Tuesday 28 October 2014

Printer problems?

HP produced a very interesting article on printer security and the potential risks, particularly with a network printer. The link below will take you to the article.

http://h20435.www2.hp.com/t5/HP-BusinessReady/Is-your-printer-putting-sensitive-data-at-risk/ba-p/89690#.VEVg3fl4rtw


Sunday 19 October 2014

Data protection breaches and how they happen - but not to you if you follow the tips!

The news is filled with details of data protection breaches or, as they are sometimes called, information security breaches. The word "breach" conjures up an image of someone deliberately hacking your system to access your valuable data. Data protection breaches have increased over the last 10 years, and the information being sought is the basic personal information about individuals that can be found in the databases and filing cabinets of many businesses and can easily be used for identity theft.

In reality, breaches just as commonly occur as a result of human error from inside the organisation. These usually result from a lack of training and understanding. They could be through the loss or theft of laptops, tablets, portable drives or work mobile phones. A common mistake is emailing information to the wrong address or posting it where it can be seen by the general public on the internet. In addition there are poor disposal procedures, especially for paper records, where they are simply thrown in the general rubbish rather than securely shredded. Old office equipment such as filing cabinets has been disposed of with the files still in it!

So, top tips for keeping your data safe:
  • Ensure you have adequate passwords on your files and change them frequently.
  • Limit personal information access to those who need it to do their jobs.
  • Set up systems to ensure that database contents cannot be sent via email.
  • Ensure that there is adequate training in place to support your staff.
  • When disposing of old paper files, ensure they are shredded by a reputable company.
  • When disposing of old office equipment, make sure that there is no personal information in it.
  • Have a process in place to effectively deal with any breaches or compromises that occur.

Saturday 11 October 2014

7 Lessons to be learned from the Swale Council Email disclosure

In the news this week Swale Council admit that they sent the email addresses of 2500 residents to other residents in an email. See the link for the newspaper report.

http://www.kentonline.co.uk/sittingbourne/news/council-may-face-action-over-24879/

This is an easy error to make if there is insufficient guidance or training around emails.

So here are our 7 top tips to stop you making the same costly mistake:

  • Who has access to your database?
One of the principles of the Data Protection Act is that the information should only be made available to those who need to see it.
  • Who has the final approval for emails being sent out to the mailing list?
Who is checking the emails before the send button is pushed? We all know how easy it is to make a mistake in an email and only realise it just after you have sent it. My usual mistake is forgetting to attach a file.
  • What's your email policy?
Does your email policy allow emails to be sent to large groups of people from your main system? If so, there should be a practice in place which limits the number of addresses that any single email can be sent to. This will reduce the potential for error. This is different from emails being sent via a mailing package such as MailChimp, because such a package automatically ensures the security settings meet Data Protection requirements.
  • How often are staff reminded of the email protocols?
It's great to have a process in place but completely useless if the staff who might need to use it are unaware of it. In a large staff team, it is good practice to have regular training around data protection and this should include information around email protocols. Records of the training should be maintained, including the date and the names of the staff who attended.
  • Can you create controls in the email system which limit the number of addresses?
In larger organisations the IT system can sometimes be sophisticated enough to limit the number of addressees an email can be sent to. This is to stop emails being sent to large groups of people and being treated as spam.
  • What happens following the breach?
How you handle a breach will be considered as part of any ICO investigation. The type of breach dictates the action to be taken. You should try to notify those whose information is affected of the details of the incident and provide advice where necessary on what will happen next and any action the individual may need to take. Ideally, have a written plan setting out what you will do in the event of a breach, as this will save time when it happens and you won't need to work out what you should be doing.
  • Do I need to report the breach to the ICO?
This depends on the extent and severity of the breach: how many people the information related to and what the information was. If it is the email addresses of 5 people, then no, you would not need to report it. If it is the health records of 5 people, then you would need to report it. At the time of a breach you need to seek advice to ensure that further breaches do not occur and that the breach is dealt with professionally and effectively.
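The tips above ask for a control in the email system that limits how many addresses a single message can be sent to, and the Swale Council incident itself came from addresses being visible to every recipient. The following is an added example, not code from the original post or from any council or mail product: a small pre-send guard, written in Python, that counts the addresses visible in To and Cc, refuses any message over a policy limit, and, for bulk notices, moves every address into Bcc so recipients cannot see one another. The limit of 10, the sender address and the resident addresses are all constructed for the example; a hypothetical internal mail tool would call guard_outbound() before handing the message to its mail server.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed policy value: the most addresses allowed in To/Cc, i.e. visible
# to every other recipient. Real mail systems set this centrally; the number
# here is an assumption for the example.
VISIBLE_RECIPIENT_LIMIT = 10


def _addresses(msg, *headers):
    """Parsed addresses from the named headers (empty list if none present)."""
    raw = []
    for name in headers:
        raw.extend(msg.get_all(name, []))
    return [addr for _, addr in getaddresses(raw) if addr]


def visible_recipients(msg):
    """Addresses every recipient can see: To and Cc."""
    return _addresses(msg, "To", "Cc")


def bcc_recipients(msg):
    """Addresses hidden from the other recipients."""
    return _addresses(msg, "Bcc")


def check_message(msg, limit=VISIBLE_RECIPIENT_LIMIT):
    """Return (ok, reason); ok is False when the message exposes too many addresses."""
    n = len(visible_recipients(msg))
    if n > limit:
        return False, f"{n} visible recipients exceeds the limit of {limit}"
    return True, "within limit"


def guard_outbound(msg, sender, limit=VISIBLE_RECIPIENT_LIMIT):
    """Return the message that may be sent.

    Within the limit the message is returned unchanged. Over the limit a copy
    is built in which every To/Cc address is moved to Bcc and To is set to the
    sender's own address, so no recipient learns who else received the mail.
    """
    ok, _ = check_message(msg, limit)
    if ok:
        return msg
    hidden = bcc_recipients(msg) + visible_recipients(msg)
    fixed = EmailMessage()
    for name, value in msg.items():
        low = name.lower()
        # Recipient headers are rebuilt below; content headers are recreated
        # by set_content(), so copying them would produce duplicates.
        if low in ("to", "cc", "bcc") or low.startswith("content-") or low == "mime-version":
            continue
        fixed[name] = value
    fixed["To"] = sender
    fixed["Bcc"] = ", ".join(hidden)
    fixed.set_content(msg.get_content())
    return fixed


def build_sample_message(recipient_count):
    """Constructed sample: one council-style notice with N residents in To."""
    msg = EmailMessage()
    msg["From"] = "notices@example.org"  # constructed sender address
    msg["Subject"] = "Bin collection changes"
    msg["To"] = ", ".join(f"resident{i}@example.org" for i in range(recipient_count))
    msg.set_content("Collection days change next week.")
    return msg


if __name__ == "__main__":
    draft = build_sample_message(12)
    print(check_message(draft))
    sent = guard_outbound(draft, "notices@example.org")
    print("To:", sent["To"])
    print("Bcc count:", len(bcc_recipients(sent)))
```

The check deliberately counts addresses rather than trusting the sender to pick Bcc, because the failure described in the post is a habit, not a one-off: a guard that runs on every message is the "control in the email system" the tips ask for, and the rejection reason gives the staff training a concrete rule to point at.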

Data breaches happen all the time; it is what you do as a result of one that will be of interest to the ICO.

If you would like to discuss any aspect of the above, please contact me at lesley@audit-and-risk.co.uk or give me a call on 07828 124588. I look forward to hearing from you.

Saturday 4 October 2014

How many Data Protection Breaches have leaked your information this week?

We all take for granted that our personal information is secure, don't we?

This week there have been a few data breaches where my information has been accessed or provided to someone who shouldn't have it. Most worrying was a professional body, to which I belong, which emailed the names and email addresses from their membership database to an outside email address. It's good that the disclosure was identified and that the organisation contacted me to let me know, but how did it happen? Why would a membership database need to be emailed to another individual? Most organisations now have some form of CRM, so why didn't the person who needed the information already have access to it?

The other breach was where an organisation emailed a group of people and failed to hide the email addresses of the recipients from the other people being emailed. A simple thing, but now all those other people have my email address and I didn't agree to that. It also usually results in a load of spam emails. This breach could have been easily avoided by using the BCC option in the email.

So what did I learn? The professional body took the correct steps to report the breach to the Information Commissioner, kept me informed about the action they had taken and explained how the breach came about. This improved my confidence in them because they did quickly realise that they had made a mistake.

The other organisation didn't have a clue that they had breached the Data Protection Act. Apparently they have always done it this way and didn't know that there was a requirement to get permission to share this information. What will they do in future? I have no idea but the fact that they didn't have a clue about the requirements of the Act did not inspire confidence.

The Data Protection Act has been around since 1984, so there are no excuses for not being aware of it or what's required to comply with it. If you need some help or advice to ensure you comply, please contact me at lesley@audit-and-risk.co.uk. I would be very happy to help.