
How To Avoid Data Breaches

News that the Cabinet Office has been fined £500,000 by the Information Commissioner’s Office (ICO) following a data breach that resulted in the disclosure of the postal addresses of the recipients of the 2020 New Year’s Honours List once again puts local authorities and charities on notice in relation to data protection.

The incident occurred on 27 December 2019, when the Cabinet Office published the names and unredacted addresses of more than 1,000 people announced in the New Year’s Honours list on Gov.uk. Three people who had been affected by the data breach complained to the ICO, which subsequently launched an investigation.

Investigators found that the root cause of the breach stemmed from a new IT system introduced by the Honours and Appointments Secretariat (HAS). Because the system had been set up incorrectly, the postal addresses were included in the exported CSV file.

Due to tight timescales to get the New Year Honours list published, the HAS operations team decided to amend the exported file by hand instead of correcting the IT system. However, each time a new version of the file was generated, the postal address data was automatically included again.

The file was removed immediately upon discovery of the breach; however, a cached copy remained available, so anyone with the exact website address could still access it.

In a statement, Steve Eckersley, ICO Director of Investigations, said: 

"When data breaches happen, they have real life consequences. In this case, more than 1,000 people were affected. At a time when they should have been celebrating and enjoying the announcement of their honour, they were faced with the distress of their personal details being exposed.

"The Cabinet Office's complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety.

"The fine issued today sends a message to other organisations that looking after people's information safely, as well as regularly checking that appropriate measures are in place, must be at the top of their agenda."

The ICO did acknowledge, however, that the Cabinet Office undertook a full review following the breach and 

“…has since instigated a number of operational and technical measures to improve the security of its systems, and an independent review focusing on data handling was completed in 2020.”

Steps to take to minimise the risk of a data breach

It is impossible to completely eliminate the risk of a data breach occurring; however, there are several steps local authorities and charities can take to mitigate the risk. Having robust data protection policies and procedures in place will ensure you are able to spot a data breach quickly and comply with the UK GDPR reporting requirements, which state that personal data breaches must be reported to the ICO within 72 hours. If you cannot meet the deadline, a reason must be provided.

You can mitigate your risk of a data breach occurring by:

  • Completing and regularly updating a data map to ensure you know who, where, how, and why specific people in your organisation process personal data. Understand where personal data is located so that, if a breach occurs, the affected data subjects can be quickly identified and informed (if required).

  • Undertaking a comprehensive work-from-home risk assessment. Employees’ homes will always be less secure than the office, so it is essential to understand the high-risk areas and to have mitigating policies and procedures in place. For example, people who work from home should be careful never to leave sensitive personal information unattended or in a place that could be visible during an online meeting.

  • Restricting access to personal data. Not every employee needs access to all the data you process. For example, the only people who would normally need direct access to employees’ personal data are HR and direct line managers.

  • Practising data protection by design and default. Data protection by design essentially means that privacy and data protection measures are implemented at the start of a project or policy, rather than hurriedly attached at the end. It also encourages an organisation-wide ethos of being proactive about protecting personal data, rather than improving systems and measures only after a breach has occurred. Data protection by default is defined by the ICO as requiring “you to ensure that you only process the data that is necessary to achieve your specific purpose. It links to the fundamental data protection principles of data minimisation and purpose limitation.”
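The root cause described above (an export that silently re-included postal addresses each time the file was regenerated, patched by hand-editing the output) is a useful illustration of the "restrict access" and "by design and default" points. The following Python is an added example written for this article, not code from the Cabinet Office, HAS or the ICO: the public file is generated from an explicit column allowlist, so an extra column in the source system can never reach the published file, and a pre-publication gate refuses any file whose header or cell contents look like address data. The function and constant names (`export_csv`, `check_public_file`, `COLUMN_ALLOWLIST`, `SENSITIVE_COLUMNS`) and the sample records are all invented for the example.

```python
import csv
import io
import re

# Constructed sample records standing in for an honours-list export.
# Every name, address and e-mail below is invented for this example.
SOURCE_RECORDS = [
    {"name": "A. Example", "honour": "MBE", "citation": "For services to charity",
     "postal_address": "1 Example Street, Exampletown, EX1 1AA",
     "email": "a@example.invalid"},
    {"name": "B. Sample", "honour": "OBE", "citation": "For services to education",
     "postal_address": "2 Sample Road, Sampleville, SA2 2BB",
     "email": "b@example.invalid"},
]

# Data minimisation by default: each audience gets only the columns listed here.
# A new column added to the source system is ignored by every export until
# someone deliberately adds it to the relevant allowlist.
COLUMN_ALLOWLIST = {
    "public": ["name", "honour", "citation"],
    "secretariat": ["name", "honour", "citation", "postal_address", "email"],
}

# Columns that must never appear in a public file, whatever the allowlist says.
SENSITIVE_COLUMNS = {"postal_address", "email"}

# Rough shape of a UK postcode, used to spot address data that has leaked into
# a column that is nominally safe (for example, pasted into a citation).
POSTCODE_RE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b")


def export_csv(records, audience):
    """Regenerate a CSV for one audience from the source records.

    The allowlist is applied on every regeneration, so there is nothing to
    strip out by hand afterwards and no hand edit to lose on the next run.
    """
    columns = COLUMN_ALLOWLIST[audience]
    buf = io.StringIO()
    # extrasaction="ignore" drops any source field not in the allowlist.
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore")
    writer.writeheader()
    for record in records:
        writer.writerow(record)
    return buf.getvalue()


def check_public_file(csv_text):
    """Pre-publication gate for a public CSV.

    Returns a list of problems; an empty list means the file may be published.
    Fails closed: an unknown column is a problem even if it looks harmless.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    problems = []
    for col in reader.fieldnames or []:
        if col in SENSITIVE_COLUMNS:
            problems.append(f"sensitive column present: {col}")
        elif col not in COLUMN_ALLOWLIST["public"]:
            problems.append(f"column not on public allowlist: {col}")
    for row_number, row in enumerate(reader, start=2):
        for col, value in row.items():
            if value and POSTCODE_RE.search(value):
                problems.append(f"postcode-like value in column {col!r} on row {row_number}")
    return problems


def publish(records):
    """Build the public file and only return it if the gate passes."""
    public_csv = export_csv(records, "public")
    problems = check_public_file(public_csv)
    if problems:
        raise ValueError("refusing to publish: " + "; ".join(problems))
    return public_csv


if __name__ == "__main__":
    print(publish(SOURCE_RECORDS))
    # The secretariat file legitimately carries addresses, and the gate says so:
    print(check_public_file(export_csv(SOURCE_RECORDS, "secretariat")))
```

The important design choice is that the fix lives in the generator and the gate, not in the output file: regenerating the export cannot reintroduce the addresses, and if someone later widens the allowlist by mistake, the gate still blocks publication. The same structure also gives the "restrict access" point a concrete form, since the secretariat view and the public view are produced from one source by different allowlists rather than by manually trimming a full export.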

Wrapping up

When people think about who is responsible for most data breaches they imagine a criminal gang from a foreign country or a teenager sitting in a dark bedroom. The unfortunate fact is most data breaches are due to internal errors rather than external hacks.

The above points are merely an introduction to ways your organisation can prevent data breaches and the financial and reputational repercussions that follow. Like all safety measures, the basic principles of conducting regular risk assessments, proactively putting in measures to mitigate risks, and having an organisation-wide culture of compliance, communication, and training are the key building blocks of success.

While every effort has been made to ensure the accuracy of these court updates, these articles are intended as a general overview and not intended, and should not be used, as a substitute for taking legal advice in any specific situation. Neither Zurich Municipal, nor any member of the Zurich group of companies, will accept any responsibility for any actions taken or not taken on the basis of these articles.
