Since April this year the entire infosecurity industry in the UK and beyond has been waiting with baited breath for the dreaded £500,000 fine to be levied.

It is now August and yet with several high profile breaches, including that of Barnet Council and the Kent Police, made public, a financial penalty has yet to be issued by the ICO.

When Google revealed its Street View cars inadvertently collected data from unsecure Wi-Fi networks, the authorities in Germany, Australia and America were quick to take action.

And while it is not fair to lay all the blame at Google’s door – why were so many Wi-Fi networks left unsecure?? – we can’t ignore the fact that personally identifiable information was harvested by Street View without our knowledge.

The ICO visited Google HQ and examined a sample of the ‘payload’ only to find the information did not include “meaningful” details which could be linked to an individual.

They said in a statement: “As we have only seen samples of the records collected in the UK we recognise that other data protection authorities conducting a detailed analysis of all the payload data collected in their jurisdictions may nevertheless find samples of information which can be linked to identifiable individuals.

“However, on the basis of the samples we saw we are satisfied so far that it is unlikely that Google will have captured significant amounts of personal data”.

So while Google gets sued in the US, Street View cars are back on the beat in the UK, albeit this time without the offending antennas.

At least we can watch horse boy in Aberdeen, shark attacks in Oxford and Paddington Bear strolling down Trafalgar Square, while we wait for the ICO to bear its teeth.

Probably not.

Well what if I told you some of these data leaks cost you money.

Now I’ve got your attention.

It seems our very own Government is the biggest culprit of data storage equipment loss but it’s the average Joe tax payer that foots the bill.

According to figures, released by Lewis PR following a Freedom of Information request, between June 2008 and the end of May this year 340 laptops have been lost or stolen from Ministry of Defence staff, costing us a whopping £620,000.

A further 593 CDs, DVDs and floppy disks, 215 USB memory sticks, 96 hard-disk drives and 13 mobile phones also went missing.

And if that wasn’t bad enough, some of the stolen items weren’t encrypted so could be accessed by criminals.

Of 1,257 hi-tech items that disappeared from the MoD, a staggering 983 were not encrypted.

Yet only nine staff were disciplined over the losses.

The statistics also detailed a further 10 Governmental departments that incurred major data losses.  In fact more than 500 laptops were lost or stolen from 11 UK Whitehall departments during this period. 

These combined losses cost the tax payer approximately £777,854.29 in the last two years.

Only 17 staff members were disciplined over these incidents.

These are worrying statistics indeed particularly as many of the lost items were Blackberries, USB sticks and mobile phones.

In these days of heightened global security how can this amount of data be unencrypted? 

How can staff continue to be so lax with our private information?

If they’re that careless about their current equipment containing sensitive data, do they have a strictly audited security disposal policy for data destruction of these portable storage devices at their normal end-of-life?  Or do they just leave them lying around?

How long will the taxpayer be expected to pay for these mistakes?

I don’t know about the average Joe but I would rather have the money in my pocket…wouldn’t you?

The beauty of these models is you can do everything on the go – check emails, send texts, make calls, surf the net and even arrange your schedule.  It’s like carrying a mini laptop in your pocket.

But the problem with having so much information stored on your phone is that you have so much information stored on your phone.

Take a minute and think about how much personally identifiable information is on your phone.  Portable devices carry personal data relating to recent calls made, photos, emails, route from home to work, stored texts which are all potentially comprising data.

Now imagine your phone is lost or stolen.

Scary thought isn’t it.  Especially if you use the phone for business.

But it’s not just theft and loss that are dangerous.  Even the simply upgrading your phone can be hazardous.  Has your phone been completely wiped of all data?  That’s the risk you take when you hand in your old phone over for a shiny new replacement.

It is important, especially for those who store both personal and work related information on their smartphones, to ensure the data is secure.  It’s not enough to shred the storage devices from servers, laptops and PC’s, these handheld devices also need to be physically destroyed if they are no longer used.

It is vital that all categories of personally identifiable information are securely disposed of.

A new report from consultancy PwC this week found that a company’s employees are its best defence against security threats, and should be empowered and educated about technology risk including mobile phones.

So let’s all start by taking much more ‘personal accountability’ by looking after portable business data as carefully as you would your own personal filing cabinet.  You wouldn’t leave your last itemised phone bill, bank details, personal address book or photos lying around would you?

And beware of the honey trap.  Just ask Gordon Brown’s aide about securing his BlackBerry.

First it was Google.  The corporation with the most popular search engine in the world came under heavy fire after it was revealed its Street View cars inadvertently collected data from unsecured Wi-Fi networks.  Now Google is being sued across the globe and Australian Communications Minister Stephen Conroy has dubbed the incident possibly “the largest privacy breach in the history across western democracies”.

Then came Facebook.  The social networking site has been repeatedly criticised for its privacy controls and last week CEO Mark Zuckerberg finally acknowledged that they had “missed the mark” with their privacy settings.  They have now released new “simplified” privacy settings to fix the problem.

But is it fair to lay all the blame at the doors of Google and Facebook?

In the Google case there is a lesson to be learned here.  Why are so many of us not securing our home and business Wi-Fi networks? 

Anyone can sit outside your house or business and use your internet service to download your private information including bank account details, passwords, date of birth…the list goes on.

Securing your Wi-Fi network is vital whether it is at home or at work.  If you are a business owner ensure your employees are aware of your data security protocols and the dangers of unsecured wireless networks.  Nobody wants a staff member sharing private corporate information while using free Wi-Fi at the corner Starbucks.

With Facebook, the privacy settings were getting too complicated and steps needed to be taken to ensure users were fully aware of what information was private and what was not.

However how much information is too much to share on these sites? 

Most people include their name, date of birth, place of residence, relationship status, children’s names while others share much more including phone numbers, email addresses and corporate information.

How many times has someone on your friends list lost their mobile phone and posted their new number or in fact asked you to post your number to reload onto the new phone.   They wouldn’t normally contemplate leaving their address book lying around, so why publicise this type of personally identifiable information?

A seasoned fraudster could potentially use this information to bypass security questions about you…think about it how many of us use our date of birth or child’s name as a password?  Not to mention the number of Facebook ‘Friends’ who we have never met or even know.

While I agree Facebook needed to review the privacy controls, we need to review how much information we reveal online.

Poised to attack, the ICO is ready to dish out hefty fines to those who are careless with their data security.  But recent market research showed smaller SMEs were unaware of the ICO’s new powers.

For Northern Ireland companies unsure about the changes in the law there is a conference next month that can help. 

The Legal-Island Data Protection & Compliance Update Conference takes place on Thursday 3^rdJune at Dunsilly Hotel, Junction One in Antrim.  The full day event aims to arm organisations with all the very latest information on how to comply with the new measures and avoid the substantial monetary penalties now in force.

The conference will break down the responsibilities of organisations when processing employee or customer data, explain the new penalties and advise on data storage or disposal.  The afternoon session is broken into three streams – Customer Data, Marketing Both Online and Offline and Human Resources.  Delegates can choose which stream will benefit them the most.

Conferences like this are very beneficial for organisations particularly management staff and those in charge of sensitive information.  As I have said many times it is vital to educate staff on data protection and it is the responsibility of management to initiate and then enforce security protocols in the workplace.

If that hasn’t sold you perhaps one of the speakers will.  Catherine Vint, a senior investigator in the Information Commissioner’s Office Northern Ireland will be addressing the conference.  Where better to get advice on how to avoid the £500k fine than from the ICO itself?

And if that still hasn’t sold you – we’ll be there!  DiskShred are one of the sponsors and we’ll be exhibiting at the conference.  If you have any questions about secure data destruction feel free to drop by and say hello. 

Full conference details and prices can be found here.

The big story of the three-day exhibition was the ICO Deputy Commissioner David Smith’s opening address to delegates.  Not only did he name and shame the NHS as the worst culprit for data breaches but he warned plans to make some data breach notifications mandatory in the UK as part of a wider European directive are afoot.

The ICO Deputy Commissioner David Smith

He said the European Commission review of data laws will mean huge changes for organisations whose data security has been breached.

“Breach notification is on the agenda”, said Mr Smith.  “It’s coming for telecommunications companies, and there’s no logical reason to confine it to them.”

The UK will have data breach notification laws for the telecommunications sector within 18 months and the ICO expects this to roll out to other business organisations.

But perhaps the most surprising part of Mr Smith’s speech was his remarks regarding the ICO’s new penalty powers.

He said: “We have got some more powers now and are no longer the toothless tiger or bulldog we have been described as”.

He told the audience of exhibitors and delegates that the ICO were ready and willing to hand out fines to organisations who deliberately breach the Data Protection Act.

In fact Mr Smith even called for prison sentences for professional data thieves, including private investigators and employees who sell valuable information.

I took some time out from our stand to sit in on the address and when Mr Smith asked for questions from the floor I took the opportunity to pose the final question.

In light of recent market research, which showed smaller SMEs were unaware of the ICO’s new powers, I asked Mr Smith if he was concerned about these findings and if they planned to target a couple of offending organisations soon to help publicise their new ’super powers’.

He replied that while they recognised the need to highlight the new powers to fine small businesses, they would not set out to target any one particular organisation.  However his earlier comments on the NHS might suggest otherwise.

No one knows when the ICO will strike but one thing is for sure, it will happen organisations will be fined, despite all the warnings from InfoSec exhibitors.

Over 12,000 people attended the three day event and our stand was busy throughout.  We got more than 500 entries to our iPad giveaway, which was won by Rob Howell-Jones.

The busy DiskShred stand at InfoSec Europe 2010

Information Security expert and well known blogger /author Brian Honan of BH Consulting dropped by the DiskShred stand.  He attended the InfoSec exhibition to sign copies of his new book Implementing ISO27001 in a Windows 7 Environment on the IT Governance stand – his book is a must for every information security practitioner’s technical library.

Also Peter Hayes from the CCTM Secretariat (Claims Tested Mark awarding body on behalf of UK Government CESG) visited our stand to congratulate us on prominently promoting the CESG Claims Tested logo on the stand header.

InfoSec gave us time to network and meet fellow information security Tweeters and bloggers.  We met Tim Schraider and Maritz Cloete, two directors of CS Risk Management & Compliance in London, who are avid followers of DiskShred’s comments on Twitter.  It was great to put a face to the profile!

All in all it was a worthwhile experience for the DiskShred team.  I can only hope events like InfoSec Europe succeed in educating staff from all sectors and business organisations about the importance of information security and data protection.

Check out pics of the event on the InfoSec 2010 Flickr group.

Celebrating 15 years in the industry, this event is by far the biggest in the information security calendar with exhibitors from all over the world displaying their products.

But that’s not all InfoSec has to offer.

Unlike other industry events, InfoSec offers a free Education Programme.  This includes seminars, workshops and round table discussions featuring talks from some of the most influential security experts in the world.

New to this year’s line-up are the Discussion Den and Security Workshops.  The Discussion Den involves an interactive panel session debating various topics including cybercrime and mobile security.  No doubt the Caretower IT Specialists talk on Tried & Tested Methods Of Securing Funding For Your Security Projects will be popular.

The eagerly anticipated Security Workshops are proving very popular with organisers asking people to pre-register to attend.  The four themes are Data Leakage Prevention, Global Corporate Challenges, Online Security and Threats & Mitigation. 

I hope to get the opportunity to hear the keynote address by Deputy Information Commissioner David Smith, where he’ll discuss the ‘ins and outs’ of the new £500k data loss fines.

I am well aware that I may be preaching to the converted but I can’t help stressing the importance of events like InfoSec.  The exhibition is designed to educate businesses on data protection in the hope that they will return to their offices armed with the information and contacts they need to implement a security structure.

However in some cases, the very people who should be attending to learn more about protecting their reputation and their clients’ privacy are the ones who are probably careless about personal identifiable information and are likely to get hit with the wrath of the ICO.

So if you want to avoid a nasty fine, speak to the experts at InfoSec Europe…

And if you want to win a brand new Apple iPad visit us at stand E64!

Hope to see you there.

It’s time to wake up and smell the coffee – the ICO is ready, willing and able to impose these fines.  Do you want to incur the wrath of the ICO?  I didn’t think so. 

We are a leading on-site data disposal service with over nine years experience of secure data destruction so we know a little something about information security.  We have put together a guide to help businesses get their house in order and avoid a hefty fine.

1. First things first organisations need to be aware of the importance of data.  Whether it is trade secrets or personal customer information, a data breach can cause serious damage to a business – and not just financially.  When trust is lost it can be extremely difficult for a company to repair its reputation and this affects future business prospects.  Losing information is very serious, be aware of that.
2. There are some people out there who think the ICO won’t enforce the new powers but don’t be misled.  The new Information Commissioner Christopher Graham is poised to pounce.  He said: “Getting data protection right has never been more important than it is today…I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law.”
3. As I have talked about before, all staff must be educated on the importance of data protection.  Careless staff can cost a business dearly, security protocols must be in place to ensure the protection of information.  Just last month the personal details of 9000 school children were compromised after unencrypted CDs and USB sticks were stolen from a council employee’s home.  Fortunately for the council the incident occurred before the ICO powers came into force and they avoided a substantial penalty.
4. And that goes for the big wigs too.  There has to be corporate compliance to ensure a data loss does not occur.  The top dogs in any company must also take these measures seriously.  However as the recent Ponemon study revealed, that is not always the case.  The survey found that 53 per cent of British business managers have disengaged the encryption on their laptops.  This is hardly a good leadership example to set for their own staff.
5. The best way to know if your data protection policies are up to scratch is to test them.  Give your procedures a complete overhaul to ensure your data security and breach policies are running smoothly.  This includes website privacy, internal data, data retention, data disposal, portable information and the use of third parties.
6. When outsourcing services to a third party, whether it’s for hard drive shredding or encryptions, make sure all contracts meet your data security policies.  Ask the contractors for proof of pre-employment screening and 5-year security background checks (in compliance with BS7856:2006).  Also ask for proof that the chosen data destruction company is accredited to BSEN15713:2009 for Secure Destruction of Confidential Media or holds a CESG CCTM accreditation from the UK Government.
7. These days data can be stored on the smallest of devices.  CDs, USBs, PDAs and even Smartphones store an enormous amount of information but they are easily misplaced and could fall into the wrong hands.  It is important for businesses to enforce ‘don’t take home’ policies with staff to avoid loss or theft, and when these devices are deemed redundant dispose of them correctly, guaranteeing all data has been destroyed.
8. Greening your office is good for the environment but before donating old computer equipment make sure it has been professionally wiped and overwritten using software that meets an accredited standard, such as the CESG InfoSec IA Standard 5, otherwise significant data could end up in the wrong hands.  This point has been championed by European Data Protection Supervisor Peter Hustinx, who warned the EU’s proposal to recast the old WEEE (Waste Electrical and Electronic Equipment) Directive focuses too heavily on the environmental issues. He said: “It is important to take into account the potentially damaging effects of WEEE disposal on the protection of personal data stored in used equipment. Respect for security measures and a ‘privacy by design’ approach should be seen as essential pre-conditions in order to effectively guarantee the right to the protection of personal data.”
9. Trusting an outsider to dispose of data storage devices can be difficult for some companies.  Take control of your data disposal and insist on witnessing the destruction.  That way you know the job has been done.
10. Finally, information security is an ongoing process.  This isn’t a Spring clean quick fix.  Businesses need a long-term strategy to keep them and their customers secure.  I know it might sound like a broken record but it’s better to be safe than sorry, particularly when potentially up to £500k is at stake.

To discuss this further, we’ll be taking a stand at InfoSecurity Europe at Earl’s Court in London from 27^th – 29^th April.  Visit us at stand E64.

Credant Technologies, who conducted the survey amongst 100 dry cleaners across the UK, believe it’s not because users are more vigilant, instead they are downloading information onto other handy devices like netbooks and Smartphones.

Date loss from portable devices is still a huge problem.  The products are getting smaller and smaller making them easily mislaid or forgotten.

According to Credant, 4,500 memory sticks have been left in people’s pockets as they take their clothes to be washed at their local dry cleaners.

USB thumb drives have now joined wedding rings and lipsticks in the realm of dry cleaning lost and found.  But the data stored on these devices could prove priceless if they fall into the wrong hands.

The use of these gadgets does have significant business benefits especially for those who work from home or travel as part of their job.

However in these cases the onus is on the individual to ensure the data is protected particularly if the company hasn’t enforced an encryption policy on the devices.

In October last year Ashford and St Peter’s Hospitals NHS Trust informed the Information Commissioner’s Office that three unencrypted USB sticks containing sensitive patient information had been lost or stolen.  An investigation showed staff were unaware of their role in protecting patient information.

Can you trust your staff not to leave valuable data in their jacket pocket?

And we don’t think for a second that these sacred facts will be left on a train or posted to someone else’s address.

Are we to blame for being naive?  No we aren’t.  We take businesses into our confidence when we share this information and they are supposed to value this as much as we do.

Organisations aren’t putting enough effort and funds into the protection of personal information.  In the last few months alone details have emerged of new data leaks from city councils, hospital trusts, banks, lawyers, the Student Loans Company and even MI5.

From laptop theft through to careless disposal policies, it is clear many companies are leaving the protection of data to chance.

In response to this, the Information Commissioner’s Office issued The Privacy Dividend report, urging businesses to be proactive and invest in data protection protocols.

This is a complete turnaround.  At last there is a business case justification for proper investment in privacy protection rather than reactionary spending after the fact.

The report details a plan for businesses to assess and implement a protection plan for their data, whether it’s the calculation of the value of personal information to the benefits of privacy protection.

But these protections must be built into the company’s core business.  There are no halfway measures when it comes to protecting private information.

Having preventative measures in place will not only improve your compliance with the law but will also promote loyalty and reduce potential financial risks.

Trust is a tricky business – when you have it it’s invaluable but when you lose it, it’s nearly impossible to get back.