Feeds

Controlling the fallout of a data loss

Being proactive saves face

SANS - Survey on application security programs

If readers want to examine an interesting example of how to manage a data loss, have a look at what happened at the London Borough of Barnet. A data loss involving 9,000 children followed a burglary of the home of a member of staff. The loss included the council’s computer equipment (a laptop), CD Roms and memory sticks, along with other items from the house.

Like most organisations, the council had implemented procedures and policies to ensure that the personal data on the computer equipment and related portable media were encrypted. Unfortunately, in this case, there were unencrypted personal data stored on CDs and memory sticks which were stolen with the laptop. As there had been a clear breach of council policies, the member of staff concerned was suspended and data subjects (or in this case, the parents of data subjects) were contacted by a letter. So what is new in this?

Well, I think the new item is the public relations handling of data subjects (and parents). I think the council formed the view that having reported the data loss to the parents (and presumably the ICO), an undertaking from the ICO would be a likely end-point of the process. Given this, it followed that the ICO’s publicity machine would be very likely to issue its usual press statement concerning details of the council’s undertaking (if there were to be one).

So instead of waiting for the inevitable, LB Barnet took the initiative. It published full details of the data loss on its website, invited data subjects to ask questions or exercise their right of access, gave details of what it was doing to remedy the situation and provided contact details for those who had questions. The letter to the parents of data subjects and the content of the website pages were either signed by the chief exec or approved by him.

In this way, the council managed the bad news instead of the ICO managing it through his usual press release that accompanies an undertaking. This means that if there were to be an undertaking and if the ICO were to issue a press release, then the subject is “old news”. In fact, is there a need for an undertaking if the chief exec has publicly committed himself to do the things that the undertaking would require of him?

It will be interesting to see how this pans out in practice. However, consideration of seizing the news agenda when there is a data loss is something that data controllers can do. In addition, one can always follow the government’s example of identifying “a very good day to bury bad news”. Issuing press releases at 4:00pm on a Friday or the day before a bank holiday is usually a good time for a press release to be missed.

Originally published on Hawktalk, the blog of Amberhawk Training Ltd.

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.