Tuesday, October 29, 2013

What is the government doing to protect my data? Recent ICO fine is a wake-up call for us all

Daniel Hoy
UK Marketing Manager
Egress Software Technologies Ltd.
Last week, the latest Information Commissioner’s Office (ICO) fine hit the headlines – and for those of you who don’t follow the data security news as closely as I do, it was a big one! The Ministry of Justice, no less, was fined £140,000 due to a serious data breach that saw the details of prisoners at Cardiff Prison (all 1,182 of them) emailed incorrectly to three of the inmates’ families. The details included names, ethnicity, addresses and release dates – and as an internal investigation discovered, the same mistake had been made twice previously.

So concerned was the prison that it sent a member of staff, accompanied by the police, to the homes of each recipient to ensure the information had been properly deleted.

In isolation this story is worrying enough, but when you visit the ICO news pages you realise that this is just one of many similar incidents across the Public Sector, involving everyone from NHS trusts all the way to local authorities. This raises the following questions:

  1. What steps are being taken to protect data shared outside of government networks in order to prevent these breaches?  
  2. Is the government really protecting me and my data?

Facilitating the information security debate

Egress Software Technologies recently hosted an IL3 Certification Briefing in the Tower of London, partly to raise awareness of our status as the only UK Government CPA Foundation Grade certified email encryption product, but also to facilitate debate between government departments on the topic of secure data exchange.

Having attended the event, there is no doubting the appetite from within government to resolve the issue of how to share sensitive information with third parties that sit outside existing accredited networks, such as GCSX, NHSmail and CJSM.

Egress Switch offers part of the solution, as a spokesperson from CESG explained: “Egress’ innovative technology and commitment to demonstrating that it meets CESG’s standards means that the end-user has confidence that they are selecting an email encryption product that has been approved by CESG and is capable of protecting their organisation and the data they share from external threats.”

No easy answer

But the debate runs deeper than simply which email encryption solution to invest in. What became apparent when CESG representatives Geoff Eden (Deputy Technical Director) and Jon Lawrence (Technical Director) presented on the new Cabinet Office Classification Scheme and the CPA landscape was the confusion and misunderstanding that seemed to exist amongst the audience when it comes to sharing information outside of government. My colleague Tony Pepper presented on this topic at Infosecurity Europe 2013 in April, and again the feedback and questions posed were very similar.

Education, therefore, clearly has a part to play in this debate. Only when you combine effective technology solutions with end-user understanding of the steps needed to protect sensitive information can you truly ensure you have a comprehensive data protection policy in place.

At Egress, we feel our technology offers this platform; working alongside CESG and other government bodies, the educational piece now needs to follow!
