Since April this year the entire infosecurity industry in the UK and beyond has been waiting with baited breath for the dreaded £500,000 fine to be levied.

It is now August and yet with several high profile breaches, including that of Barnet Council and the Kent Police, made public, a financial penalty has yet to be issued by the ICO.

When Google revealed its Street View cars inadvertently collected data from unsecure Wi-Fi networks, the authorities in Germany, Australia and America were quick to take action.

And while it is not fair to lay all the blame at Google’s door – why were so many Wi-Fi networks left unsecure?? – we can’t ignore the fact that personally identifiable information was harvested by Street View without our knowledge.

The ICO visited Google HQ and examined a sample of the ‘payload’ only to find the information did not include “meaningful” details which could be linked to an individual.

They said in a statement: “As we have only seen samples of the records collected in the UK we recognise that other data protection authorities conducting a detailed analysis of all the payload data collected in their jurisdictions may nevertheless find samples of information which can be linked to identifiable individuals.

“However, on the basis of the samples we saw we are satisfied so far that it is unlikely that Google will have captured significant amounts of personal data”.

So while Google gets sued in the US, Street View cars are back on the beat in the UK, albeit this time without the offending antennas.

At least we can watch horse boy in Aberdeen, shark attacks in Oxford and Paddington Bear strolling down Trafalgar Square, while we wait for the ICO to bear its teeth.

Poised to attack, the ICO is ready to dish out hefty fines to those who are careless with their data security.  But recent market research showed smaller SMEs were unaware of the ICO’s new powers.

For Northern Ireland companies unsure about the changes in the law there is a conference next month that can help. 

The Legal-Island Data Protection & Compliance Update Conference takes place on Thursday 3^rdJune at Dunsilly Hotel, Junction One in Antrim.  The full day event aims to arm organisations with all the very latest information on how to comply with the new measures and avoid the substantial monetary penalties now in force.

The conference will break down the responsibilities of organisations when processing employee or customer data, explain the new penalties and advise on data storage or disposal.  The afternoon session is broken into three streams – Customer Data, Marketing Both Online and Offline and Human Resources.  Delegates can choose which stream will benefit them the most.

Conferences like this are very beneficial for organisations particularly management staff and those in charge of sensitive information.  As I have said many times it is vital to educate staff on data protection and it is the responsibility of management to initiate and then enforce security protocols in the workplace.

If that hasn’t sold you perhaps one of the speakers will.  Catherine Vint, a senior investigator in the Information Commissioner’s Office Northern Ireland will be addressing the conference.  Where better to get advice on how to avoid the £500k fine than from the ICO itself?

And if that still hasn’t sold you – we’ll be there!  DiskShred are one of the sponsors and we’ll be exhibiting at the conference.  If you have any questions about secure data destruction feel free to drop by and say hello. 

Full conference details and prices can be found here.

The big story of the three-day exhibition was the ICO Deputy Commissioner David Smith’s opening address to delegates.  Not only did he name and shame the NHS as the worst culprit for data breaches but he warned plans to make some data breach notifications mandatory in the UK as part of a wider European directive are afoot.

The ICO Deputy Commissioner David Smith

He said the European Commission review of data laws will mean huge changes for organisations whose data security has been breached.

“Breach notification is on the agenda”, said Mr Smith.  “It’s coming for telecommunications companies, and there’s no logical reason to confine it to them.”

The UK will have data breach notification laws for the telecommunications sector within 18 months and the ICO expects this to roll out to other business organisations.

But perhaps the most surprising part of Mr Smith’s speech was his remarks regarding the ICO’s new penalty powers.

He said: “We have got some more powers now and are no longer the toothless tiger or bulldog we have been described as”.

He told the audience of exhibitors and delegates that the ICO were ready and willing to hand out fines to organisations who deliberately breach the Data Protection Act.

In fact Mr Smith even called for prison sentences for professional data thieves, including private investigators and employees who sell valuable information.

I took some time out from our stand to sit in on the address and when Mr Smith asked for questions from the floor I took the opportunity to pose the final question.

In light of recent market research, which showed smaller SMEs were unaware of the ICO’s new powers, I asked Mr Smith if he was concerned about these findings and if they planned to target a couple of offending organisations soon to help publicise their new ’super powers’.

He replied that while they recognised the need to highlight the new powers to fine small businesses, they would not set out to target any one particular organisation.  However his earlier comments on the NHS might suggest otherwise.

No one knows when the ICO will strike but one thing is for sure, it will happen organisations will be fined, despite all the warnings from InfoSec exhibitors.

Over 12,000 people attended the three day event and our stand was busy throughout.  We got more than 500 entries to our iPad giveaway, which was won by Rob Howell-Jones.

The busy DiskShred stand at InfoSec Europe 2010

Information Security expert and well known blogger /author Brian Honan of BH Consulting dropped by the DiskShred stand.  He attended the InfoSec exhibition to sign copies of his new book Implementing ISO27001 in a Windows 7 Environment on the IT Governance stand – his book is a must for every information security practitioner’s technical library.

Also Peter Hayes from the CCTM Secretariat (Claims Tested Mark awarding body on behalf of UK Government CESG) visited our stand to congratulate us on prominently promoting the CESG Claims Tested logo on the stand header.

InfoSec gave us time to network and meet fellow information security Tweeters and bloggers.  We met Tim Schraider and Maritz Cloete, two directors of CS Risk Management & Compliance in London, who are avid followers of DiskShred’s comments on Twitter.  It was great to put a face to the profile!

All in all it was a worthwhile experience for the DiskShred team.  I can only hope events like InfoSec Europe succeed in educating staff from all sectors and business organisations about the importance of information security and data protection.

Check out pics of the event on the InfoSec 2010 Flickr group.

Celebrating 15 years in the industry, this event is by far the biggest in the information security calendar with exhibitors from all over the world displaying their products.

But that’s not all InfoSec has to offer.

Unlike other industry events, InfoSec offers a free Education Programme.  This includes seminars, workshops and round table discussions featuring talks from some of the most influential security experts in the world.

New to this year’s line-up are the Discussion Den and Security Workshops.  The Discussion Den involves an interactive panel session debating various topics including cybercrime and mobile security.  No doubt the Caretower IT Specialists talk on Tried & Tested Methods Of Securing Funding For Your Security Projects will be popular.

The eagerly anticipated Security Workshops are proving very popular with organisers asking people to pre-register to attend.  The four themes are Data Leakage Prevention, Global Corporate Challenges, Online Security and Threats & Mitigation. 

I hope to get the opportunity to hear the keynote address by Deputy Information Commissioner David Smith, where he’ll discuss the ‘ins and outs’ of the new £500k data loss fines.

I am well aware that I may be preaching to the converted but I can’t help stressing the importance of events like InfoSec.  The exhibition is designed to educate businesses on data protection in the hope that they will return to their offices armed with the information and contacts they need to implement a security structure.

However in some cases, the very people who should be attending to learn more about protecting their reputation and their clients’ privacy are the ones who are probably careless about personal identifiable information and are likely to get hit with the wrath of the ICO.

So if you want to avoid a nasty fine, speak to the experts at InfoSec Europe…

And if you want to win a brand new Apple iPad visit us at stand E64!

Hope to see you there.

It’s time to wake up and smell the coffee – the ICO is ready, willing and able to impose these fines.  Do you want to incur the wrath of the ICO?  I didn’t think so. 

We are a leading on-site data disposal service with over nine years experience of secure data destruction so we know a little something about information security.  We have put together a guide to help businesses get their house in order and avoid a hefty fine.

1. First things first organisations need to be aware of the importance of data.  Whether it is trade secrets or personal customer information, a data breach can cause serious damage to a business – and not just financially.  When trust is lost it can be extremely difficult for a company to repair its reputation and this affects future business prospects.  Losing information is very serious, be aware of that.
2. There are some people out there who think the ICO won’t enforce the new powers but don’t be misled.  The new Information Commissioner Christopher Graham is poised to pounce.  He said: “Getting data protection right has never been more important than it is today…I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law.”
3. As I have talked about before, all staff must be educated on the importance of data protection.  Careless staff can cost a business dearly, security protocols must be in place to ensure the protection of information.  Just last month the personal details of 9000 school children were compromised after unencrypted CDs and USB sticks were stolen from a council employee’s home.  Fortunately for the council the incident occurred before the ICO powers came into force and they avoided a substantial penalty.
4. And that goes for the big wigs too.  There has to be corporate compliance to ensure a data loss does not occur.  The top dogs in any company must also take these measures seriously.  However as the recent Ponemon study revealed, that is not always the case.  The survey found that 53 per cent of British business managers have disengaged the encryption on their laptops.  This is hardly a good leadership example to set for their own staff.
5. The best way to know if your data protection policies are up to scratch is to test them.  Give your procedures a complete overhaul to ensure your data security and breach policies are running smoothly.  This includes website privacy, internal data, data retention, data disposal, portable information and the use of third parties.
6. When outsourcing services to a third party, whether it’s for hard drive shredding or encryptions, make sure all contracts meet your data security policies.  Ask the contractors for proof of pre-employment screening and 5-year security background checks (in compliance with BS7856:2006).  Also ask for proof that the chosen data destruction company is accredited to BSEN15713:2009 for Secure Destruction of Confidential Media or holds a CESG CCTM accreditation from the UK Government.
7. These days data can be stored on the smallest of devices.  CDs, USBs, PDAs and even Smartphones store an enormous amount of information but they are easily misplaced and could fall into the wrong hands.  It is important for businesses to enforce ‘don’t take home’ policies with staff to avoid loss or theft, and when these devices are deemed redundant dispose of them correctly, guaranteeing all data has been destroyed.
8. Greening your office is good for the environment but before donating old computer equipment make sure it has been professionally wiped and overwritten using software that meets an accredited standard, such as the CESG InfoSec IA Standard 5, otherwise significant data could end up in the wrong hands.  This point has been championed by European Data Protection Supervisor Peter Hustinx, who warned the EU’s proposal to recast the old WEEE (Waste Electrical and Electronic Equipment) Directive focuses too heavily on the environmental issues. He said: “It is important to take into account the potentially damaging effects of WEEE disposal on the protection of personal data stored in used equipment. Respect for security measures and a ‘privacy by design’ approach should be seen as essential pre-conditions in order to effectively guarantee the right to the protection of personal data.”
9. Trusting an outsider to dispose of data storage devices can be difficult for some companies.  Take control of your data disposal and insist on witnessing the destruction.  That way you know the job has been done.
10. Finally, information security is an ongoing process.  This isn’t a Spring clean quick fix.  Businesses need a long-term strategy to keep them and their customers secure.  I know it might sound like a broken record but it’s better to be safe than sorry, particularly when potentially up to £500k is at stake.

To discuss this further, we’ll be taking a stand at InfoSecurity Europe at Earl’s Court in London from 27^th – 29^th April.  Visit us at stand E64.