Data Breach Trends October 2015


Introduction

In October 2015 the Information Commissioner's Office (ICO) published the latest data breach trends, including incidents by quarter, type of incident and incidents by sector. We wanted to take the data available and turn it into an easy-to-read report, as we felt that the information is something anyone with an interest in security should have read.

Typically, data security is managed by the IT team, but the impact reaches further. It is not outside the realms of possibility that an enforcement action from the ICO could involve a financial penalty (which would have to be dealt with by the finance team), additional training (IT and HR), more than likely a disciplinary process for the person who caused the data breach (HR), and press control measures (marketing and PR functions).

The point? Leaving data security up to one person (or a small team of people) is wholly unacceptable; but while it is easy to say that everyone is responsible for managing data security, that is not the right answer either. Unfortunately, we don't have the solution; that is down to you and your business. What we can do is give you some of the key information that the ICO has made available, so that you are better prepared for the consequences, and aware of the types of breaches that have occurred recently.

About the data

Key information is readily available from the Information Commissioner's website, www.ico.org.uk. Data breach trends data can be found at https://ico.org.uk/action-weve-taken/data-breachtrends/ and notices of enforcement can be found at https://ico.org.uk/action-weve-taken/enforcement/. The most recent data was published on the 11th March 2015; the comparison data was published on the 3rd November 2014. Zylpha has no relationship with the ICO, and the information is reproduced for information and illustrative purposes only.

About the ICO

The Information Commissioner's Office (ICO) is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

ICO Key Facts
Total staff headcount: 383
Calls to the ICO helplines: 259,903
Public prompted awareness of data protection rights: 87%
Data Protection cases received: 14,738
Data Protection cases closed in 30 days or less: 58%
Privacy and Electronic Communications Regulations concerns reported: 161,720

About Zylpha

Headquartered in Southampton, Zylpha is an innovative specialist offering tools for the legal profession, including secure electronic document production and delivery. The company, which was founded by CEO Tim Long, has won widespread acclaim in both the legal and local government sectors for its systems, which transform secure communications for court and case management bundles.

South Wales Police

The ICO has issued South Wales Police with a £160,000 fine for losing a video recording which formed part of the evidence in a sexual abuse case. The DVDs contained film of an interview with a victim who had been sexually abused as a child. Despite the DVDs containing a graphic and disturbing account, the discs were unencrypted and left in a desk drawer.

[Chart: Data Breach Incidents by sector. Sectors shown: Other; Local Government; Legal; Justice; Health; General Business; Finance, insurance & credit; Education; Charitable & voluntary; Central Government. Axis: number of incidents, 0 to 250.]

Ministry of Justice

A monetary penalty notice has been served on the Ministry of Justice for £180,000 over serious failings in the way prisons in England and Wales have been handling people's information. On 24 May 2013, a portable hard drive stored in a prison's Security Department and used to back up the prisoner intelligence database was discovered to be missing. The hard drive had not been password protected and was left unencrypted. The information on the hard drive related to 2,935 prisoners and included confidential and highly sensitive personal data such as their name, date of birth, length of sentence, offence(s), physical description including details of any distinguishing marks, intelligence information such as links to other prisoners or organised crime, involvement with drug use, prison discipline, establishment location and some victim and/or visitor details.

[Chart: Incidents by Incident Type. Types shown: Insecure webpage (inc. hacking); Information uploaded to webpage; Data sent by email to incorrect recipient; Verbal disclosure; Data posted/faxed to incorrect recipient; Loss/theft of unencrypted device; Loss/theft of paperwork; Insecure disposal of hardware; Insecure disposal of paperwork; Failure to redact; Other Principle 7 data failure. Axis: number of incidents, 0 to 100.]

Serious Fraud Office

The Information Commissioner's Office (ICO) has fined the Serious Fraud Office £180,000 after a witness in a serious fraud, bribery and corruption investigation was mistakenly sent evidence relating to 64 other people involved in the case.

Aberdeen City Council

A monetary penalty notice has been served on Aberdeen City Council after inadequate homeworking arrangements led to 39 pages of personal data being uploaded onto the internet by a Council employee.

[Chart: Incidents by Sector, broken down by incident type. Sectors shown: Charitable & Voluntary; Finance, insurance & credit; Education; General Business; Local Government. Incident types: Insecure disposal of hardware; Verbal disclosure; Information uploaded to webpage; Insecure disposal of paperwork; Insecure webpage (inc. hacking); Failure to redact data; Loss or theft of unencrypted device; Other Principle 7 failure; Data sent by email to incorrect recipient; Data posted or faxed to incorrect recipient; Loss or theft of paperwork. Axis: number of incidents, 0 to 18.]

Direct Assist Ltd

A personal injuries claims management company, Direct Assist Ltd, has been issued with a monetary penalty by the ICO for making direct marketing calls to people without their consent. Between January 2013 and July 2014, the ICO and the Telephone Preference Service (TPS) registered 801 concerns about the Bolton-based company, which offered access to solicitors for personal injury insurance claims.

Wolverhampton City Council

The ICO has issued an enforcement notice against Wolverhampton City Council, following an investigation into a data breach at the council that occurred in January 2012. The breach was caused when a social worker, who had not received data protection training, sent out a report to a former service user detailing their time in care. However, the social worker failed to remove highly sensitive information about the recipient's sister that should not have been included.

Department of Justice Northern Ireland

A monetary penalty notice has been served on the Department of Justice Northern Ireland after a filing cabinet containing details of a terrorist incident was sold at auction.

North East Lincolnshire Council

A monetary penalty notice has been served on North East Lincolnshire Council after the loss of an unencrypted memory device containing personal data and sensitive personal data relating to 286 children.

NHS Surrey

A monetary penalty notice has been served on NHS Surrey following the discovery of sensitive personal data belonging to thousands of patients on hard drives sold on an online auction site.

For more information contact Zylpha:
T: 01962 658 881
E: sales@zylpha.com
www.zylpha.com