Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data Protection What Are We Doing? Alan Calder IT Governance Ltd NITES 24 February 2009 TM.

Similar presentations

Presentation on theme: "Data Protection What Are We Doing? Alan Calder IT Governance Ltd NITES 24 February 2009 TM."— Presentation transcript:

1 Data Protection What Are We Doing? Alan Calder IT Governance Ltd NITES 24 February 2009 TM

2 © IT Governance Ltd 2006 Welcome Alan Calder – my background and perspective –Businessman, not a lawyer –First ISO 27001 accredited certification in 1999 –IT Governance: a Managers Guide to Data Security and ISO 27001/ISO 27002, 4 th Edition (Open University Text Book) One-stop-shop for IT governance, risk management, compliance and information security: –Data Breaches: Trends, Costs and Best Practices provides lnformation on data breaches together with worldwide legal overview and best-practice guidance for staying on the right side of the law

3 TM © IT Governance Ltd 2006 Agenda International Compliance Environment Overview of the DPA and current requirements Best Practice compliance actions Enforcement Data Breaches – the current environment A closer look at the UK ICO Whats going wrong Some proposals for improvement Questions and answers.

4 TM © IT Governance Ltd 2005 4 International Compliance Environment Global information economy Internet-based threats – international exposure Outsourcing, e-commerce EU Data Protection Directive National Data Protection Acts UK Data Protection Act 1998 – US Regulation EU Safe Harbor Regulations (SEC) HIPAA, GLBA, SOX SB 1386, OPPA, state-level breach laws – Canada PIPEDA – OECD – Japan, Australia, South Africa and emerging economies Public companies: SOX Contractual requirements –PCI DSS

5 TM © IT Governance Ltd 2005 5 Data Protection – Europe & UK EU Data Protection Directive 1995 Data Protection Act 1998 Deals with personal information – related to living individuals (data subjects) –Eight Data Protection Principles 1.Fairly and lawfully processed; 2.Fairly and lawfully obtained; 3.Adequate, relevant and not excessive; 4.Accurate and up-to-date; 5.Not kept longer than necessary; 6.Processed only in accordance with the data subjects rights; 7.Kept safe and secure (appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data) 8.Not transferred to a country outside the EU unless there is at least a similar level of data protection available there. –7 th Principle compliance is critical for all EU organizations –8 th Principle affects any businesses with operations outside the EU US Safe Harbor regulations designed to assist, but very few US corporations meet the requirements Intersection with –Freedom of Information Act –Human Rights Act –Regulation of Investigatory Powers Act

6 TM Compliance Action & Best Practice Comply with the 8 principles of the DPA 1. Bring current practices into line with DPA a)Audit of current practices & analysis of gap between DPA and current practices a)The basics – is your registration up to date? b)Identify where information is stored, and how it is classified c)Ensure you can respond to an SAR d)Assess all mobile devices and extent of encryption e)Assess all technical & procedural aspects of data security management b)Remedial action 2. Maintain DPA compliance regime a)Internal audit plan b)Staff training and awareness c)Incident reporting and resolution 3. Develop an ISO27001 ISMS – demonstrates best practice in DPA compliance as well as achieving other business and information objectives 4. Prepare for BS10012 Specification for the Management of Personal Information in compliance with the DPA 6 © IT Governance Ltd 2005

7 TM Prepare for the worst Develop & test a data breach response plan a)Escalation and reporting procedures b)Breach response team c)Consider potential remedial measures d)Prepare PR and communications plan e)Review and learning points 7 © IT Governance Ltd 2005

8 TM All Time Top 10 Data Breaches 1. TJX – 94 million records – outside attack 2. US Dept of Veterans Affairs – 26.5 million records – outside attack 3. HMRC – 25 million records – internal incompetence 4. T-Mobile/Deutsche Telekom – 17 million records – lost disk 5. Archive Systems/Bank of New York – 12.5 million – lost backup tapes 6. GS Caltex – 11 million - lost CD 7. Dai Nippon Printing – 8.6 million – insider theft 8. Certegy Check Services/Fidelity Information Services – 8.5 million – insider theft 9. TD Ameritrade – 6.3 million – outside attack 10. Chilean Ministry of Education – 6 million – outside attack Source: http://datalossdb.org 8 © IT Governance Ltd 2005

9 TM Data Breaches – the UK Breaches since the HMRC incident in Nov 07 (ICO Press release 23 April 08): –Almost 100 data breaches notified 66% Public sector 30% private sector 4% voluntary sector –1/3 rd in central govt and related agencies –1/5 th in NHS organisations –Private sector: 50% in financial institutions Missing information includes: –Unencrypted laptops, computer discs, memory sticks –Paper records –Stolen, lost in the mail and while in transit with a courier –Includes financial and health details ICO Investigations –16 organisations required to make procedural changes to improve security 9 © IT Governance Ltd 2005

10 TM Data Breaches - Ireland Bank of Ireland –Lost unencrypted memory stick with the personal details of nearly 1,000 customers (Nov 2008) Bank of Ireland –Four unencrypted laptops stolen with the personal records of 10,000 customers (April 2008) HSE –Two unencrypted laptops gone missing (Sept 2008) Dept of Social & Family Affairs –Laptop with details of 390,000 citizens lost or stolen at the bus stop 10 © IT Governance Ltd 2005

11 TM Number of Incidents - Trend 11

12 TM Types of Data Breach 12

13 TM The Poynter Report Two major institutional deficiencies at HMRC: –Information security simpy wasnt a management priority –HMRC has an organisational design...which did not clearly focus on management accountability 45 separate high-level recommendations –Stronger policy and procedures –Stronger authorisation requirements –Better internal communication –Education, training & awareness –new systems –hundreds of detailed recommendations © IT Governance Ltd 2008 – this slide is published strictly without liability of any sort and does not provide specific legal guidance or advice and any user must therefore seek legal advice on the DPA and any associated issues from their own professional advisers 13

14 TM Whats going on? DPA Compliance cannot be demonstrated, so there is no way of improving the brand by claiming compliance DPA non-compliance brings: –No penalties –Cost savings CEOs and Top Management simply dont care No clear accountability for data security Inadequate investment in data security management –Minimal procedures for fair processing –Minimal training for data controllers –Minimal awareness and education for all users –Inadequate security Unencrypted laptops Unencrypted removable media Inadequate perimeter security –Minimal supervision and audit of third parties, third party agreements –PCI non-compliance 14 © IT Governance Ltd 2005

15 TM Costs of Identify Theft/Fraud Cybercrime – international $150 billion + industry US Identity theft up 22% in 2008 (Javelin Strategy & Research 2009 Report) –9.9 million cases –Total Cost US$48 billion Success – CIFAS 2008 ( –214,000 Fraud cases identified –£848 million losses avoided 15 © IT Governance Ltd 2005

16 TM ICO Legal Powers The Information Commissioner's Office has the following powers for enforcing DPA: –conduct assessments to check organisations are complying with the Act; –serve information notices requiring organisations to provide the Information Commissioner's Office with specified information within a certain time period; –serve enforcement notices and 'stop now' orders where there has been a breach of the Act, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law; –prosecute those who commit criminal offences under the Act; –conduct audits to assess whether organisations processing of personal data follows good practice. © IT Governance Ltd 2009 16

17 TM DPA – Criminal Offences Persistent breaches of the Act –A data controller who persistently breaches the Act and has been served with an enforcement notice can be prosecuted for failing to comply with a notice. This offence carries a maximum penalty of a £5,000 fine in the magistrates' court and an unlimited fine in the Crown Court. –Steps: Breach reported, enforcement notice served, only then can failure to comply lead to prosecution and maximum £5k fine Notification offences –A data controller who fails to notify the Information Commissioner's Office of the processing being undertaken or of any changes to that processing can be prosecuted. Failure to notify is a strict liability offence. This means that if a data controller has to notify, they must notify. Being unaware of the law is not an excuse. Unlawful obtaining or disclosing of personal information –It is a criminal offence to knowingly or recklessly obtain, disclose or procure the disclosure of personal information, without the consent of the data controller. 17 © IT Governance Ltd 2005

18 TM ICO Data Protection Activity ICO Data Protection Case Load 2008: 25,000 cases The business areas generating the most complaints are: –Lenders 33% –Public sector 18% Policing and criminal records 5% Central government 5% Local government 4% Health 4% –Other 7% –General business 7% –Telecoms 5% –Direct marketing 4% –Internet 3% Source: ICO Annual Report 2008 18 © IT Governance Ltd 2009

19 TM Reporting of breaches No legal obligation for data controllers to report breaches the Information Commissioner believes serious breaches should be brought to the attention of his Office Serious breaches are not defined Criteria for assessing seriousness: –Potential harm to data subjects –Volume of personal data lost/released/corrupted –Sensitivity of the data lost/released/unlawfully corrupted 19 © IT Governance Ltd 2009

20 TM DPA Enforcement – ICO Response ICO published guidance 27 March 2008 What will the Information Commissioners Office do when a breach is reported? The nature and seriousness of the breach and the adequacy of any remedial action will be assessed and a course of action determined. The ICO may: –Record the breach and take no further action, or –Investigate the circumstances of the breach and any remedial action. –This could lead to: 1. no further action, or 2.a requirement on the data controller to undertake a course of action to prevent further breaches, and/or 3.formal enforcement action turning such a requirement into a legal obligation The Information Commissioner does not have the power to impose a fine or other penalty as punishment for a breach. The regulators powers only extend to imposing obligations as to future conduct. 20 © IT Governance Ltd 2009

21 TM ICO Approach to Enforcement ICO published guidance 27 March 2008 We do not see it as our responsibility to publicise security breaches not already in the public domain or to inform any individuals affected. In so far as they arise these are the responsibilities of the data controller. However, the ICO may recommend the data controller to make a breach public where it is clearly in the interests of the individuals concerned or there is a strong public interest argument to do so. Where the Information Commissioner takes regulatory action, it is policy to publicise such action, unless there are exceptional reasons not to do so. This policy on publication extends to any formal undertakings provided to the Commissioner by a data controller. However the Commissioner will not normally take regulatory action unless a data controller declines to take any recommended action, he has other reasons to doubt future compliance or there is a need to provide reassurance to the public. Such a need is most likely to arise where the circumstances of the breach are already in the public domain. 21 © IT Governance Ltd 2009

22 TM ICO Achievements 2008 9 Enforcement notices for data protection breaches –Carphone Warehouse –Greater Manchester Police –Humberside Police –Lothian and Borders Police –Marks & Spencer –Northumbria Police –Staffordshire Police –Talk Talk Telecom –West Midlands Police. 9 Formal Undertakings not to breach the DPA –Dipesh Ltd – Littlewoods Shop Direct Home Shopping – Orange Personal Communications Services Limited – Phones 4 U – Skipton Financial Services – Sunfield – The Department of Health – The Foreign and Commonwealth Office – The Northern Ireland Office. 22 © IT Governance Ltd 2005

23 TM 23 ICO – New Enforcement Powers Criminal Justice and Immigration Act – royal assent in April 08 – two relevant clauses: 1. Increases penalties for data theft and trading in stolen information to a prison sentence –Requires a Ministerial order and resolutions from both Houses to come into force –ICO will have first have to prove that the trade in stolen information is widespread and pervasive. 2. Gives ICO powers to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the DPA. –Substantial: Nationwide £980k, Norwich Union £1.26m from FSA –Ministry of Justice now determining level of fines –Not retrospective –No custodial sentence (but Opposition parties narrowly averted from bringing this in!) © IT Governance Ltd 2005

24 TM Comparative budgets & resources HSEICO Front Line Staff1,325 Total Staff3,573261 Total Annual Budget£214 million17 million (DPA & FOI) Date of report1 April 20082008 24 © IT Governance Ltd 2005

25 TM What needs to happen? 1. ICO needs a real budget, with real resources - £200 million + 2. ICO needs powers to inspect and fine 3. BS10012 compliance should be explicitly recognised as DPA compliance 4. Loss of personal data on an unencrypted laptop or removable media should be prima facie evidence of reckless disregard of the DPA 5. Data Breach Legislation 1.With central notification 2.With cost indemnity and full support for victims 6. Custodial sentences for reckless breaches – for CEOs and senior civil servants 7. Custodial sentences for data theft and trading in stolen data. 25 © IT Governance Ltd 2009

26 TM 26 THANK YOU! Questions and Answers

Download ppt "Data Protection What Are We Doing? Alan Calder IT Governance Ltd NITES 24 February 2009 TM."

Similar presentations

Ads by Google