An incident is not a breach (and vice versa)

“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns. There are things we don’t know we don’t know.”

Donald Rumsfeld gets a lot of flak, much of it deserved. However, this quote is often cited as an example of ponderous waffle, despite the fact that it clearly encapsulates a useful idea. You don’t know the full extent of your own ignorance, and that can be a big risk.

David Smith, one of the two Deputy Information Commissioners (the other is his non-identical twin brother Graham*), recently made some comments to Public Finance magazine in which he opined that ‘It appears that local government hasn’t attached the same degree of seriousness to addressing the security of personal information [as other parts of the public sector].’ Certainly, if you believe the evidence of the Information Commissioner’s own Civil Monetary Penalties, Mr Smith is quite right. Of the fourteen CMPs issued so far, only two have been for the private sector and one for the police; the other eleven are all councils, and in the main, council social care departments. “That the majority of fines issued so far have been levied on local government showed it was a ‘serious problem’, Smith said.” Are we saying that the rest of the world has no problems at all with data security? This is marvellous news, especially as Smith was telling us in 2010 that the NHS was responsible for a third of all ‘data breaches’.

Obviously, the ICO should deal with data security breaches (‘data breach’ is a meaningless phrase) firmly and unsentimentally. I was one of the people who said that they lacked the guts to fine anyone for anything, and I am happy to be proved emphatically wrong. However, Smith’s scapegoating of local government as a whole (something he and others previously did to the NHS) is unfair and unwise. Where is the evidence that their action is representative of the problem?

This verdict on councils is based on reported incidents. If the ICO thinks they’re told about all data security incidents that happen in the UK, they’re wrong. I worked for an organisation that had a major security breach when a laptop was stolen. We reported it. While being mildly roasted by the press and given a nasty suck by the watchdog (these were the halcyon pre-CMP days), I was contacted for advice by lawyers and DP officers in a dozen organisations, all with similar incidents to deal with. Even back then, when the ICO favoured name-and-shame undertakings over Enforcement Notices, several of them gambled on keeping quiet and seeing if the ICO found out. They didn’t. There were, in Rumsfeld terms, many unknown unknowns.

Even before the consequence of a security breach was a £100000+ Civil Monetary Penalty, incidents were covered up for fear of the bad publicity. Reader, this still happens. I’ve never worked in an organisation that had more people working on DP compliance than on PR. Anyone who thinks that incidents are more likely to be reported in these times of CMPs and austerity-choked budgets should be kept away from scissors, never mind enforcement powers.

Correspondence sent to the wrong place will inevitably be reported because the recipient knows what has happened and has nothing to lose in reporting it. In the incident I worked on, had we pretended that the laptop in question was encrypted, or had no personal data on it, nobody would have known, least of all the ICO. While the introduction of CMPs has raised the stakes, any organisation could be forgiven for doing a risk assessment – risk of being found out vs. cost of CMP and bad publicity. I hear that the ICO says that not reporting is an aggravating factor in the scale of the CMP – but how are they going to find out if the data controller doesn’t own up, especially if the incident is a theft? Do they get many breach notifications from burglars and opportunist thieves?

And there’s even more to think about. The ICO’s CMPs are not issued because of incidents. The theft of a laptop is a criminal act by a third party; the sending of an email or fax to the wrong destination is a mistake made by one person. If you read the CMP notices (and I recommend that you do), you see that they are issued because of structural failings in the Data Protection framework for each organisation. Data Controllers get a penalty because people who handle personal data routinely were not trained; procedures were unclear or not properly communicated; adequate security measures – e.g. encryption, proper contracts – were not put in place. The incident is evidence of the breach, but there are dozens of incidents that result in no further action because adequate measures are in place. The DP measures are the key.

All of the CMP recipients breached the DPA by not taking appropriate measures, especially if you include training staff as an essential measure. Obviously, I think it is, but more importantly the ICO does too. However, the CMP recipients are also unlucky because they had an incident. Thousands of Data Controllers have the same DP problems and are just fortunate one of their twerps hasn’t sent post or email to the wrong place.

Allow me to develop this a little: answer the following questions about the organisation you work for (in your head will do):

  • Do you have clear policies and procedures covering the safe and secure handling of all your personal data in and out of the office?
  • Have these been communicated to all staff, and can you prove that they have read and understood them?
  • Have you implemented all of these policies?
  • Do you check that all necessary measures are being carried out?
  • Have you trained all staff who handle personal data?
  • Do you take action when your policies are breached?

If you answered no to any of the questions, you’re in CMP territory. All it takes is an incident. How did your employer do?

The ICO’s approach is logical – if your bad practice leads to a serious incident, that’s when the CMP is justified. Many organisations sort out DP proactively, because it’s the right thing to do, or because they’d prefer to spend money on prevention than reaction. However, we all know of organisations that routinely make a mess of security, privacy and Data Protection – look at this from yesterday. How the ICO can take action against organisations with less visible but still shoddy practice is a hard question to answer. Data controllers who don’t meekly report their failings, or who get lawyered-up and put up a fight are probably a nightmare to deal with, but that’s what the ICO should be talking about. There are two huge unknown unknowns – the number of organisations with unreported incidents, and the number of organisations with terrible practice but no incidents. The ICO should not ignore these in favour of bashing the sectors that it does know about.

I’m biased. I enjoyed working for councils and I enjoy working with them now. And I don’t think the ICO does anything as well as it could or should – many disagree with my negative take. But unless David Smith has concrete evidence that there are underlying structural problems in local government that aren’t present elsewhere, his comments are a bit rentaquote. Is the ICO really certain that they’re not just taking action against the known knowns? Moreover, do David Smith’s comments risk making many other sectors feel complacent that because they’re not losing stuff, everything is fine? Compliance is the presence of a proper DP framework, not the absence of incidents. That’s a crap headline, but it’s the only message that the ICO should be giving out.

* Graham Smith and David Smith are not non-identical twin brothers.
