.”

Hume concluded, “A mistake here or there might not seem much but the bigger picture is one of patient information being lost across Scotland. The Health Secretary must explain what he is doing to address this.”

The Scottish Government has responded, stating that it is already taking action to help reduce the number of data breaches within the Scottish Health Boards.

A spokesman stated, “We take patient confidentiality and security of patient information very seriously and believe any data breach is unacceptable. All health boards are required to have robust procedures in place to secure patient information and staff should be given ongoing training in data protection.”

The spokesman added, “All mobile devices holding any patient data are now encrypted so, even if a laptop is stolen, patient information cannot be accessed; boards are installing a new tool to pinpoint staff who are accessing information they are not entitled to see; and health boards are rapidly moving from paper files to encrypted devices.”

The spokesman concluded, “In the interests of greater transparency and to make data breach statistics easier to interpret, the Scottish Government plans to introduce a severity scale and national reporting mechanisms in line with recommendations made by Dame Fiona Caldicott. This should also lead to more clarity on data breaches and other security matters.”

With incidents this varied, it is very hard to pinpoint why there have been so many data breaches. It will take time for the Scottish Government’s actions to take effect and to see how much they help to reduce the number of breaches.

It is all well and good introducing policies and regulations, but staff also need to be educated about data security. This will help them understand the importance of following the regulations and minimise the number of simple mistakes that are made.
