ICO fines council £120,000 for crypto email fail
Take the money out of the bins budget
Stoke-on-Trent City Council has been fined £120,000 for failing to use proper cryptography, resulting in the details of a child-protection case being shared with the wrong people.
Last December a solicitor involved in a child-protection case sent 11 e-mails relating to the case to the wrong email address, a simple typo meaning that messages intended for the council were sent to a random member of the public. If they'd been encrypted, then that would have resulted in a confused recipient and no more – but they weren't and that's led to the £120,000 fine imposed by the Information Commissioner's Office.
The investigation found that the council already had guidelines in place which require the use of cryptography, and that the solicitor was in breach of those guidelines, but given the Council's own legal department had neither the skills nor the software to decrypt messages it was still fault.
The ICO was also upset as it had already raised the issue in 2010, when the same council lost a memory stick containing unencrypted data about another childcare case. Following that case, the council promised to try much harder in future, but it seems that the effort stalled once the guidelines had been written.
The case presents an interesting example of how important encrypted email is, even if there's no deliberate attacker trying to intercept messages. Privacy advocates have long argued that routine encryption of all messages would be to the benefit of all, comparing our existing email systems to a postal service comprised entirely of postcards, but lack (or proliferation) of standards and the desire for simplicity has stymied any such development. ®