Friday, 29 January 2010

Ponemon's back

The Ponemon Institute has published the 2009 instalment of its UK Annual Study: Cost of a Data Breach (a US version is also available). So what has changed since last year?

Well, there has been a general decline of late in media interest in, and exposure of, data breaches, so does this have an impact on the cost of losing data? The answer is a resounding "no". Although the average institutional cost of a data breach decreased by nearly 3% over 2009, the average cost per compromised record rose 7% to £64. The costs of detection, escalation and notification, however, have generally decreased.

More notably, the study records, for the first time, a decrease in lost business as a result of a data breach. This can be partly explained by the increase in government organisations taking part in the study, as the cost of lost business for the public sector is much lower than for the private sector - which could be attributed to a lack of competition. One might also be tempted to proffer the view that the public became somewhat desensitised to data loss during the last couple of years. Countering this, however, is the fact that lost business still remains the largest cost component, with an average of 4% churn, so consumers are still concerned about the impact of a data breach on them.

Breaking down the cost of a data breach by sector - transportation, financial and communications have the highest cost of a data breach, whereas government and retailers have a lower cost of breach overall. Contrast this with last year's position where education, communications and consumer had the highest cost.

A general warning to businesses engaged in or thinking of outsourcing - 36% of all cases in the study involved third-party mistakes, which are more costly, especially when the third party is offshore. The cost per compromised record for data breaches involving third parties was £81 compared with £55 for those that did not.

Another interesting statistic is that data breaches experienced for the first time by a company are more expensive than those suffered by companies which have previously experienced a breach. The first-time cost is £68 per record versus £61 for 'repeat offenders'. This is a good reminder that having the right policies and staff in place to deal with personal data, and with a data breach when it happens, is generally a sound investment of time and money. This is borne out by the recorded average cost per compromised record of £59 for organisations which had a Chief Information Security Officer or equivalent to manage the fallout from the breach, as opposed to £67 per record for those that did not.

You can read more interesting findings from the study (and the US equivalent) by downloading the report here.

A birthday present for EU data protection?

Datonomy readers could be forgiven for having missed the fact that yesterday was the EU's 4th annual "Data Protection Day" - especially since Datonomy itself is a day late!

To mark the occasion, the EU's Commissioner for Media and Information Society, Viviane Reding, promised the world of data protection a very special birthday treat - namely, the much-awaited reform of the 1995 EU Data Protection Directive. In a press release the Commissioner emphasised the need for data protection rules to keep up with the challenges of new technology in the decade ahead. The privacy challenges posed by social networking and online behavioural advertising got a specific mention. The press release recaps the Commission's privacy-related achievements during 2009, but is disappointingly light on the detail of the promised reforms to come.

During the second half of last year, as reported on Datonomy, the Commission conducted an online consultation seeking views on reform of the Directive. Certain aspects of telecoms and internet-related privacy have already been strengthened in the recently-adopted Telecoms Package. So it will be interesting to see what concrete proposals the Commission has for refreshing the legislation. One specific measure already alluded to in the Telecoms Package is a widening of the breach notification obligations, as a matter of priority, to all organisations regardless of sector. Let's hope this birthday present lives up to its promise!

Happy (belated) Data Protection Day!

Wednesday, 27 January 2010

Charities and Data Protection Notification

Datonomite Rosie recently became a trustee of a wonderful little charity called Livlife. In the process of taking up her new role as trustee, she has been learning all about the world of data protection and the way in which it relates to charities. It is a little known fact that not all organisations are required to notify under the Data Protection Act. Charities (and other not-for-profit organisations) are one of the main exceptions.

The key factors in determining whether or not a charity is required to notify are these:
(i) Do the charity's objects state that it is "not for profit"?
(ii) Is the information collected in order to further the charity's objectives?
(iii) Is the collected information kept within those objectives and not passed outside them?
(iv) Does the charity have regular contact with its clientele?
If the answer to all of the above is "yes", then the charity does not have to notify the ICO. Even if the answer is "no", the more standard notification exemption may apply (i.e. the exemption for core business processes such as staff administration, advertising, marketing and PR, and accounts and record keeping).

Since saving even the £35 notification fee will make a difference to a charity, Datonomy praises this wonderful exemption.

You can find out more information on notification via the ICO website here.

Sunday, 24 January 2010

Inside Out: Cultural Reflections on Freedom of Information and Data Protection.

FoI and Data Protection have separate and disparate origins, but both have emerged into a culture which in some respects subdues or subverts the effects they were intended to achieve.

FoI has its origins in Constitutional Reform, and was implemented in some countries well before the UK. Open Government is the objective, and better government because more open. Transparency is all. But in spite of the big objectives, in many ways the general culture was there much earlier. In the UK, FoI was behind the cultural times rather than in front of them.

Postmodern culture, the dominant cultural movement of the second part of the 20th century, is essentially about transparency and democratic openness. Take the Centre Pompidou, where the insides are on the outside, as a presiding motif. Take with it the playful rejection of seriousness, of the idea that there is a big truth somewhere, some revelatory set of facts.

FoI has delivered transparency of a kind, but it has not delivered a revelation, and there are reasons for that - but not the government's game playing on the exemptions or the congestion of the system. It, the revelation, the big truth, simply isn't there, under any circumstances. The Iraq Inquiry is a memorial to the same expectations, which will not materialise. When Tony Blair appears next Friday, the second coming – or is it the third? – will not take place. Postmodernism is right about that.

Data protection, on the other hand, has been subverted by the culture of transparency and democratic access, largely because there is nothing left inside to be kept private any longer, or not much. Why, then, are people still concerned about their personal data? What has happened, I think, is that the digital world now provides a complete environment for personal data quite independent of any privacy concerns, or at least concerns based on claims about the private self.

Personal data has a financial value, it can be physically lost, it can be thought of as social capital, it can amount to a proxy self in a digital society, and it can be all of these things with consequent legitimate concerns without it having much to do with the private self.

Which means we should catch up culturally, and not use privacy talk to discuss those concerns.

Wednesday, 20 January 2010

Blow that whistle ... carefully!

Reporting your company or fellow employees is not a topic that is often discussed in polite circles. Someone who takes what they believe to be a moral stand and reports suspicious behaviour can be seen as disgruntled or stirring up trouble or, to put it another way, as a "snitch". Sadly, outside the Harry Potter context, a snitch is not generally seen as a positive descriptor and, like the golden snitch, the reporting of another's behaviour may result more in a chase to catch the person who has reported a problem than to rectify the problem itself.

However, whistleblowing can be vital for companies in understanding where internal problems may lie and in avoiding potentially costly litigation or bad publicity as a result of the actions of a few individuals. Datonomy provides the following information for the benefit of the whistleblower, the whistleblowee (the person reported) and the recipient of the sound of the blown whistle (the employer). As always, comments -- and any (anonymous) examples from personal experience -- are extremely welcome.

What is whistleblowing?

Whistleblowing is, broadly speaking, where employees report unlawful or unethical conduct within their organisation. Many jurisdictions, including the UK, have specific statutory protection for employees who report such conduct, either using the organisation's internal reporting procedures or through an external regulatory body. Companies are under an obligation not to obstruct employees from reporting misconduct and to ensure that such reporting is reliable.

How to blow the whistle in the UK

Employees in the UK are afforded protection for whistleblowing under the Public Interest Disclosure Act 1998 (PIDA). Since PIDA does not offer absolute protection, employees must ensure that they comply with the procedures set out in PIDA if they choose to blow the whistle.
To be protected, a disclosure must qualify as such and relate to one of the following failures:

(i) a criminal offence;

(ii) the breach of a legal obligation;

(iii) a miscarriage of justice;

(iv) a danger to any individual's health or safety;

(v) damage to the environment; and

(vi) deliberately covering up information in relation to (i) to (v).

The relevant failure can have occurred outside the UK and it does not matter if non-UK law applies to the failure in question. There are no specific restrictions on the subject matter of the disclosure, so long as it qualifies under one of the above headings.

Disclosures are only protected if they are made to an appropriate party. Whistleblowers are protected if they make disclosures in good faith (i) to their employer either directly or via an internal procedure, or (ii) to another person whom they reasonably believe to be solely or mainly responsible for the failure which is the subject of the disclosure.

Whistleblowers may also make disclosures to a regulatory body prescribed by the Secretary of State; however, in order to obtain protection they must satisfy the higher test of reasonably believing that the information disclosed is substantially true and that it points to one or more of the relevant failures. A whistleblower's belief does not need to be correct as long as it is honestly held. Anonymous reporting is permitted, provided that its use is proportionate.

Exclusions

Certain types of disclosure are excluded, for instance, disclosures subject to legal professional privilege or those which are prohibited under the Official Secrets Act.

How is the whistleblower protected?

Employees who make "protected disclosures" under PIDA can claim unfair dismissal if their contracts are terminated because of the disclosures. They are also protected from any other detriment which may result, including barriers to promotion or a failure to provide training opportunities. The "other detriment" protection is not limited to employees, so a worker who is not an employee of the company (e.g. someone supplied by an agency) can still claim for it.

An individual who is dismissed or suffers detriment can bring a claim before an employment tribunal. There is usually a three month limitation period within which to bring an unfair dismissal claim.

Whistleblowing and Data Protection Compliance

The ICO has not issued any guidance in relation to whistleblowing. Employers must however ensure that they comply with their data protection obligations when they receive complaints containing personal data. Employers are not required to set up a special procedure for handling whistleblowing complaints and individuals do not have to make a disclosure via a grievance procedure. Employers should notify employees about how they will process personal data received in connection with whistleblowing complaints.

A person accused by a whistleblower has a right of access to the whistleblowing report in order to have inaccurate data corrected or deleted. Retention of data relating to whistleblowing complaints must be proportionate to the purpose for which the data was collected.

Cross-jurisdictional whistleblowing

Many companies operate in a number of jurisdictions, and the interplay between the duty to provide certain fixed whistleblowing procedures (which may extend to all jurisdictions in which a company is based) and local data protection laws can be uncomfortable. Multinational companies should review the legal position relating to whistleblowing and associated issues in other jurisdictions.

This datonomite firmly believes in the importance of individuals being able to raise their concerns about the ethical conduct of their organisation without fear of recrimination and hopes that many of her readers will consider how whistleblowing could ultimately benefit their organisation.

Written by Rosie; posted by Jeremy

Monday, 18 January 2010

Monetary penalties: ICO publishes guidance; fines go live 6 April

The ICO has confirmed that new powers to impose fines of up to £500,000 for serious breaches of the DPA will come into force on 6 April. And the Commissioner has said he will not hesitate to use them for the most serious cases. Responsible data controllers who follow good data protection practice should have nothing to fear, however. The Commissioner's Office has published statutory guidance explaining how it will use its new powers, and how to stay out of trouble!
The new powers are to be found in the recently added section 55A of the DPA (introduced by section 144 of the Criminal Justice and Immigration Act 2008) and will apply to serious breaches of the Act which are likely to cause substantial damage or distress, and which are committed deliberately or recklessly.
As well as explaining the procedural aspects of the new sanction, the guidance includes a section on the circumstances in which the Commissioner would consider it appropriate to issue a monetary penalty notice (for example, in the topical context of security breaches). This incorporates practical illustrations of each of the key elements of the section 55A test. There is also guidance on the factors the ICO will take into account when determining the amount of the penalty.
For responsible data controllers, the guidance is in effect a handy checklist of all the good practice measures to have in place to avoid incurring a fine.
(Datonomy is pleased to see its earlier prediction (about the go live date for the fines) confirmed – although given that 6 April is one of the Government's twice yearly "red tape" days, that bit wasn't exactly rocket science!)

Friday, 15 January 2010

The ideal credit search system: the search continues

In the UK the House of Commons Treasury Committee has reported the findings of its recent inquiry into the adverse effect of consumer credit searches. These include recommendations which, if implemented, could significantly change the way lenders conduct credit searches on potential borrowers.

The Committee's inquiry into credit searches originated from fears that consumers, by shopping around for credit (especially unsecured credit), were unknowingly building up credit application searches on their credit reference files, making it harder for them to obtain further credit. The inquiry, which is part of a wider review of the impact of the banking crisis on the consumer, seeks to balance (i) the public interest in preventing fraud and protecting consumers from reckless lending with (ii) the need to "ensure that the market is subject to the disciplines of informed consumer choice". The report states that the Committee had not been presented with unequivocal evidence that application search data is necessary for loan providers, given that, on their own admission, providers use over 400 indicators.

Representatives of a range of interested parties submitted evidence. These included the British Bankers' Association, the Finance and Leasing Association, credit reference agencies and the Information Commissioner's Office (ICO).

The Treasury Committee's biggest concern was the effect of the use of credit searches on market mechanisms, given that the ability of consumers to shop around is an important means for assessing the market (a "key discipline on providers"). The OFT is now asked to examine this area.

A number of other recommendations focused on data protection concerns:
• in light of evidence of inaccuracies on consumers' credit records, the ICO should consider whether further assurances should be sought that data quality and data correction systems at credit reference agencies comply with the Data Protection Act (potentially by means of an independent audit);
• the ICO should also consider whether it is fair that credit reference files contain details of consumer application searches made when the files were demonstrably incorrect;
• the ICO and the OFT should consider whether the £2 fee required for a consumer to receive his or her statutory credit file should be scrapped in order to increase take-up;
• the Committee noted that the evidence suggested that the usefulness of application credit search information diminishes with time, and recommended that the ICO examine whether the current 12 month period for storing search data conforms with the principle that information must not be kept longer than necessary;
• the ICO should examine whether a cut-off point exists beyond which the impact of search data on consumers' risk profiles is so weak that storing it would be unfair, and should examine the information presented in statutory credit reports and provide guidance on how best to ensure that such information is understood by consumers.
The Report concluded that various methods should be considered for reducing the adverse effects of the use of credit application search data in credit reference files, saying that the OFT should examine this area in its wider assessment of the credit market. There was some evidence of the industry itself developing solutions to the problem, for example a system developed by Confused.com which reduced the number of searches on consumers' credit reference files by educating consumers on the credit options most appropriate to them. The Report welcomed such developments and urged industry participants to examine such systems and to share good practice where possible.

Also, the OFT is to release guidance this month on irresponsible lending, which will refer to the need for lenders to undertake a credit reference search.

The Report, including the evidence, can be viewed here.

Written by Peter Clyde, posted by Jeremy

Thursday, 14 January 2010

TACHOnet to foil drivers with dual identities

The Commission Recommendation of 13 January 2010 on the secure exchange of electronic data between Member States to check the uniqueness of the driver cards that they issue was published this morning on the website of the Official Journal of the European Union. The object of this Recommendation is the TACHOnet messaging system, which enables information relating to long-distance drivers to be shared between Member States via the digital tachograph system, under which each driver is allocated a driver card. According to the recitals to the Recommendation,
"(6) It is desirable that issuing authorities have effective processes and procedures in place to properly manage data about the issuance of tachograph cards in general, and driver cards in particular.
(7) Member State issuing authorities should be able to check quickly, and reliably exchange, information about issued driver cards, and thereby prevent drivers being in possession of more than one valid driver card.
(8) It should be possible for the responsible national authorities to verify during road side checks whether a driver is in possession of a driver card and to check the validity status of a given driver card".
Enthusiasts can read about the data protection aspects of TACHOnet here.

Tuesday, 12 January 2010

We Know Where You Live: Privacy Implications of Location-Based Services


"Rafa Benitez has this morning explained why he continues to play the rotation system. He says it’s to the keep the burglars guessing who’s at home or who’s in the team." Anon.

The ability to know where someone is at all times, or to make your own whereabouts publicly known via a social network is fraught with potential privacy issues.

This blog entry discusses how the explosive growth of geo-location data and associated services, powered by the widespread integration of GPS technology into mobile phones, raises privacy issues including anonymisation, consent and data sharing. The full article on which this entry is based is available to PLC subscribers here.

What do we mean by geo-location data services? These can be anything from the Tom-Tom GPS app on your mobile phone to specific services such as Whrrl and Google Latitude which allow users to broadcast their current location to online networks from their mobile phones. There has also been talk that the government is looking to utilise this technology to impose road charges on users based on their exact journeys in an effort to ease congestion.

So what are the issues with geo-location? There is the obvious potential for both stalking and burglary if a user's exact location can be ascertained. As a case in point, and to explain the opening quote further, the homes of Liverpool football players were burgled so often while they were playing away matches in the Champions League that one bookmaker, admittedly in rather poor taste, even decided to open a book on the next Liverpool player to be burgled whilst playing. Research has also shown that, even if a user takes steps to anonymise their location data, it is relatively simple to reverse engineer that data and combine it with publicly available information in order to identify individual users.
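To make the re-identification point concrete, here is an added example (not from the original post or the PLC article) of the kind of inference the research describes. A service publishes a location trace under a random device token instead of a name; the trace's night-time fixes cluster at one place, which is almost always the owner's home; and a home address joined against any public address list (electoral roll, phone book) gives a name. The trace, the token, the directory entries and the coordinates are all constructed for this example; the grid size, the 22:00 to 06:00 "night" window and the matching tolerance are assumptions chosen for illustration.

```python
"""Re-identifying a pseudonymised GPS trace from its night-time fixes.

Added example, not part of the original post. All data is constructed.
"""
from collections import Counter
from datetime import datetime
import math

# Constructed trace: (pseudonymous device token, ISO timestamp, lat, lon).
# The token stands in for the user's name, as a "privacy-preserving" feed might do.
TRACE = [
    ("dev-7f3a", "2010-01-11T02:10:00", 51.50140, -0.14190),  # night
    ("dev-7f3a", "2010-01-11T09:30:00", 51.51510, -0.14200),  # daytime, office
    ("dev-7f3a", "2010-01-11T13:05:00", 51.51400, -0.13000),  # daytime, lunch
    ("dev-7f3a", "2010-01-11T23:40:00", 51.50148, -0.14180),  # night
    ("dev-7f3a", "2010-01-12T03:20:00", 51.50135, -0.14195),  # night
    ("dev-7f3a", "2010-01-12T10:00:00", 51.51505, -0.14210),  # daytime, office
    ("dev-7f3a", "2010-01-12T22:55:00", 51.50145, -0.14185),  # night
]

# Constructed stand-in for a public address list: (name, address, lat, lon).
DIRECTORY = [
    ("A. Example", "1 Constructed Row", 51.50142, -0.14188),
    ("B. Example", "9 Made-up Street", 51.51508, -0.14205),
    ("C. Example", "4 Invented Lane", 51.52000, -0.10000),
]


def is_night(timestamp):
    """Assumed sleeping window: 22:00 to 06:00 local time."""
    hour = datetime.fromisoformat(timestamp).hour
    return hour >= 22 or hour < 6


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def coarsen(trace, decimals):
    """Simulate a naive 'anonymisation': truncate coordinates (3 decimals ~ 100 m)."""
    return [(tok, ts, round(lat, decimals), round(lon, decimals)) for tok, ts, lat, lon in trace]


def infer_home(trace, token, cell_deg=0.0005):
    """Snap night fixes to a ~50 m grid; the centroid of the busiest cell is 'home'."""
    night = [(lat, lon) for tok, ts, lat, lon in trace if tok == token and is_night(ts)]
    if not night:
        return None
    key = lambda p: (round(p[0] / cell_deg), round(p[1] / cell_deg))
    busiest, _ = Counter(key(p) for p in night).most_common(1)[0]
    members = [p for p in night if key(p) == busiest]
    return (sum(p[0] for p in members) / len(members),
            sum(p[1] for p in members) / len(members))


def reidentify(trace, token, directory, max_m=30.0):
    """Return the unique directory name within max_m of the inferred home, else None.

    Returning None when several addresses fall inside the tolerance is what makes
    the link honest: density of the directory, not the trace, bounds the attack.
    """
    home = infer_home(trace, token)
    if home is None:
        return None
    candidates = [name for name, _addr, lat, lon in directory
                  if haversine_m(home[0], home[1], lat, lon) <= max_m]
    return candidates[0] if len(candidates) == 1 else None


if __name__ == "__main__":
    print("raw trace     ->", reidentify(TRACE, "dev-7f3a", DIRECTORY))
    print("coarsened 100m->", reidentify(coarsen(TRACE, 3), "dev-7f3a", DIRECTORY, max_m=100.0))
```

Coarsening the coordinates to about 100 m does not defeat the join; it only widens the tolerance the attacker needs, and in a suburban street one address per 100 m is still unique. What does defeat it is not publishing the night-time fixes at all, or aggregating many users before release, which is the substance of the "anonymisation" point the research makes.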

Despite the potential privacy issues, there is no doubt that geo-location services could be an enormously useful tool – for example to enable employers to identify the whereabouts of their employees who are based in the field.

What should be done? Datonomy agrees with the PLC article that two things should happen to reduce the privacy issues with geo-location services. Firstly, service providers should be proactive about educating users on the privacy risks of using geo-location services. Although this may sound counter-intuitive from the business's perspective, by making customers aware of the risks from the outset and by allowing users to adapt their privacy settings to suit their personal preferences, the business will build customer confidence in the service being provided. For services of this nature the main risks should be presented in short, easily digestible bites rather than buried in a lengthy privacy policy which, frankly, most users never read.

Secondly, if the geo-location industry wants self-regulation rather than more legislation, it will need to be proactive about establishing a code of practice setting sensible standards for the handling of users' personal data, perhaps supported by a new industry body created with the aim of promoting the safe and sensible use of geo-location services.

NOTE: This blog is a summary of a PLC article. The full article is available on PLC and, if you are a paid subscriber of PLC, can be accessed here.

Thursday, 7 January 2010

The London Datastore: potential problems?

The Guardian reports that the Mayor of London, Boris Johnson, is today launching the London Datastore, a website hosting hundreds of sets of data, including previously unreleased information, about the capital, as part of a new scheme intended to encourage people to create "mashups" of data to boost the city's transparency and accountability.

The London Datastore will be fully open from 29 January. The UK government is reportedly working on a similar site, data.gov.uk, which is also expected to be unveiled this month under the auspices of Tim Berners-Lee. Says the article:
Johnson has been a strong advocate of open data, having campaigned in 2008 on the promise that he would introduce crime maps, despite misgivings of some senior police officers. The Metropolitan Police did however quickly implement crime mapping in London, following the lead that had already been set by a number of other police forces around the country.

In a statement, Johnson said: "... I firmly believe that access to information should not just be the preserve of institutions and a limited elite. Data belongs to the people, particularly that held by the public sector, and getting hold of it should not involve a complex routine of jumping through a series of ever decreasing hoops ..."

The datasets that will be available include attainment, pupil number and schools data; fire incidents, ambulance rates, crime rates; carbon emissions, floorspace, vacant commercial offices, industrial stock data, abandoned vehicles, recycling rates, waste data, waste re-use centres, fly tipping rates, alcohol indicators, abortion rates, hospital waiting lists and admissions, excess winter deaths - and many dozens more.
Datonomy looks forward to learning about the London Datastore's data protection policy, particularly with respect to any data which is generated by bodies over which London's governance has no immediate and direct control.

Wednesday, 6 January 2010

Scanners "a virtual strip search" -- and no code of conduct yet

Writing yesterday in ComputerWeekly.com ("Department of Transport works on body scan code of practice"), Ian Grant reported on the lack of current government plans to store body scans of air passengers, in the wake of concerns that processing and storing images could breach the privacy of individuals. The Department of Transport is quoted as saying that all images will be deleted as soon as each subject is cleared for take-off, and the department is developing a code of practice for airport operators so as to ensure passenger privacy.

Over in the USA the American Civil Liberties Union claims that the black and white scans "amount to a virtual strip search", since they reveal, among other things, the subject's genitalia and any implants. Says the UK's Department of Transport:
"There are obviously privacy issues related to the use of the scanners. One of the items in the code would be to block the person reading the scan from seeing the person being scanned during the operation".
Datonomy wonders how long it will be before plans to delete images of safe passengers are jettisoned since the comparison of 'before' and 'after' scans of individuals might reveal grounds for raising a fresh suspicion or confirming a previously-held one.

Thursday, 24 December 2009

Another data protection breach - 2009 ends in the same way it began!

During the Christmas period most people invariably experience the sensation that, with hindsight, their credit cards have been exposed a little too much for their liking. According to a report in the Lancashire Evening Post this week (click here), consumers who use MBNA credit cards may have another reason to worry about their cards, aside from the usual fears about excessive Christmas spending. The personal details of thousands of MBNA customers have apparently fallen into criminal hands after a Preston-based contractor of MBNA had a laptop stolen with unencrypted cardholder data stored on the machine.

The company confirmed that customer information had been "compromised" at one of its vendors earlier this month but claimed that the stolen information did not contain any PINs. Despite this, the fear is that criminals could use the data for identity theft, which is the prime reason why MBNA has offered affected customers a year's free access to Experian's "CreditExpert" credit monitoring service, which monitors credit files for signs of fraudulent activity and aims to prevent and address identity fraud.

As 2009 draws to a close Datonomy can't help but reflect on the fact that it is again reporting on the news of another data protection breach, a topic that has been much discussed over the past year. Indeed, we first posted on the issue during the first week of January 2009, when we reported on the Welsh Assembly's admission that it had recorded 16 data-sensitive documents lost or stolen in the preceding three years (click here).

With the Ministry of Justice's current public consultation on the introduction of stricter penalties on data protection offences closing in January next year, Datonomy wonders whether 2010 will prove to be a year for greater personal data security.

Merry Christmas and a Happy New Year to all our readers!

Written by Greg; posted by Jeremy