Why you need a Data Protection Notice

Data protection notices ( commonly known now as privacy policies) often go unread and many companies handling personal data will not take the time to ensure their notices are drafted specifically with their business activities in mind. Many will seek to rely on a standard form notice, despite the potential repercussions stemming from an inadequate notice.

The Data Controller identified in the notice should use their legal name. In the case of a company, this would be its full company name, as registered at Companies House, together with any trading name, if this differs from the registered name. Where the Data Controller includes group companies, these should also be identified, either in the notice or by way of a link in the notice to a list of the relevant companies. Once the identity of the data controller is established, it is common for the data controller to refer to themselves as ‘we’ or ‘us’.

The Data Controller should also take steps to ensure they are clear about what information is being processed and the purpose for which it is being processed. Where a company is seeking to build up a customer profile in order to better understand consumer habits, for example, an appropriate reference should be included in the data protection notice.

It is important, however, to ensure that the stated purpose for which data is being processed is an accurate reflection of the organisation’s current or immediately foreseeable data processing activities. Data must be processed fairly and this means that data subjects must not be misled as to the purpose or the extent to which their data is being used by a company.

Third Parties

A notice should also mention if third parties are being used to process data on behalf of an organisation, although this does not necessarily entail disclosing the identity of each and every data processor. The data subject’s consent is also not required prior to sending the data to the third party for processing.

Consent from a data subject is required, however, where data is to be provided to a third party for a purpose other than processing that data. Under these circumstances the data controller should make the identity of the third parties clear, either by referring to them directly in the notice or referring them to an online webpage, for example, which identifies the third parties. In any event the notice must make clear the purpose for which consent is being sought.

A third party will only be permitted to use the data provided by the data controller under the terms of the controller’s data protection policy. When processing the data, however, the third party will need to provide the individual with their own data protection notice and may, as a result, process that data in accordance with its own notice and not the original controller’s. This may, however, leave the third party liable to legal action by the original data controller if there was a legal agreement between them to prevent the use of personal data in such a manner.

A fee of up to £10.00 may be levied in order to grant a subject access to the data being held which relates to them. Individuals have a right to access their data and to have inaccurate information corrected. Whilst inclusion of this right is not a specific requirement under the Data Protection Act 1998, organisation should, as a matter of good practice, seek to include this in their notice.

Data Collection

Data collection may involve the collection of email addresses or telephone numbers. The Privacy and Electronic Communications (EC Directive) Regulations 2003 state that the consent of the data subject must be obtained before they can be contacted for marketing purposes via text message, facsimile or email or before automated calling systems can be used. Consent in this context requires the individual to take some form of positive action, as opposed to passively consenting. Positive action could include clicking a tick box in the submission of an online form, for instance.

Contact by telephone does not require consent, although the telephone number must be screened against both the Telephone Preference Service and the data controller’s internal list comprising persons who do not wish to be contacted. Contact by mail also does not require consent. In practice, many organisations will benefit from obtaining consent to all forms of communication at once rather than attempting to follow the minimum legal requirements. This is particularly important where industry-specific codes of conduct go further than statutory requirements.

Credit Checks

Specific wording exists for inclusion in a data protection notice if the data controller wishes to carry out credit checks or credit scoring activities on the basis of the information received. Credit checks and credit scoring are marked against an individual’s credit record and may adversely affect their ability to secure credit. It is therefore vital that this is drawn to an individual’s attention and to ensure their consent is obtained on the basis of full and factual information.

A similar approach should be adopted when carrying out a money laundering check. The Money Laundering Regulations 2003 require that in certain circumstances where the identity of an individual needs to be verified, the data protection notice should be drafted in a way which allows the data subject to understand how the information will be used.

Sensitive Personal Data

The Data Protection Act defines sensitive personal data as information which can be used to identify a living individual. A data protection notice does not automatically give rise to a right to process sensitive personal data. A positive opt-in action is required on the part of the data subject before such data may be processed; silence or an omission to act can never constitute consent.

Michael Coyle specialises in IT and data protection. He can be contacted at michael.coyle@lawdit.co.uk.

Lawdit Solicitors is a commercial law firm based in Southampton with associate offices in London, Malaga and Rome

European Distrust of US Data Security Creates Market for Local Cloud Service

Concern in the European Union that U.S. data protection laws are too lax has created a new market for European cloud computing services.

A recent survey indicated that 70 percent of Europeans have concerns about their online data and how well companies secure it and now two Swedish companies, Severalnines and City Network, have begun promoting their newly merged service as “a safe haven from the reaches of the U.S. Patriot Act.” Under the U.S. Patriot Act, data from European users of U.S.-based cloud services can secretly be seized by U.S. law enforcement agencies.

“We believe that a service owned and operated locally in the E.U., and fully compliant with E.U. data protection laws, will be very attractive for European companies. U.S. companies with European operations will also benefit from the lower latency of a locally hosted solution,” said City Network chairman Johan Christenson.

This gap in the market is also being exploited by other firms such as DNS Europe, Colt and MESH. The latter strongly promotes its location in Germany and “data separation in strict compliance with German data protection laws.”

European legislators are also worried about the protection accorded to personal data held in the cloud.

“It is crucial, for European businesses and users, that the data on the cloud is stored in a safe country,” said Philippe Juvin, a Member of the European Parliament (MEP), on Thursday.

The E.U. and the U.S. attempted to overcome user mistrust with the Safe Harbor Agreement, but is widely seen to have failed. Under the agreement, U.S. organizations self-certify their adherence to principles of data security, but there is very little enforcement and some U.S. legislation, in particular the Patriot Act, can override these principles.

Lawyers such as Theo Bosboom of Dirkzager Lawyers see the Safe Harbor Agreement as outdated. “I’m afraid that safe harbor has very little value anymore, since it came out that it might be possible that U.S. companies that offer to keep data in a European cloud are still obliged to allow the U.S. government access to these data on the basis of the Patriot Act,” he said. “Europeans would be better to keep their data in Europe. If a European contract partner for a European cloud solution offers the guarantee that data stays within the European Union, that is without a doubt the best choice, legally.”

MEP Sophie In’t Veld, too, is no fan of the agreement. “Safe harbor nice idea, but it didn’t work. When it was set up, times were different and it has almost become redundant by technological progress. We are increasingly aware of problem areas of jurisdiction between the E.U. and U.S. and a voluntary scheme like safe harbor is not a strong concept and will not solve these problems,” she said.

The E.U. is currently in talks with the U.S. over sensitive data transfers across the Atlantic and a new European Data Protection Directive will be published in early 2012, which Justice Commissioner Viviane Reding promises will include measures to cover data in the cloud, but it appears that European could services still have a unique marketing opportunity.

By Jennifer Baker, IDG News

Follow Jennifer on Twitter at @BrusselsGeek or email tips and comments tojennifer_baker@idg.com.

Disaster Recovery Rates as Worst Data Challenge

Data managers report information lost 56 percent of time after a disaster; cloud more popular with smaller enterprises

November 21, 2011 – Disaster recovery is the top challenge for data managers, with much of the information lost due to lags in recovery time and lack of backups, according to a new survey by vendor Iron Mountain.

Iron Mountain questioned 1,200 data management and recovery officials on their data recovery awareness, practices and responses. Sixty-eight percent stated that disaster recovery is their biggest data challenge, with less than half (44 percent) having successfully recovered information after a recent data recovery event. The top two reasons for data loss after a disaster were lag in recovery time (27 percent) and lack of necessary backup files (15 percent).

The survey also revealed that cloud computing has taken hold more quickly at smaller enterprises. Overall, 20 percent of respondents stated they rely on the cloud for their day-to-day data management operations, though that number was proportionately higher for organizations with fewer than 1,000 employees and/or less than 25 terabytes of enterprise information.

More organizations keep all information as part of their data compliance strategy (25 percent), while, on the other end of the survey’s spectrum, 17 percent have a formal, company-wide retention and destruction policy, according to the survey. Forty-eight percent of organizations back up information at a remote data center or tape-storage facility, and that same amount stores information on site.

Blaine Rigler, SVP and general manager for data backup and recovery at the information management provider, said in a news release on the survey that the results show struggles with managing a growing amount of information that creates “data challenges every day.” “At its basic level, controlling data is about controlling risk, which means being prepared in the event of disaster so that you can restore your business without losing its most important asset – information,” Rigler said.

Rigler recommended implementing data rules that are adaptable to growing volumes of data and known across all business units, as well as setting up regimented policies for destroying data you don’t need and moving some critical information offsite.

 

Justin Kern is associate editor at Information Management and can be reached at justin.kern@sourcemedia.com. Follow him on Twitter at @IMJustinKern.

We know document management works and is needed, but why is it so hard?

Written by Mark Palmer, Director of Products and Marketing, Invu Services

Tuesday, 15 November 2011

The pre-requisites for a successful DMS deployment. The Finance community faces rigorous compliance demands compounded by senior management obligations for continuity planning. It’s a highly integrated industry and the pressures of multiple Financial Service Authority (FSA) requirements mean that firms must increasingly demonstrate easy, efficient and effective business solutions. Take, for example, document transmission and storage; a mundane but essential source of key client and transactional data which needs to be carefully managed. For too many firms this is a Cinderella issue and the potential risk is high, not just to cost, but also to reputation. The obvious solution is to leverage document management systems (DMS) to remove the reliance on paper, streamline processes and transform the timeliness of information access. But as many companies have discovered, the road to DMS can be strewn with pitfalls that can quickly derail a project. Regulatory Environment In an industry with multiple regulations, the FSA’s demands for compliance and governance cannot be brushed aside. Where compliance or governance fails, then good document management records could potentially eliminate or reduce the risk of heavy financial repercussions, by providing an auditable trail of paper work. And yet many firms’ compliance is fundamentally undermined by their reliance on out-dated methods and their quaint paper storage. This all comes down to a reliance on poor manual, paper-based processes that slow down document retrieval and procurement. Less Haste, More Speed How can firms possibly guarantee regulatory and legal compliance without a clear auditable trail? Good document management relies on the regular review of records, with the controlled retention and destruction of information. The obvious answer is to adopt a DMS to automate processes, eliminate paper, and achieve control over the document trail and hence financial procedures. But simply deciding to implement a DMS to become more efficient is not enough; this is a product set that can be deployed in many ways to meet numerous diverse regulatory and corporate requirements. Fully functional, wide-reaching solutions can take several years to deploy – during which time business needs have changed, and opportunities have been missed. The emphasis right now is to get rid of the paper-based processes that are compromising business value and compliance. Don’t get distracted by additional features, however appealing, simply because they are available. This whole process should take around one month – and certainly no more than three. Peripheral View Whilst imperative to clearly define the specific requirements, the exact implications of the objective must also be clearly understood – does it require lengthy integration with other systems, for example? The key is to define statements of work (SOW), undertake pre-implementation review sessions and work closely with a supplier. Use proof of concept trials, followed by staged implementations to create manageable projects that deliver incremental business value. It is also essential to avoid over-elaboration, a classic error with any functionally-rich technology. For example, DMS utilise configurable structures and metadata – most also enable content searching. Defining a complex taxonomy may appear the best route towards a flexible and future proof solution, but, as organisations have discovered, in areas where the filing is not automated, the overhead of working to the structure and metadata requirements resulted in slow operational processing, end user frustration and a reduction in Return on Investment (ROI). A simple taxonomy, with limited mandatory metadata, is actually a far more sustainable and usable model. Conclusion It is easy to get derailed by DMS: this is a highly functional product set that can meet the very diverse needs of each and every organisation. The challenge is in effectively defining those needs and designing a simple, elegant solution that can be deployed quickly to meet those requirements. With the right approach, an organisation can transform operational efficiency, achieve clarity of communication and meet regulatory pressures. It can improve cash flow, drive down administrative costs and improve performance insight. Critically, it can become a far better business operation, and strengthen its position as a strong trading partner.

 

Tape Storage Continues Upward Growth Trend as the Favored Solution for Data Archiving and Long Term Data Retention

Overland Storage Offers New NEO 600s and NEO 800s Tape Libraries to Meet Growing Demand for Tape Solutions

SAN DIEGO, CA, Nov 10, 2011 (MARKETWIRE via COMTEX) — Overland Storage OVRL 0.00% , the trusted global provider of effortless data management and data protection solutions across the data lifecycle, today announced the availability of NEO 600s and NEO 800s, two new additions to its popular line of automated tape libraries aimed at offering more choices for tape deployments in the growing tape storage market. Fueling the current expansion of the tape storage market is an increased demand for flexible solutions designed to address rapid business data growth combined with the increasing acknowledgment of tape’s cost-effectiveness over de-duplicated disk.

Research from analysts at Enterprise Strategy Group indicates: “Tape is the predominant storage media used for data protection due to its portability and, from an acquisition cost perspective, its price.” As tape capacities continue to out-ship disk capacities and “the use of tape now dominates archiving over internal disk, external disk or cloud… tape’s lead is expected to grow during the next five years, demonstrating 45 percent annual growth by 2015.”

Features of the NEO 600s and NEO 800s from Overland Storage In response to the increasing demand for more long-term data storage and archiving capacity, Overland Storage has added the NEO 600s and NEO 800s to its popular NEO portfolio. NEO 600s and NEO 800s solve the complex data storage protection challenges that businesses face when budgets are limited and users demand more storage capacity. NEO 600s packs up to 216TB of backup and archive capacity into a space-efficient 6U form factor while NEO 800s provides up to 244TB in an 8U form factor, making both solutions ideal for data centers that need large amounts of storage capacity. In addition to high-capacity storage, NEO 600s and NEO 800s feature multi-drive support for increased performance, redundant power for increased data availability and remote management for ease of use and reduced administrative overhead. Utilizing LTO-5 tape drive technology, NEO 600s and NEO 800s allows businesses to leverage the efficiencies of new linear tape file system (LTFS) technology, allowing disk-like “drag & drop” functionality on a tape.

Overland Storage Customers Discuss Tape Usage Overland Storage recently conducted a nationwide survey of its customers in the United States to learn more about how they use Overland tape libraries. The results of the survey indicate that tape storage remains a vital and irreplaceable component of the datacenter:

— Half of respondents said that their business could not manage without tape storage

— 56% of respondents said they keep data on disk for a month or less before moving it to tape

— 74% of respondents are using tape storage for onsite backups and 63% are using tape storage for offsite backups and disaster recovery

— 80% of respondents do not believe that archiving to the cloud will replace tape storage

“Industry analyst research, Overland Storage customer survey data and the overall growth in the tape storage marketplace confirm that tape-based storage remains a critical part of any data protection strategy due to its cost of ownership, portability, lower energy consumption, long shelf life, robust design and compact footprint advantages,” said Peri Grover, director of marketing for tape solutions at Overland Storage. “In response to the increasing IT demand for Overland Storage’s tape-based solutions, we’ve added NEO 600s and NEO 800s to our NEO line of automated tape libraries to provide users with additional choices in capacity, performance, features and affordability to address their data storage challenges.”

Pricing and Availability The new NEO 600s and NEO 800s solutions are available immediately with a starting MSRP of $14,499 and are included in Overland’s “Trade Up and Save” promotion, which offers customers up to $2,000 in cash rebates for a limited time. For more information, please visit http://www.overlandstorage.com .

About Overland Storage Overland Storage is the trusted global provider of effortless data management and data protection solutions across the data lifecycle. By providing an integrated range of technologies and services for primary, near line, offline, archival and cloud data storage, Overland makes it easy and cost effective to manage different tiers of information over time. Whether distributed data is across the hall or across the globe, Overland enables companies to focus on building their business instead of worrying about data growth. Overland SnapServer, SnapSAN, NEO Series and REO Series solutions are available through a select network of value added resellers and system integrators. For more information, visit http://www.overlandstorage.com .

Connect with Overland Storage: Read the Overland blog: http://overlandstorage.com/blog Follow Overland on Twitter: http://www.twitter.com/OverlandStorage Visit Overland on Facebook: http://www.facebook.com/OverlandStorage

Overland Storage, SnapServer, SnapSAN, NEO, REO and the Overland logo are trademarks Overland Storage, Inc., that may be registered in some jurisdictions. All other trademarks used are owned by their respective owners.

        
        Media Contact
        Elizabeth Zaborowska
        Bhava Communications
        overland@bhavacom.com
        510-219-8127

The BSIA Briefing: November 2011

In this month’s BSIA Briefing, Amanda Beesley focuses on the topical issues of metal theft (and how to prevent it), the destruction of confidential information and Best Practice in the lone working environment.

–

ByAmanda Beesley

With an estimated cost to the UK economy of around £770 million per annum, the issue of metal theft – and how to prevent it – is at the top of the current agenda for many sections of the BSIA’s membership, whose customers are increasingly seeking effective security measures to protect valuable metals such as copper and lead from being targeted by thieves.

The sudden increase in this type of criminal activity has been associated with the rise in price of copper and metal and further compounded, of course, by the impact of the recession.

Cables are frequently being stolen direct from their position underground and also when stored in compounds, with the financial and logistical repercussions of such incidents becoming considerably more onerous as the level of criminality increases.

According to the BBC, in the transport sector alone cable theft increased by about 52% in the last financial year, in turn costing Network Rail £16.5 million to replace stolen cable and compensate train operators for lost service.

Cable theft is a growing concern for many industry sectors as well as transport. The telecommunications sector is heavily targeted as well, with the high value of fibre optic cables making them attractive to thieves.

In January last year, the customers of a global media and telecommunications provider were left without broadband when thieves stole a mile’s worth of fibre cables. Criminals dug two holes in the ground in Sutton, Greater London and, according to the Sutton Guardian, around 1,500 metres of fibre optic cable was taken. This disrupted broadband, telephone and television services for up to 48 hours.

For many victims of metal theft, the solution has come in the form of integrated security measures including a variety of deterrents from physical security through to CCTV and intruder alarms.

One heritage building in London’s Tottenham area employed a mixture of anti-climb razor roll-bars, CCTV and an intruder alarm system with motion detectors supplied by a BSIA member after lead flashing and pipe had been illegally removed from the roof.

Members of the BSIA’s Security Guarding, Physical Security, Cash and Property Marking and CCTV Sections have all seen an increased demand for their products and services by customers hoping to tackle the growing issue of metal theft.

A spokesperson representing the Trade Association’s Security Guarding Section commented: “Our security team is deployed to a number of high-risk sites around the UK in order to combat the theft of valuable materials including metals, and to prevent instances where businesses and transport companies are unable to operate due to the mindless acts of criminals.”

The spokesperson continued: “We cannot underestimate the effect that metal theft has, not just on those who own and use the materials but also on those who rely on the goods or services they provide as a result. It’s vital that the UK’s security firms hone the service they provide to targeted sites, including giving clients a comprehensive assessment of where the risks lie and how to overcome them.”

For more information on the security measures provided by BSIA member organisations visit the main BSIA Internet site.

 

BSIA to share essential guidance on information destruction

 

The BSIA has been invited to share information destruction Best Practice advice with other industry sectors at the Trade Association Forum’s Best Practice Exchange event later this month.

Leading a discussion group entitled ‘Protecting Your Organisation and Reducing ID Theft’, the BSIA’s session aims to provide Trade Associations from a wide range of industries with the information they need to educate their members on their responsibilities under the Data Protection Act.

Representatives from the Information Commissioner’s Office (ICO) will also be on hand alongside the BSIA’s team members to provide advice and guidance on legal compliance.

Raising awareness among all business sectors of the importance of secure data destruction is of key importance to the BSIA’s Information Destruction Section, whose members offer secure destruction of a range of confidential information that’s paper-based, contained on DVDs and/or computer hard-drives.

Recent research conducted by the BSIA shows that 41% of companies are still unaware of the ability of the ICO to issue penalty fines of up to £500,000 to those who fail to fulfill their obligations under the Data Protection Act.

Russell Harris, chairman of the BSIA’s Information Destruction Section, explained: “Our research shows that much more needs to be done by organisations to protect themselves against the threat of data breaches and the potential for the loss of commercially sensitive information or details which could lead to identify fraud.”

Harris continued: “We also need to ensure that organisations understand the measures which can be taken against them – such as fines – if they don’t comply with the requirements of the Data Protection Act.”

According to the Act, every Data Controller using an information destruction company is required to choose a supplier that provides sufficient guarantees of security measures, including destruction being carried out under contract and evidenced in writing.

However, a worrying proportion still fail to understand the consequences of non-compliance: a concern that will be addressed thanks to representatives of a variety of at-risk industry sectors being involved in the BSIA’s discussion at the Trade Association Forum.

To find out more about the BSIA’s Information Destruction Section take a look here.

 

The Big Issue: protecting lone workers during hours of darkness

 

More than six million people in the UK work either in isolation or without direct supervision, often in places or circumstances that place them at potential risk.

A wide variety of organisations employ people whose jobs require them to work or operate alone, either regularly or occasionally.

Almost by definition, this kind of employment can be both intimidating and at times dangerous, particularly now that the nights are drawing in.

As such, the protection of lone workers involves a two-fold approach, not only aimed at providing safeguards but also to offer reassurance for the people involved.

To address these important issues, the security industry has worked with the police and end users to develop a combination of practice, technology and standards capable of providing an effective – and cost-conscious – solution to the risks.

The development of technology and practice in the field has focused on encouraging and enabling lone workers to assess the risks they might be facing, and then provide them with the means both to summon aid in an emergency and collect information that can be used in evidence (if necessary).

This has led to the creation of lone worker devices equipped with mobile phone technology that connect employees quickly and discreetly with an emergency response system that has direct links to the police.

A number of products are commercially available from BSIA member companies, including miniature devices that resemble ID holders.

A key element of all this work has been the development of British Standard BS 8484, a Code of Practice for the Provision of Lone Worker Services, which is employed by all BSIA members in the field and forms the basis for police response to lone worker systems.

The BSIA has also published an associated guide affording employers easy-to-follow advice about what to look for when sourcing a supplier. The guide covers the employers’ responsibilities to its lone workers, as well as specific criteria for selecting technology, monitoring services and providers (including the possession of quality management systems such as ISO 9001 and the delivery of appropriate training).

‘Lone Workers: An Employers Guide’ can be downloaded free by visiting www.bsia.co.uk/publications and searching for form number 288.

Alex Carmichael, technical director at the BSIA, commented: “This guide recognises the importance of keeping lone workers safe and secure. Responsible employers will consider the Health and Safety of their lone workers as a top priority, and the use of lone worker devices can help by connecting such employees with an emergency response system that has direct links to the police.”

Carmichael added: “BS 8484 is the basis on which the police responds to lone worker systems, so it’s important for employers to choose a supplier who works to these standards.”

For employees whose role requires them to work alone, the BSIA has produced a separate guide which can be downloaded free by visiting the website above and searching for form number 284.

Amanda Beesley is PR and communications manager at the British Security Industry Association

Beating the Breach: 10 Best Practices for Database Security and Compliance

Life for security professionals used to be simpler. You could stop outsiders from accessing your data by establishing perimeter defenses such as firewalls and anti-virus systems, and by having on-site security guards and identity checks at the entrance to your corporate data center.In today’s interconnected world, that’s no longer the case because the boundaries of our business infrastructure are constantly being extended by the emergence of cloud, mobility, Big Data and more.

To be useful, a company’s data must be continuously connected to its customers, partners and employees. That exposes sensitive data to more automated and targeted attacks than ever before. We’re now seeing numerous attacks that easily bypass traditional perimeter defenses by exploiting Web application vulnerabilities such as SQL injection, or by spear phishing key employees and then using stolen administrative credentials to compromise back-end databases.

Despite more attention being paid to secure coding practices, SQL injection continues to be the #1 high-volume signature tracked by IBM Managed Security Services and a favorite attack vector amongst malicious groups, according to the 2011 IBM X-Force Mid Year Trend & Risk Report.

Lowering compliance costs by streamlining processes is also an important driver for implementing database security technologies. Many organizations are now looking to replace their manual, siloed compliance processes with a single unified set of centralized, standardized and automated controls for all key applications, database platforms and compliance mandates.

Based on our engagements with Global 1000 organizations, the following best practices have emerged for strengthening database security and compliance in enterprise environments.

Discover: Data can’t be secured if you don’t know it exists in the first place. Discover all locations of sensitive data including rogue databases and legacy applications. Don’t forget about non-regulated data and corporate intellectual property (IP) such as strategic plans, product designs and proprietary algorithms. Execute automated discovery scans on a regular basis because sensitive data locations are constantly changing.

Assess vulnerabilities: Regularly assess database configurations to ensure they don’t have security holes or missing patches. Use standard checklists such as the CIS Database Server Benchmarks and the DISA Security Technical Implementation Guides (STIGs). Don’t forget to check OS-level parameters such as file privileges for database configuration files and database configuration options such as roles and permissions, or how many failed logins result in a locked account (these types of database-specific checks are typically not performed by network vulnerability assessment scanners).

Harden the database: The result of a vulnerability assessment is often a set of specific configuration recommendations to take as next steps. You should also remove all database functions and options that you don’t use.

Audit configuration changes: Once the hardened configuration is established, continually track it to ensure the “gold” configuration hasn’t changed. Use change auditing tools that compare configuration snapshots and immediately alert whenever a change is made that affects your security posture.

Deploy Database Activity Monitoring (DAM) and Database Auditing: Continuous, real-time monitoring is crucial for rapidly detecting suspicious or unauthorized activity – such as a customer service rep downloading hundreds of customer records in a single day. Monitoring privileged users — such as DBAs, developer and outsourced personnel — is also a requirement for most compliance regulations, as well as for detecting intrusions from outside attackers, since cyber attacks frequently result in the attacker gaining control of privileged accounts. DAM is also essential for finding “behavioral vulnerabilities” such as users sharing privileged credentials. Database auditing allows organizations to generate a secure, non-repudiable audit trail for all critical database activities — such as creation of new accounts and viewing or changing sensitive data — and it’s also important for forensic investigations.

Authenticate, control access and manage entitlements: Controlling access to sensitive data on a “least privilege” basis is essential to ensuring full accountability. You should also periodically review entitlement reports as part of a formal audit process.

Monitor the application layer: Well-designed DAM solutions associate specific database transactions performed by the application with specific end-user IDs, in order to deterministically identify individuals violating corporate policies. In addition, combining database auditing information with OS and network logs via a security information and event management (SIEM) system to see everything that a user has done can also provide critical information for forensic investigations.

Encrypt: Encryption renders sensitive data unreadable, so an attacker can’t gain unauthorized access to data from outside the database. File-level encryption at the OS layer, combined with granular real-time monitoring and access control at the database layer, is typically accepted as a practical alternative to column-level encryption and a compensating control for Requirement 3.3 of PCI-DSS.

Mask test data: Masking is a key database security technology that de-identifies live production data, replacing it with realistic but fictional data that can then be used for testing, training and development purposes, because it is contextually appropriate to the production data it has replaced.

Automate and standardize compliance processes: Most compliance regulations require implementation of data security measures to reduce risks to a reasonable and appropriate level. Achieving compliance is not only important because no one likes to fail an audit, but it also provides third-party validation that your organization has implemented the proper controls to ensure the confidentiality, integrity and availability of your data. Automating and standardizing compliance processes is essential for reducing compliance costs, minimizing last-minute audit fire drills and easily addressing ever-changing regulations.

Once these 10 steps have been taken, enterprises should feel confident that they have taken the necessary steps to mitigate the risk of a data breach.

 

Security | Guest Opinion | Phil Neray, Thursday, November 3, 2011

http://www.ctoedge.com

NHS Staff breach personal data 806 times in three years.

One in eight breaches reported by health service organisations resulted in staff dismissal.

• Sade Laja
• Guardian Professional, Friday 28 October 2011 00.01 BST
• Article history

Figures released to the privacy campaign group Big Brother Watch show that 806 separate incidents involving patient medical records being compromised took place at 152 NHS trusts between July 2008 and July 2011.

The group, which obtained data from the majority of NHS organisations in the UK, found that breaches included 23 incidents of patient information being posted on social networking sites by staff, 129 separate instances of NHS employees looking up details of colleagues and family members and 57 incidents involving unsecured confidential information being stolen or lost by staff.

Of the 129 incidents concerning healthcare staff inappropriately looking up patient information, 91 related to an NHS employee illicitly viewing the confidential medical details of a colleague. In some cases the individual was found to have revealed the information to other staff.

The 23 incidents relating to breaches involving social media shows that 11 trusts released details of such incidents, in which 13 medical personnel were involved. One of the cases resulted in the dismissal of the employee. Over the last three years 102 health service employees have been dismissed for breaching data protection.

Nick Pickles, director of Big Brother Watch, said: “This research highlights how the NHS is simply not doing enough to ensure confidential patient information is protected.

“The information held in medical records is of huge personal significance and for details to be disclosed, maliciously accessed or lost and these cases represents serious infringements on patient privacy.”

The group obtained the data through freedom of information requests sent to 428 trusts in England, Scotland, Wales and Northern Ireland. It received responses from 354 trusts, with 55 providing partial responses and 74 not replying.

Commenting on the findings, health minister Simon Burns said: “It is completely unacceptable for staff with no involvement in providing or supporting care to access confidential patient information. Patients have a right to expect that their personal medical information is kept private.

“We have issued clear standards and guidance to the NHS about what needs to be done to keep patient records secure and confidential. Individual NHS organisations are responsible for ensuring their staff understand and follow that guidance. Any member of staff discovered intentionally breaching this should be subject to appropriate disciplinary action.”

The group’s findings follow the justice committee’s recent backing for the Information Commissioner’s Office (ICO) to gain more powers. A report by the committee said that the ICO should have the power to issue custodial sentences for breaches of the Data Protection Act. At present it can only issue fines to organisations which breach the act. Its report also said that the privacy watchdog has limited powers to prevent data protection breaches, particularly in the healthcare sector.

This article is published by Guardian Professional. Join the Guardian Healthcare Network to receive regular emails on NHS innovation.

The DPA more than an Act, it’s a way of life

As you are no doubt aware, the Information Commissioners Office (ICO) has a number of regulatory actions it can use to ensure compliance with the Data Protection Act (DPA), not least of which are its powers to serve monetary penalty notices of up to £500,000 for serious contraventions of the data protection principles.  But now there is renewed activity in the arena of providing more ‘new teeth’ to the Commissioner that could see compulsory audits across all sectors, not just central government.

At the 10th annual data protection compliance conference in London on 13th October, the Information Commissioner, Christopher Graham stated that “Compulsory audit powers are needed for local government, the NHS and the private sector” and “the ICO is being blocked from auditing organisations in sectors that are causing concern over their handling of personal information.”  Currently the ICO can only conduct compulsory audits on central government departments, but there have been well publicised cases where breaches have occurred in other organisations that may have been prevented had the ICO been able to audit them.

As I write this, the Commissioner is preparing a business case that will change the law and provide an extension of the ICO’s Assessment Notice powers under the Coroners and Justice Act of 2009.  Unlike, what the ICO like to term the “good practice” consensual audits, a compulsory audit is conducted following the issuing of an assessment notice.  These notices are used in circumstances where there is a risk that individuals’ data will be compromised, but the organisation is unwilling, for whatever reason, to engage constructively with the ICO.

Given that this change in legislation will give the ICO additional powers to inspect the aforementioned organisations, I wonder whether all data controllers are ready and have their house in order so they can demonstrate to the ICO that they are complying with the Data Protection Act principles and so avoid an assessment notice.  Some of the initial drivers that would lead the ICO to consider using its formal regulatory powers are firms carrying out the following types of conduct, so I suggest that your data controllers at least check these areas:

• repeated failure to take adequate security measures;
• collecting and retaining detailed or sensitive personal information on a ‘just in case’ basis;
• seriously intrusive marketing, for example repeated failure to observe the customers telephone preference service requirements;
• failure to notify, despite receiving reminders from the ICO; and
• denial of subject access where it is reasonable to suppose significant information is held.

The ICO does not have to seek the consent of the data controller to undertake this assessment, and the organisation will be required by law to take certain action such as:

• permitting the Commissioner to enter any specified premises and observe the processing of any personal data that takes place;
• allowing the Commissioner access to documents, equipment or other material on the premises and provide copies if requested by the commissioner; and
• making available for interview by the Commissioner persons who process personal data on behalf of the data controller.

In my opinion, these powers, once granted to the ICO, would mean that the ICO’s ‘good practice consensual audit’ may manifest itself into a regulatory tool and for those organisations failing the audit further sanctions could be applied.

Is data and information security embedded into your organisation, is it part of your way of life?  If not then you could become a victim of the Commissioners new regulatory ‘teeth’.

AMANDA HARTSHORNE      www.finextra.com

ICO Repeats Data Encryption Guidance

24 October 2011

The Information Commissioner’s Office (ICO) has repeated its guidance that organisations that handle personal data must encrypt that information if its loss would cause distress or damage. The ICO’s advice is given with reference to the Data Protection Act, which states that appropriate technical and organisational measures must be taken to protect personal data. The ICO issued a statement following the loss of laptops by two separate organisations containing unencrypted personal data.

Data encryption is a relatively straightforward process and a variety of programs are available on numerous platforms; many of them free open-source projects. Most encryption programs are easy to use, although the largest obstacle to adoption of this security measure appears to be awareness amongst staff of both the use of encryption and its importance in relation to data protection.

Organisations would benefit from holding staff training sessions where they are able to raise awareness of data protection issues. Most employees undoubtedly have a good understanding of the principle of confidentiality and why it is important, although information about the difference between data, personal data and sensitive personal data could benefit an organisation by making its employees think twice before handling it.

The ICO offers a range of free literature for individuals and organisations on its website and many organisations would do well to take advantage of this. Members of staff who handle personal data and sensitive personal data should also be required to attend training on data encryption and to use it as part of their data processing duties.

Lawdit understands the importance of good data protection practices and we believe it is vital that every organisation should have procedures and safeguards in place to protect against data loss. Please contact us for a free discussion if you have any data protection questions or concerns and a member of our team will be pleased to offer you the help and advice you’re after.

By Aasim Durrani. Aasim is a legal assistant to Izaz Ali (izaz.ali@lawdit.co.uk) and can be contacted on aasim.durrani@lawdit.co.uk