This changes everything….

Every so often something comes along that really does change how things work, and last week it happened again; the implications are far-reaching for the IT industry.

As you may be aware, the Information Commissioner’s Office (ICO) has begun to issue fines for breaches of the Data Protection Act (DPA). Given the large number of published data losses, this cannot come soon enough for the general public.

Last week another set of fines was issued, to Ealing Council at £80,000 and Hounslow Council at £70,000; you can read the full story here. What is so special about this case is that it involved the loss of two unencrypted laptops, one from each council, containing the details of around 1,700 individuals, stolen from an employee’s home. Ealing Council provides an out-of-hours service on behalf of both councils, which is operated by nine staff who work from home. The team receive contact from a variety of sources and rely on laptops to record information about individuals. Ealing Council was found to be in breach of the DPA because it had issued an unencrypted laptop to a member of staff, which was in breach of its own policies. This process had been established for a number of years and insufficient checks were made to ensure that the relevant policies were understood and adhered to by employees. Hounslow Council was found to have breached the DPA because it had failed to have a written contract in place with Ealing Council, and it also did not monitor the procedures Ealing Council had established to operate the service securely.

You may be wondering why this changes everything. As an outsourced IT service provider there may be occasions where you have to remove a laptop, desktop or server from site in order to repair the equipment, a normal everyday IT activity. What this case could mean is that if that device is then lost or stolen while in your possession, and it is not encrypted, you will potentially share equal liability for the data loss. Since that liability can include a rather hefty fine of up to £500,000, not to mention the bad press that would go with it, the impact on your business could be catastrophic.

The question now is, what are you going to do to mitigate your risk? Please feel free to drop a comment in on this, as I would love to hear your thoughts.

– Rob


7 Comments

  1. February 21, 2011

    Rob – excellent point, and you’re to be commended on bringing this to the attention of your peers in the IT community.

    We in the IT industry have long since realised that the value of data contained on IT equipment outstretches the value of the hardware itself, although the majority of the general public still need educating on this.

    My feeling is that IT providers should be doing three things.

    One – making sure they’re behaving in a professional manner with the correct Insurance policies in place, including Professional Indemnity. This is especially important for the smaller IT providers who might think this sort of insurance isn’t needed at their level.

    Two – advising clients of the options they have in the field of encryption and data security. There are a number of both simple to use and inexpensive options nowadays.

    Three – we, as IT providers, should do as the Americans say and “eat our own dog food”. That is to say, if we’re preaching the values of encryption and data security to clients, then we should be actively using those technologies and techniques ourselves.

    Great blog Rob, keep up the good work!

  2. February 21, 2011

    I don’t think we have gone too far down this path in the US, but I imagine that it won’t be long before we get to enjoy the same sort of liability.

    If all drives are encrypted, it raises the level of expense for the equipment needed to either do the encryption or manage it. Plus, when you have a hardware failure, especially on the drive, it also adds an order of magnitude to the complexity of repair.

    Hopefully we all have a good (and encrypted) backup image, but unless we are using something that takes periodic incrementals (such as ShadowProtect or AppAssure), we will all want to recover data from the hard drive so we do not lose a day’s work.

    With all of this added complexity and indemnity, will our billing rate increase proportionally?

  3. February 21, 2011

    Rob,

    As Richard said, thank you for bringing it to our attention; we all know that the IT community is at risk on a daily basis from a variety of legislation. This is a story that has come to a head as it involves two councils and public money, so the duty of care is highlighted, and rightly so. For every one that is reported and in the public domain, how many are not reported?

    It is the responsibility of us within the community to create best practice and benchmarking through the various peer groups and on and offline communities that we are all involved in.

    Creating internal procedures within our own IT organisations and then communicating this through to our customers and starting/creating open discussion and debate can actually create a business opportunity to upsell/cross sell additional security products and services.

  4. admin
    February 21, 2011

    Randy,

    As you say, in encrypting client data we do add another level of complexity when things go wrong. This in turn will inevitably drive up costs to the client as well as increase the time required to resolve issues. In the short term I believe that this will create a situation whereby some clients will be ‘driven’ to lower-cost providers that do not acknowledge or understand the implications that this new precedent brings. They will only understand when things go wrong, which is inevitably when it is too late.

    Rob

  5. admin
    February 21, 2011

    Richard,

    As always, these are very wise words. Sadly, in this type of situation it is unlikely that insurance will cover this, nor will the other points, though this is open to debate. I believe that there are only two ways in which you can truly cover yourself:
    1) Do not remove any equipment which contains information covered under the DPA from the client’s site.
    2) Have a written contract in place which covers all of these aspects.

    Although, to be honest, I believe that only in the first instance will you be fully covered; like I say, just my opinion.

    Rob

  6. February 25, 2011

    Rob,

    As service providers, I agree that you now walk a tightrope with your customers on this issue. Encryption, and resolving an issue in the event of hardware failure, is, as has been pointed out, a time-consuming exercise. However, does it cost £80 per record retrieved, which is the average cost thus far (four fines in total have now been issued by the ICO) for each record lost? Your customers naturally are trying to keep costs low and productivity high; without the right explanation and an open-minded approach from your customer, you do run the risk of pushing them towards less diligent IT professionals who will of course either a) not bring this issue up or b) suggest that TrueCrypt or other free software is certified and thus will do the job. If your software is not FIPS 140-2 or 197 certified then it is not recognised as being a valid protection method.

    http://www.ico.gov.uk/news/current_topics/Our_approach_to_encryption.aspx

    I believe the only way forward is education and information auditing.

    Understand which of the data your customer owns is covered by the DPA.
    Where is it on their network?
    Who has access to it?
    Does it leave the network?

    From these simple questions you can understand and highlight the machines that will cause you, as service professionals, issues if you were to remove them and then subsequently lose the data. This way you can mark the boundaries between your customers’ liability and your own. Not knowing will not save you from a fine here.

    Educating your customers as to the risk is probably more difficult, although the news story that Rob highlights, and the one back in November involving an SME which lost one laptop with 24,000 records on it, may help with this. However, you will always get customers who will fix the problem after the event and will either do nothing or look for an alternative provider. Although paying customers are the cornerstone of any business, you must consider how good a customer they are if they are prepared to run this risk and put your business at risk also.

    As for insurance, I agree with you Rob that the insurers will not want to pay out for a negligent breach of regulatory compliance; we can be assured that if anyone is taking steps to cover themselves then these guys probably already have, in anticipation of a wave of these fines, which no doubt will be regular news stories. Insurers don’t cover you against a speeding fine or a parking ticket.

    There is a test case in the making somewhere here, and I don’t think anyone wants to be sat in the ICO’s dock when this does happen.

    Rob great post! Would you like a copy of my Data Protection Act guidance and questionnaire document?

    James
