260 likes | 459 Vues
TM. Data Protection What Are We Doing?. Alan Calder IT Governance Ltd NITES 24 February 2009. Welcome. Alan Calder – my background and perspective Businessman, not a lawyer First ISO 27001 accredited certification in 1999
E N D
TM Data ProtectionWhat Are We Doing? Alan CalderIT Governance Ltd NITES 24 February 2009
Welcome • Alan Calder – my background and perspective • Businessman, not a lawyer • First ISO 27001 accredited certification in 1999 • IT Governance: a Manager’s Guide to Data Security and ISO 27001/ISO 27002, 4th Edition (Open University Text Book) www.itgovernance.co.uk/products/4 • One-stop-shop for IT governance, risk management, compliance and information security: www.itgovernance.co.uk • Data Breaches: Trends, Costs and Best Practices provides lnformation on data breaches together with worldwide legal overview and best-practice guidance for staying on the right side of the law www.itgovernance.co.uk/products/1615 © IT Governance Ltd 2006
Agenda • International Compliance Environment • Overview of the DPA and current requirements • Best Practice compliance actions • Enforcement • Data Breaches – the current environment • A closer look at the UK ICO • What’s going wrong • Some proposals for improvement • Questions and answers. © IT Governance Ltd 2006
International Compliance Environment • Global information economy • Internet-based threats – international exposure • Outsourcing, e-commerce • EU Data Protection Directive • National Data Protection Acts • UK Data Protection Act 1998 • US Regulation • EU Safe Harbor Regulations (SEC) • HIPAA, GLBA, SOX • SB 1386, OPPA, state-level breach laws • Canada • PIPEDA • OECD – Japan, Australia, South Africa and emerging economies • Public companies: SOX • Contractual requirements • PCI DSS © IT Governance Ltd 2005
Data Protection – Europe & UK • EU Data Protection Directive 1995 • Data Protection Act 1998 • Deals with personal information – related to living individuals (data subjects) • Eight Data Protection Principles • Fairly and lawfully processed; • Fairly and lawfully obtained; • Adequate, relevant and not excessive; • Accurate and up-to-date; • Not kept longer than necessary; • Processed only in accordance with the data subject’s rights; • Kept safe and secure (“appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”) • Not transferred to a country outside the EU unless there is at least a similar level of data protection available there. • 7th Principle compliance is critical for all EU organizations • 8th Principle affects any businesses with operations outside the EU • US Safe Harbor regulations designed to assist, but very few US corporations meet the requirements • Intersection with • Freedom of Information Act • Human Rights Act • Regulation of Investigatory Powers Act © IT Governance Ltd 2005
Compliance Action & Best Practice • Comply with the 8 principles of the DPA • Bring current practices into line with DPA • Audit of current practices & analysis of gap between DPA and current practices • The basics – is your registration up to date? • Identify where information is stored, and how it is classified • Ensure you can respond to an SAR • Assess all mobile devices and extent of encryption • Assess all technical & procedural aspects of data security management • Remedial action • Maintain DPA compliance regime • Internal audit plan • Staff training and awareness • Incident reporting and resolution • Develop an ISO27001 ISMS – demonstrates best practice in DPA compliance as well as achieving other business and information objectives • Prepare for BS10012 Specification for the Management of Personal Information in compliance with the DPA © IT Governance Ltd 2005
Prepare for the worst © IT Governance Ltd 2005 • Develop & test a data breach response plan • Escalation and reporting procedures • Breach response team • Consider potential remedial measures • Prepare PR and communications plan • Review and learning points
All Time Top 10 Data Breaches © IT Governance Ltd 2005 • TJX – 94 million records – outside attack • US Dept of Veterans Affairs – 26.5 million records – outside attack • HMRC – 25 million records – internal incompetence • T-Mobile/Deutsche Telekom – 17 million records – lost disk • Archive Systems/Bank of New York – 12.5 million – lost backup tapes • GS Caltex – 11 million - lost CD • Dai Nippon Printing – 8.6 million – insider theft • Certegy Check Services/Fidelity Information Services – 8.5 million – insider theft • TD Ameritrade – 6.3 million – outside attack • Chilean Ministry of Education – 6 million – outside attack • Source: http://datalossdb.org
Data Breaches – the UK © IT Governance Ltd 2005 • Breaches since the HMRC incident in Nov 07 (ICO Press release 23 April 08): • Almost 100 data breaches notified • 66% Public sector • 30% private sector • 4% voluntary sector • 1/3rd in central govt and related agencies • 1/5th in NHS organisations • Private sector: 50% in financial institutions • Missing information includes: • Unencrypted laptops, computer discs, memory sticks • Paper records • Stolen, ‘lost in the mail’ and ‘while in transit’ with a courier • Includes financial and health details • ICO Investigations • 16 organisations required to make procedural changes to improve security
Data Breaches - Ireland • Bank of Ireland • Lost unencrypted memory stick with the personal details of nearly 1,000 customers (Nov 2008) • Bank of Ireland • Four unencrypted laptops stolen with the personal records of 10,000 customers (April 2008) • HSE • Two unencrypted laptops ‘gone missing’ (Sept 2008) • Dept of Social & Family Affairs • Laptop with details of 390,000 citizens ‘lost or stolen at the bus stop’ © IT Governance Ltd 2005
The Poynter Report • Two major institutional deficiencies at HMRC: • ‘Information security simpy wasn’t a management priority’ • ‘HMRC has an organisational design...which did not clearly focus on management accountability’ • 45 separate high-level recommendations • Stronger policy and procedures • Stronger authorisation requirements • Better internal communication • Education, training & awareness • new systems • ‘hundreds of detailed recommendations’ www.hm-treasur y.gov.uk/d/poynter_review250608.pdf © IT Governance Ltd 2008 – this slide is published strictly without liability of any sort and does not provide specific legal guidance or advice and any user must therefore seek legal advice on the DPA and any associated issues from their own professional advisers
What’s going on? • DPA Compliance cannot be demonstrated, so there is no way of improving the brand by claiming compliance • DPA non-compliance brings: • No penalties • Cost savings • CEOs and Top Management simply don’t care • No clear accountability for data security • Inadequate investment in data security management • Minimal procedures for fair processing • Minimal training for data controllers • Minimal awareness and education for all users • Inadequate security • Unencrypted laptops • Unencrypted removable media • Inadequate perimeter security • Minimal supervision and audit of third parties, third party agreements • PCI non-compliance © IT Governance Ltd 2005
Costs of Identify Theft/Fraud © IT Governance Ltd 2005 • Cybercrime – international $150 billion + industry • US Identity theft up 22% in 2008 (Javelin Strategy & Research 2009 Report) • 9.9 million cases • Total Cost US$48 billion • Success – CIFAS 2008 (www.cifas.org.uk) • 214,000 Fraud cases identified • £848 million ‘losses avoided’
ICO Legal Powers • The Information Commissioner's Office has the following powers for enforcing DPA: • conduct assessments to check organisations are complying with the Act; • serve information notices requiring organisations to provide the Information Commissioner's Office with specified information within a certain time period; • serve enforcement notices and 'stop now' orders where there has been a breach of the Act, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law; • prosecute those who commit criminal offences under the Act; • conduct audits to assess whether organisations processing of personal data follows good practice. © IT Governance Ltd 2009
DPA – Criminal Offences • Persistent breaches of the Act • A data controller who persistently breaches the Act and has been served with an enforcement notice can be prosecuted for failing to comply with a notice. This offence carries a maximum penalty of a £5,000 fine in the magistrates' court and an unlimited fine in the Crown Court. • Steps: Breach reported, enforcement notice served, only then can failure to comply lead to prosecution and maximum £5k fine • Notification offences • A data controller who fails to notify the Information Commissioner's Office of the processing being undertaken or of any changes to that processing can be prosecuted. Failure to notify is a strict liability offence. This means that if a data controller has to notify, they must notify. Being unaware of the law is not an excuse. • Unlawful obtaining or disclosing of personal information • It is a criminal offence to knowingly or recklessly obtain, disclose or procure the disclosure of personal information, without the consent of the data controller. © IT Governance Ltd 2005
ICO Data Protection Activity • ICO Data Protection Case Load 2008: 25,000 cases • The business areas generating the most complaints are: • Lenders 33% • Public sector 18% • Policing and criminal records 5% • Central government 5% • Local government 4% • Health 4% • Other 7% • General business 7% • Telecoms 5% • Direct marketing 4% • Internet 3% Source: ICO Annual Report 2008 © IT Governance Ltd 2009
Reporting of “breaches” • No legal obligation for data controllers to report breaches • “the Information Commissioner believes serious breaches should be brought to the attention of his Office” • “Serious breaches” are not defined • Criteria for assessing seriousness: • Potential harm to data subjects • Volume of personal data lost/released/corrupted • Sensitivity of the data lost/released/unlawfully corrupted © IT Governance Ltd 2009
DPA Enforcement – ICO Response • ICO published guidance 27 March 2008 • What will the Information Commissioner’s Office do when a breach is reported? • The nature and seriousness of the breach and the adequacy of any remedial action will be assessed and a course of action determined. The ICO may: • Record the breach and take no further action , or • Investigate the circumstances of the breach and any remedial action . • This could lead to: • no further action, or • a requirement on the data controller to undertake a course of action to prevent further breaches, and/or • formal enforcement action turning such a requirement into a legal obligation • The Information Commissioner does not have the power to impose a fine or other penalty as punishment for a breach. The regulator’s powers only extend to imposing obligations as to future conduct. © IT Governance Ltd 2009
ICO Approach to Enforcement © IT Governance Ltd 2009 • ICO published guidance 27 March 2008 • “We do not see it as our responsibility to publicise security breaches not already in the public domain or to inform any individuals affected. In so far as they arise these are the responsibilities of the data controller. “ • “However, the ICO may recommend the data controller to make a breach public where it is clearly in the interests of the individuals concerned or there is a strong public interest argument to do so. “ • “Where the Information Commissioner takes regulatory action, it is policy to publicise such action, unless there are exceptional reasons not to do so. This policy on publication extends to any formal undertakings provided to the Commissioner by a data controller. “ • “However the Commissioner will not normally take regulatory action unless a data controller declines to take any recommended action, he has other reasons to doubt future compliance or there is a need to provide reassurance to the public. Such a need is most likely to arise where the circumstances of the breach are already in the public domain. “
ICO ‘Achievements’ 2008 • 9 Enforcement notices for data protection breaches • Carphone Warehouse • Greater Manchester Police • Humberside Police • Lothian and Borders Police • Marks & Spencer • Northumbria Police • Staffordshire Police • Talk Talk Telecom • West Midlands Police. • 9 Formal Undertakings not to breach the DPA • Dipesh Ltd • Littlewoods Shop Direct Home Shopping • Orange Personal Communications Services Limited • Phones 4 U • Skipton Financial Services • Sunfield • The Department of Health • The Foreign and Commonwealth Office • The Northern Ireland Office. © IT Governance Ltd 2005
ICO – New Enforcement Powers Criminal Justice and Immigration Act – royal assent in April 08 – two relevant clauses: • Increases penalties for data theft and trading in stolen information to a prison sentence • Requires a Ministerial order and resolutions from both Houses to come into force • ICO will have first have to prove that the trade in stolen information is widespread and pervasive. • Gives ICO powers to impose substantial fines on organisations that ‘deliberately’ or ‘recklessly’ commit serious breaches of the DPA. • ‘Substantial’: Nationwide £980k, Norwich Union £1.26m from FSA • Ministry of Justice now determining level of fines • Not retrospective • No custodial sentence (but Opposition parties narrowly averted from bringing this in!) © IT Governance Ltd 2005
Comparative budgets & resources © IT Governance Ltd 2005
What needs to happen? © IT Governance Ltd 2009 • ICO needs a real budget, with real resources - £200 million + • ICO needs powers to inspect and fine • BS10012 compliance should be explicitly recognised as DPA compliance • Loss of personal data on an unencrypted laptop or removable media should be prima facie evidence of reckless disregard of the DPA • Data Breach Legislation • With central notification • With cost indemnity and full support for victims • Custodial sentences for reckless breaches – for CEOs and senior civil servants • Custodial sentences for data theft and trading in stolen data.
THANK YOU! Questions and Answers