See http://www.out-law.com/page-7778
"Humphries also said that the £980,000 fine was not just in relation to one
single laptop incident. "We went in and did an investigation and found wider
failings, and took action on the security systems and controls, which we
found were not up to scratch," he said."
If procedures were not sufficient, taking action against a single employee
would be scapegoating them rather than improving the company's procedures.
It would be easier to take action against the employee than to improve the
systems.
We don't know to what extent the employee was in breach of procedures.
According to the BBC:
"The FSA's investigation showed that the building society had not known that
the laptop contained any confidential customer information at all.
The laptop was stolen from the home of a long-standing and trusted employee
of the Nationwide who needed access to the data.
However, despite reporting the theft of the laptop promptly, he did not tell
his employer what was on it and then went on holiday abroad.
It was only three weeks later that he told the building society that
customer information had been lost, prompting its investigation.
"The failure to manage or monitor downloads of very large amounts of data
onto portable storage devices meant that Nationwide had limited control over
information held in this way or how it was used," said the FSA."
http://news.bbc.co.uk/1/hi/business/6360715.stm
With laptops and downloads, I imagine that this is a fairly wide problem.
Can someone tell us what precautions can be put into place to avoid this
kind of problem?
Nick Landau
----- Original Message -----
From: "Carter, Antoinette (MCS)" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Monday, February 19, 2007 2:29 PM
Subject: Re: [data-protection] FW: Personal data loss - One Million Pounds fine
What I find interesting is that there is no mention of whether the
person whose laptop was stolen was sacked/disciplined as a result of
this. A huge fine only addresses the problem at corporate level,
whereas sacking someone brings it home to a whole different set of
people (i.e. those who actually made the mistake).
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Nick Landau
Sent: 19 February 2007 10:56
To: [log in to unmask]
Subject: Re: [data-protection] FW: Personal data loss - One Million Pounds fine
See
http://www.cbronline.com/article_news.asp?guid=F3020E93-098D-462F-92C6-FFAFECE6F5CF
and http://news.bbc.co.uk/1/hi/programmes/moneybox/6371089.stm
The Moneybox site says:
"The Information Commissioner, the body which protects our data, let the
FSA take the lead in the investigation of what was almost certainly a
breach of the Data Protection rules.
Assistant Commissioner Phil Jones told Money Box: "It sends a very
important wake-up call particularly to banks and others in the financial
sector and to all organisations that hold personal information."
But he warned that customers could not use the Data Protection Act to
find out what data of theirs was on the laptop.
"The obligation is to tell you what information they hold," he said,
"but you and I don't have rights to require someone to tell us what data
is held in what particular kit in what particular place.
"The Data Protection Act does not require them to go into that sort of
details."
However, he confirmed the decision was up to Nationwide: "There is
nothing in the Data Protection Act that would stop them passing that
information on to customers who asked them."
Listeners contacted the programme because the company, and therefore the
customers, were having to pay the fine rather than the Directors.
Of course, as it is a building society and the customers are all
shareholders, they could presumably remove the shareholders or ask them
what steps they have taken to improve their information security at the
next AGM.
Nick Landau
----- Original Message -----
From: "Ian Welton" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Monday, February 19, 2007 10:54 AM
Subject: [data-protection] FW: Personal data loss - One Million Pounds fine
> As pointed out to me off-list this was the 'NATIONWIDE' building society
> involved and not as incorrectly stated in my original post.
>
> Ian W
>
> -----Original Message-----
> From: Ian Welton [mailto:[log in to unmask]]
> Sent: Saturday, February 17, 2007 12:20 PM
> To: [log in to unmask]
> Subject: Personal data loss - One Million Pounds fine
>
>
> I have been somewhat surprised this week not to see any discussion
> regarding the UK Financial Services Authority's fine on the Norwich Union
> building society of nearly 1 million pounds for the loss of a laptop during
> the burglary of a member of staff's house.
>
> With Chris Pounder and the ICO's office both appearing on the TV and in
> other media I had expected some discussion regarding Principle 7 and the
> potentials for avoiding such heavy fines by embedding effective access
> control and encryption requirements in robust security policies for all of
> those small mobile devices. Perhaps there is little perceived need to
> publicly increase appropriate knowledge of those issues as questions
> inevitably arise anyway.
>
> Home working anyone?
> Difficulties in justifying expenditure on improving old or non-existent
> security software?
>
> Whilst the ICO is frequently less than lukewarm in supporting DP measures
> which involve business costs, this type of fine should be most helpful in
> reducing competing expenditures into small bucks thereby assuring
> appropriate business protections can exist.
>
> Searching the Web for the UK will no doubt reveal many links to appropriate
> articles for those in the position of having to conduct a state of the art
> risk analysis following this business accident.
>
> Ian W
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at
> http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving messages please send to the
list
> owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your
> needs
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^