At Last – A County Council gets fined for serious data breach

Having been banging on about this for a while, it seems that ICO chief Christopher Graham has got his wish and handed out his first public sector fine. This morning, it was announced that Hertfordshire County Council (HCC) has received the first substantial fine of £100,000 for a major breach.

This has been too long in coming, and if indeed the data relates to a child sex abuse case, they are perhaps extremely fortunate that the ICO did not hand out the full £500,000 fine. The implications of the case are threefold:

1. The nature of the breach is so unacceptable that it takes one's breath away. This sort of thing happens when processes and procedures are either not in place, not observed or not substantial. None of these three excuses is valid in any way, shape or form, and somebody needs to own the liability within the Authority.

2. The money to pay the fine will have to be found from somewhere. One would assume that HCC has a contingency reserve to cover such screw-ups, but there is a chance that this could affect frontline services. Given the post-CSR world we live in right now, it's not as if there are piles of cash just sloshing around Local Government.

3. Christopher Graham signposted this clearly in September at IA10. If he had beamed his message onto the face of the moon, he couldn't have been more upfront about it. He effectively said that it was no surprise that Local Authorities with poor children's services also handle data badly. We now know whom he meant. One wonders whether anyone was listening, and what is still to come. I bet they are all ears now.

There is a temptation to get bandwagonesque about this and all pile into HCC. But frankly, this has been coming for so long that they can hardly complain. It is time for data security to become a mainstream topic, and for senior staff to be held accountable.

About Graeme Stewart, McAfee

I work for McAfee as Director of Public Sector Strategy and Relations, UK&I
This entry was posted in CSR, Efficiency, Legal, Security, Sophos.

3 Responses to At Last – A County Council gets fined for serious data breach

  1. Pingback: Lost laptop leads to first Data Protection Act fine for UK firm | Naked Security

  2. Juan Kasov says:

    It is a bit mean to say "at last"! I understand that many organisations do have a strict IA policy. Wasn't this a fax document, and not digital data?

    • Hi Juan

      I make no apologies for my sentiments. Organisations, in my experience, split into the following types when it comes to IA policy:

      1. Ones that have one, use it and enforce it
      2. Ones that have one, but don’t use it or enforce it
      3. Ones that don’t have one but chuck software at the problem in the hope the problem goes away
      4. Ones that don’t have a clue and don’t do anything

      And it's worth noting I haven't even factored in whether the IA policy is any good or not, and that's a whole different axis.

      Clearly, Type 4 are rare. In the case of the Council just fined, they appear to be a Type 2. Data needs to be handled correctly whatever the medium or comms method, and this breach is symptomatic of an IA policy that has not been clearly communicated and/or staff that do not understand/care about the outcome. How else could such sensitive and distressing details be just faxed out of the building without diligence?

      So when I say 'at last', it's because I have been shouting at people on this topic for as long as I can remember. It's been discussed, argued over, regulation put in place, legislated for, and STILL people didn't take the topic seriously. 'At last' is because someone will take an almighty... telling off for costing the Authority £100k and being the first Local Authority in the UK to get fined, with the attached stigma. As I pointed out in my subsequent blog entry, nobody puts up with health and safety breaches any more. This topic requires a culture change, and a few more fines will help get the topic on the agenda and make change finally, FINALLY happen.

      Thanks

      Graeme
