Lincolnshire poachers

Dark times in the Fens, as Lincolnshire County Council finds itself in the grip of diabolical cyber-blackmailers who demand £1,000,000 to release the local authority from the grip of a terrifying new strain of virus that has locked up all their files. As ever, it’s unwise to judge the outcome before all of the details are in, but Lincolnshire’s story has some interesting aspects. One element seems to go in Lincoln’s favour: this is “zero-day malware”, the first time that the particular infection has been detected. This obviously would make it harder to defend against, and in any case the Council is “confident it had appropriate security measures in place”.

The Council’s chief information officer Judith Hetherington-Smith reassured residents with the claim that they were “absolutely looking after their data and it hasn’t been compromised”. This implies that no personal data has been compromised, but this can’t be entirely squared with some of Hetherington-Smith’s other comments. For example: “Once we identified it we shut the network down, but some damage is always done before you get to that point – and some files have been locked by the software.” Right, so there’s some damage then? “A lot of the files will be available for us to restore from the back-up.” A lot of them but not all of them? What about the ones that aren’t available?

That back-up is interesting, in the light of the fact that “People can only use pens and paper, we’ve gone back a few years.” An inherent part of information security is business continuity, ensuring that even if something falls over, the place can keep running. I’m running a course this week for people responsible for risk-managing big information systems, and the client has specifically asked me to emphasise the need for business continuity to be built in. The whole point of this is not to be knocked back to the pen and paper age – I heard a report on Radio 4 that Lincolnshire’s social workers had not had access to systems for several days, which means those charged with protecting the most vulnerable in Lincolnshire don’t have access to information they need to do their job. If this information isn’t “compromised”, then I don’t know how else you would define it. It’s a catastrophe. Rather than attempting to reassure (I’m amazed that no-one has said that they take Data Protection very seriously), the council needs to explain why they are offline for days without a back-up that allows essential systems to keep running.

But the most interesting part of the story, and the element that is most crucial for deciding whether Lincolnshire has breached the Data Protection Act, is how the infection got into their systems in the first place. Forget the eye-catching ransom demand, the terrifying challenge of the previously unseen virus, forget even the question of why the Council has no alternative option when attacked than blindness and pens & paper. How did it happen, you cry? How did these cunning cyber-ninjas drip their deadly poison despite all of Lincolnshire’s “appropriate security measures”?

Somebody opened an email. 

I don’t know how good Lincolnshire’s technical security is: however sceptical I might be, there may be good reasons why they could not mirror their systems or back them up in such a way that they could be restored more quickly. Nevertheless, everything that the Council has said or done since the incident, even if their claim that no data has been compromised is true (I don’t believe them, but OK), is irrelevant. The fundamental question is why their staff are capable of falling victim to the dumbest, most basic security attack known to humankind. I just hope they don’t get any emails about the frozen bank accounts of the late Dr Hastings Kamuzu Banda. The Lincolnshire incident was entirely, wholly preventable, and they have to explain both to the Information Commissioner and to the fine folk of Lincolnshire why they allowed this to happen.

I have said it a thousand times, and here I am saying it again. An incident is not a breach. In order to have complied, Lincolnshire’s “appropriate security measures” have to include regular training and reminders, specifically warning about threats like malware in emails. Managers have to regularly check how their staff are working and whether they are following the clear, widely disseminated procedures and policies that would be necessary in order to comply. Audits would have to be in place, and the individual systems that Lincolnshire has had to switch off should have been assigned to named asset owners, who are responsible for actively assessing risks exactly like this one, and putting measures in place to keep them running even in the face of attacks.

If the person who opened the email has not been trained, reminded and appropriately supervised, this whole incident is Lincolnshire County Council’s fault and they should be taken to task for it. It doesn’t matter how sophisticated the software was, how unexpected Lincolnshire might be as a target: THEY LET THE BURGLARS IN. All the warm words about what happened after that, even if they’re all true, make no difference to this basic fact. You may say that an organisation can’t prevent human error, but that’s nonsense. Training, reminders, appropriate supervision and picking the right people in the first place massively reduce human error. Everything that happens afterwards is damage limitation: either Lincolnshire did what was required beforehand, or it’s a breach.

Red tape

Dark times on the Wirral, as confidential memos about web filtering fly around, suggesting skullduggery on the corridors of Council power. The headlines are remarkable: “Confidential memo tells shocked Wirral councillors their emails are being read by town hall bosses”, which would be quite a thing if it was true. Following the receipt of offensive emails about Hillsborough, the Chief Executive of Wirral Council suggested that the Council could filter the emails out so that councillors would not receive them. The opposition members worked themselves up into a lather, with one, Councillor Chris Blakeley, declaring: “I think it is outrageous that the council should determine which emails we should receive”. Another, Councillor Lesley Rennie opined “My colleagues and I are absolutely appalled that there could have even been a suggestion that emails from the public could be considered for filtering”.

At the risk of starting another barney in the comments, I don’t think the Council was suggesting anything inappropriate. Whatever you think of Wirral Council (feel free not to tell me), I think it’s likely that the Council was simply offering to block offensive emails, rather than making decisions about which emails Councillors receive. The Chief Executive stated that he had received complaints about the emails, so clearly felt that some kind of response was required. As feelings across Merseyside are still understandably raw over Hillsborough, even if the Council response was inelegant, I can see why the offer was made.

However, the Councillors’ reaction and some of the comments on the Wirral Globe’s story (the commenter ‘2040TIM’ sounds like he knows what he’s talking about), raise an interesting question that I suspect many councils and most councillors have not considered. If you are not a Data Protection nerd or a dedicated council watcher, look away now.

Councillors wear up to three hats in the normal course of their activities. As participants in Council Committees and decision-making, they are part of the Council. For Data Protection purposes, they are covered by the Council’s DP notification and any incident or breach involving them would be the Council’s problem. Hat number 2 comes with membership of a political party. They may sometimes receive personal data from their party for campaigning purposes. In this scenario, the party is responsible for Data Protection. The strangest hat is the one they wear as constituency representatives. Here, neither the council nor the party is responsible. The Councillor is a Data Controller in their own right.

Much of the controversy about Councillors and Data Protection revolves around the technical issue of notification (still often called ‘registration’, despite that term belonging to the 1984 Act), and in particular who pays for it. Some councillors notify, some don’t. One Wirral blogger was told by a councillor that notification was ‘a load of tosh’, which is an odd way for an elected representative to describe a legal requirement. Some councils pay for all of their councillors’ notifications, some don’t. However, despite the fact that numerous councillors across the UK remain without a notification, and despite the fact that the ICO has prosecuted estate agents, bar owners, solicitors and hairdressers for non-notification, no councillor in the UK has ever been prosecuted for non-notification.

The reason for this is probably that by prosecuting an errant elected member, the ICO would be crossing Eric Pickles, the Secretary of State for Communities and Local Government and an opponent of the ‘red tape’ that member notification represents. In 2011, Pickles told Conservative Home that notification for members was a ‘tax on volunteering’. In 2013, he proposed amending the DPA to exempt parish and town councillors from notification altogether (which is a good idea) and allowing councils to make a single payment for all Councillors’ notifications, which is unnecessary given that since the middle of the last decade, the ICO has accepted notification forms for all of a council’s members in one go with a single payment. I know this, because I used to do the notifications for my council’s members.

But this is all a red herring. Notification is an administrative tick-box. Under the 1984 Act, if you processed data electronically, you were covered by the Act and you had to register. If you didn’t process data electronically, you didn’t have to register and you didn’t have to comply. Under the 1998 Act, you have to comply regardless of whether you notify. If you’re exempt from notification, you still have to comply with all other aspects of the 1998 Act. If you refuse to notify, you’re committing an offence, but you still have to comply with all other aspects of the 1998 Act.

Just before Christmas, another Northern Council – Craven Council in the Yorkshire Dales – had a councillor / Data Protection controversy. The Council proposed rolling out iPads to its elected members as part of an upgrade to its IT security. Some councillors objected, and one Independent member was reported as offering “to sign up as his own data handler”, in other words, he was offering to notify as a data controller in order to avoid having the iPad. And so we come to the punchline. The Councillor was already a Data Controller whether he liked it or not. All councillors have to ensure that they are compliant with the DPA for the areas not covered by the Council or their party. Notification – and who pays the £35 – is just about the least significant aspect of this process.

For one thing, Councillors are Data Controllers for any equipment, any email account, any electronic system that they use to communicate with their constituents. The Council is their Data Processor in this context. Buried deep in the back of the Data Protection Act are surprisingly specific requirements for the relationship between a Data Controller and Data Processor – there must be a contract made or evidenced in writing, security guarantees given by the processor (the Council) to the Controller (the Councillor), and a reasonable check that the contract is being complied with. In other words, if the Wirral Councillors up in arms about what may or may not be happening to their emails have not obtained a written contract from Wirral, ensuring that Wirral will act only on their instructions when handling their constituency correspondence, the Councillors are in breach of the Data Protection Act. The Council – as a data processor – is not.

It goes further. Councillors should clearly inform their constituents about the way in which their data is used. They should respond to subject access requests. The Wirral Councillors are upset about what they believe is happening to their Wirral.gov.uk email addresses, but many Councillors use Hotmail or Yahoo mail for constituency business, or at the very least have all of their Council emails auto-forwarded to an outside account. This not only carries security risks that might breach the 7th DP principle, but also raises the spectre of the 8th Principle, which governs how to transfer information outside the European Economic Area (many web-based email providers use servers outside Europe).

Many senior Council officers and IT and DP specialists will weep at the thought, and I can think of one or two who will give me a smack for bringing it up. But Councils cannot dictate to their Councillors. It is clearly logical for Councillors to use systems and kit provided to them by the Council, but ultimately, they are responsible for a big slice of the data that they use as part of their work and it’s their decision. The Council is a processor, a service provider. Sticking with the robust corporate system is a reasonable idea, but they can work outside of it and if they do, Councillors are wholly responsible for what happens. In the meantime, any Councillor planning to kick up a fuss about emails or iPads or anything else should remember that if something goes wrong, the Council has a get-out-of-jail-free card for non-Council business. Perhaps they should be more shocked about that.

Once more unto the breach, dear friends

For some time, the Information Commissioner’s Office has advised organisations of all shapes and sizes to indulge in the masochistic activity of ‘breach notification’. Though taken to absurd levels of hair-shirtery in the NHS and some councils, the belief that any attention-grabbing data-related cock-up must automatically be reported to the ICO is widely held. I offer a modest prize for anyone who can find me the interview in which Christopher Graham – earlier in his tenure – mistakenly claimed that breach notification was mandatory. I sometimes cause a frisson in training sessions when I quietly suggest that there is no such obligation, and on one memorable occasion, I was even shouted at by an angry Data Protection Officer who had just told his employer that they were obliged to report. My advice, gentle reader, is that if you think that reporting an incident to the ICO will improve your compliance with the Data Protection Act, do it at once. If you want to report it because someone else will, that’s as good a reason as any. But don’t do it because you have to. Because you don’t.

Everyone who has been on one of my training courses on Data Protection in the past few years has heard me make the same point – an incident and a breach are not the same thing. Sometimes a breach leads to an incident, but it’s perfectly possible to have one without the other. This shouldn’t be a revelation to anyone who has read the Civil Monetary Penalties Code, but the recent First Tier Tribunal decision on Scottish Borders Council’s appeal against a £250,000 CMP suggests that some people in a certain Cheshire village may have got some things jumbled up.

The thing that makes self-reporting really stupid is also the answer to why Scottish Borders succeeded. According to the Tribunal, there was a serious breach of the DPA principles, in that Borders did not have a contract that was fully compliant with principle 7. This is a breach of the DPA that hundreds, if not thousands of Data Controllers are guilty of (tell me that your employer isn’t). Many of these contracts cover information more sensitive and more potentially damaging than the Borders data.

The ‘trigger incident’ is intriguingly described at the outset of the decision:

Outside Tesco in South Queensferry there are some bins for recycling waste paper. They are of the “post box” type. On 10 September 2011, a member of the public found that one of the bins was overflowing.

In the bins were pension records that should have been shredded by Borders’ contractor, but were not. The Council had a decades-long relationship with the contractor, and so perhaps could be forgiven for thinking that all was well. In any case, pension records in an overflowing recycling bin is not a breach of the Data Protection Act: the breach is not having the correct contract. I don’t think that the ICO fully appreciates this distinction, but more importantly, the Tribunal doesn’t think so either. Paragraph 45 of the decision quotes the ICO CMP notice on the contravention, and then says that it “is not particularly easy to follow and seems to be focussed on the trigger incident rather than the contravention”. The Deputy Information Commissioner, David Smith, is also described several times as being focussed on the papers in the bins, rather than the breach that led to this happening. Distracted by records somewhere they shouldn’t be, the ICO failed to make the link between breach and harm. Conjecture about the local press printing extracts of the pension records and scaremongering about the risk of identity theft cuts no ice – the Tribunal identifies a breach that should be put right, but not the likelihood of harm that justifies a CMP.

If the Tribunal decision is correct, where is the logic in incident reporting? If the Tribunal is correct that Borders had not complied with Principle 7, that would be true if there had been no incident. The breach would still have occurred, even if Tesco had emptied that recycling bin more often, or if the contractor had chosen an emptier recycling bin. The incident is a MacGuffin. Hitting Borders with a CMP was incorrect because the breach itself did not warrant it. There will be many other contracts out there with the same problems, but with substantial damage or distress much more likely to occur e.g. those covering the handling of credit card details or witness protection (damage) or sexual health information or gender reassignment (distress). Equally, a CMP is only appropriate for egregious breaches. Some organisations can be pushed onto the right course via an Enforcement Notice and some will willingly sort themselves out as soon as they realise what they’re doing wrong with no further action. The ICO shouldn’t back away from enforcement – I still think there should be more of it. But it should get the balance right between these three approaches, and it should not enforce against what it seems to perceive as softer targets like councils in the hope that bigger and more powerful Data Controllers in Government and the private sector will fall into line. It would make more sense to target a few whales rather than constantly netting the minnows.

The current guidance on the ICO website is entitled ‘Notification of data security breaches to the Information Commissioner’s Office’. For reasons best known to its author, it begins “The Data Protection Act 1998 (the DPA) is based around eight principles of ‘good information handling’.” I don’t know why ‘good information handling’ is in quotation marks (who originally said it?), and I don’t know why the ICO wants to make the Act’s legal obligations sound like nice things it would be nice if nice people could do. But the guidance is not about breaches. It is about the reporting of incidents – the ICO wants to know about incidents involving

“exposure to identity theft through the release of non-public identifiers, eg passport number”

and

“information about the private aspects of a person’s life becoming known to others, eg financial circumstances.”

These are terrible examples – a passport number isn’t enough to commit identity ‘theft’ (I’m using quotation marks because you can’t steal a person’s identity, although you can commit fraud using someone else’s identity). Meanwhile, your financial circumstances being known to others is a remarkably trivial example of what might be considered to cause “detriment”. It doesn’t take a genius to work out why the ICO lost their case if this nonsense is what they’re working to. The document contains no rationale for why the ICO should be told about random incidents, nor any explanation of why they want to be told only about issues (tangentially) related to Principle 7. This focus on incidents is an ineffective way to encourage compliance anyway, as it hoodwinks organisations that haven’t had an incident into thinking that they are compliant. I don’t doubt that an incident often provokes an organisation into taking action but the message that incidents = non-compliance (and the reverse) is nonsense. Data Controllers should be complying in the first place, not waiting for the other shoe to drop.

If the ICO wants to operate a system of ‘security breach’ notification, this guidance (and the wider strategy) has to change. The emphasis on incidents and losses and thefts must go. Instead, the ICO should demand to be informed whenever Data Controllers find a contract that does not put the processor under an obligation to act only on their instructions. They should expect to be told about every delayed or non-existent programme to encrypt mobile devices that store potentially damaging data. Shoddy business continuity plans, non-functioning back-ups, fly-by-night contractors, unlocked doors, untrained staff, everything that is actually a contravention of the Seventh Principle should be reported.

And while we’re at it, let’s remember my new initiative: “PEOPLE OF THE INFORMATION COMMISSIONER’S OFFICE, CAN I INTEREST YOU IN THE OTHER PRINCIPLES?” What is so special about the seventh principle? Why is lost data so much more unforgivable than old information or inaccurate information? The ICO should be asking Data Controllers to tell it about the databases that cannot delete records and throw up old data unbidden, the ignored retention policies that result in inappropriate information forming part of decisions, the inaccuracies that lead to financial loss and disadvantage, the CCTV in toilets, the unjustified secret use of information, the processing of data without a condition, and the sharing of personal data with non-EEA contractors without adequate protections. In the past few days, the Telegraph has reported a potentially massive breach of the fourth DP principle, with apparently widespread, damaging effects. But despite doubtless real distress experienced by many people (as opposed to the entirely imaginary damage attributed to Borders), the ICO will almost certainly not take action against the BBC over TV Licensing. They definitely do not publish guidance demanding that damaging inaccuracies are dutifully self-reported.

I have no doubt that quite a few of the Data Controllers impaled on the business end of an ICO CMP were guilty of a serious breach of one of the principles that was likely to cause substantial damage. Especially after the Borders decision, I am equally convinced that some of them were not – it is not only Borders who have been unfairly treated. But in any case, the CMP list is not the roll-call of the biggest, most damaging DPA breaches in the UK. It represents a haphazard collection of Data Controllers unlucky enough to experience a trigger incident and – in many cases – naïve enough to report it to the ICO. More serious breaches, likely to or actually resulting in real harm, have gone unpunished and will continue to do so until the incident obsession is set aside.

After this decision, the ICO can no longer simply grab headlines by punishing the hair shirt / bad luck brigade. It must find some more rigorous, equitable way to enforce the DPA, or go back to farting out undertakings and wringing its hands. If it continues to focus on incidents, Borders’ success will not be the last.