Data security: encryption failure

Stoke-on-Trent City Council has been fined £120,000 after an in-house solicitor sent highly sensitive information about a child protection case to the wrong e-mail address, rather than the barrister for whom it was intended.

It has led the Information Commissioner’s Office (ICO) – which levied the penalty for a “serious breach” of the Data Protection Act – to remind organisations that sensitive personal information should be encrypted when being stored and sent electronically.

The breach happened on 14 December 2011 when 11 e-mails were sent by a solicitor at the authority to the wrong address. The e-mails included highly sensitive information relating to the care of a child and further information about the health of two adults and two other children. The e-mails should have been sent to counsel instructed on a child protection case.

The e-mails also contained the brief to counsel, suggested directions and comments about the conduct of the case.

While the authority was able to establish that the e-mail address used was valid, the recipient failed to respond when asked to delete the e-mails.

The ICO’s investigation found the solicitor was in breach of the council’s own guidance, which confirmed that sensitive data should be sent over a secure network or encrypted. However, the solicitor was not disciplined because the council had failed to provide the legal department with encryption software and knew the team had to send e-mails to unsecure networks. The council also provided no relevant training.

In reaching its decision, the ICO also took account of an undertaking previously signed by the authority in early 2010. In that earlier incident, sensitive data relating to a childcare case was lost after being stored on an unencrypted memory stick. At the time the council agreed to introduce improvements to keep people’s data secure, including the introduction of encryption for portable devices used to store personal data.

Stephen Eckersley, head of enforcement at the ICO, said: “If this data had been encrypted, then the information would have stayed secure. Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure.

“It is particularly worrying that a breach in 2010 highlighted similar concerns around encryption at the authority, but the issue was not properly resolved.

“The council has now introduced new measures to improve the security of information sent electronically, as well as signing a legal notice to improve the data protection training provided to their staff. This should limit the chances of further personal information being lost.”

In a statement, the council said it had recently taken proactive extra measures to ensure data breaches are a thing of the past, including a new secure remote access system for staff working from home, the encryption of all portable devices and media, blocking of unencrypted or non-council USB devices like iPhones and memory sticks, file encryption so that any information to be sent out of the council can be protected, a secure e-mail portal that allows it to communicate sensitive information safely with anyone outside the council and, finally, updating its anti-virus systems.

Steve Sankey, the council’s assistant director of business technology, said: “We have implemented a lot of new procedures and security measures that will help to prevent future breaches. It was prudent after the Information Commissioner’s Office notified us of our weaknesses that we acted immediately to improve the situation.”

 

    Readers Comments

  • Unfortunately it is always those meant to be protected that bear the pain of information leaks such as this. Let's hope the Council take this as seriously as the situation deserves!

