Feeds

Controlling the fallout of a data loss

Being proactive saves face

Protecting against web application threats using SSL

If readers want to examine an interesting example of how to manage a data loss, have a look at what happened at the London Borough of Barnet. A data loss involving 9,000 children followed a burglary of the home of a member of staff. The loss included the council’s computer equipment (a laptop), CD Roms and memory sticks, along with other items from the house.

Like most organisations, the council had implemented procedures and policies to ensure that the personal data on the computer equipment and related portable media were encrypted. Unfortunately, in this case, there were unencrypted personal data stored on CDs and memory sticks which were stolen with the laptop. As there had been a clear breach of council policies, the member of staff concerned was suspended and data subjects (or in this case, the parents of data subjects) were contacted by a letter. So what is new in this?

Well, I think the new item is the public relations handling of data subjects (and parents). I think the council formed the view that having reported the data loss to the parents (and presumably the ICO), an undertaking from the ICO would be a likely end-point of the process. Given this, it followed that the ICO’s publicity machine would be very likely to issue its usual press statement concerning details of the council’s undertaking (if there were to be one).

So instead of waiting for the inevitable, LB Barnet took the initiative. It published full details of the data loss on its website, invited data subjects to ask questions or exercise their right of access, gave details of what it was doing to remedy the situation and provided contact details for those who had questions. The letter to the parents of data subjects and the content of the website pages were either signed by the chief exec or approved by him.

In this way, the council managed the bad news instead of the ICO managing it through his usual press release that accompanies an undertaking. This means that if there were to be an undertaking and if the ICO were to issue a press release, then the subject is “old news”. In fact, is there a need for an undertaking if the chief exec has publicly committed himself to do the things that the undertaking would require of him?

It will be interesting to see how this pans out in practice. However, consideration of seizing the news agenda when there is a data loss is something that data controllers can do. In addition, one can always follow the government’s example of identifying “a very good day to bury bad news”. Issuing press releases at 4:00pm on a Friday or the day before a bank holiday is usually a good time for a press release to be missed.

Originally published on Hawktalk, the blog of Amberhawk Training Ltd.

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.