Lincolnshire poachers

Dark times in the Fens, as Lincolnshire County Council finds itself in the grip of diabolical cyber-blackmailers who demand £1,000,000 to release the local authority from the grip of a terrifying new strain of virus that has locked up all their files. As ever, it’s unwise to judge the outcome before all of the details are in, but Lincolnshire’s story has some interesting aspects. One element seems to go in Lincoln’s favour: this is “zero-day malware“, the first time that the particular infection has been detected. This obviously would make it harder to defend against, and in any case the Council is “confident it had appropriate security measures in place“.

The Council’s chief information officer Judith Hetherington-Smith reassured residents with the claim that they were “absolutely looking after their data and it hasn’t been compromised”. This implies that no personal data has been compromised, but this can’t be entirely squared with some of Hetherington-Smith’s other comments. For example “Once we identified it we shut the network down, but some damage is always done before you get to that point – and some files have been locked by the software” Right, so there’s some damage then? “A lot of the files will be available for us to restore from the back-up.” A lot of them but not all of them? What about the ones that aren’t available?

That back-up is interesting, in the light of the fact that “People can only use pens and paper, we’ve gone back a few years.” An inherent part of information security is business continuity, ensuring that even if something falls over, the place can keep running. I’m running a course this week for people responsible for risk-managing big information systems, and the client has specifically asked me to emphasise the need for business continuity to be built in. The whole point of this is not to be knocked back to the pen and paper age – I heard a report on Radio 4 that Lincolnshire’s social workers had not had access to systems for several days, which means those charged with protecting the most vulnerable in Lincolnshire don’t have access to information they need to do their job. If this information isn’t “compromised“, then I don’t know how else you would define it. It’s a catastrophe. Rather than attempting to reassure (I’m amazed that no-one has said that they take Data Protection very seriously), the council needs to explain why they are offline for days without a back-up that allows essential systems to keep running.

But the most interesting part of the story, and the element that is most crucial for deciding whether Lincolnshire has breached the Data Protection Act is how the infection got into their systems in the first place. Forget the eye-catching ransom demand, the terrifying challenge of the previously unseen virus, forget even the question of why the Council has no alternative option when attacked than blindness and pens & paper. How did it happen, you cry? How did these cunning cyber-ninjas drip their deadly poison despite all of Lincolnshire’s “appropriate security measures“?

Somebody opened an email. 

I don’t know how good Lincolnshire’s technical security is: however sceptical I might be,  there may be good reasons why they could not mirror their systems or back them up in such a way that they could not be restored more quickly. Nevertheless, everything that the Council has said or done since the incident, even if their claim that no data has been compromised is true (I don’t believe them, but OK), is irrelevant. The fundamental question is why their staff are capable of falling victim to the dumbest, most basic security attack known to humankind. I just hope they don’t get any emails about the frozen bank accounts of the late Dr Hastings Kamuzu Banda. The Lincolnshire incident was entirely, wholly preventable, and they have to explain both to the Information Commissioner and to the fine folk of Lincolnshire why they allowed this to happen.

I have said it a thousand times, and here I am saying it again. An incident is not a breach. In order to have complied, Lincolnshire’s “appropriate security measures” have to include regular training and reminders, specifically warning about threats like malware in emails. Managers have to regularly check how their staff are working and whether they are following the clear, widely disseminated procedures and policies that would be necessary in order to comply. Audits would have to be in place, and the individual systems that Lincolnshire has had to switch off should have been assigned to named asset owners, who are responsible for actively assessing risks entirely like this one, and putting measures in place to keep them running even in the face of attacks.

If the person who opened the email has not been trained, reminded and appropriately supervised, this whole incident is Lincolnshire County Council’s fault and they should be taken to task for it. It doesn’t matter how sophisticated the software was, how unexpected Lincolnshire might be as a target: THEY LET THE BURGLARS IN. All the warm words about what happened after that, even if they’re all true, make no difference to this basic fact. You may say that an organisation can’t prevent human error, but that’s nonsense. Training, reminders, appropriate supervision and picking the right people in the first place massively reduce human error. Everything that happens afterwards is damage limitation: either Lincolnshire did what was required beforehand, or it’s a breach.

Whoops!

Yesterday, after at least a year of pondering it, the Information Commissioner asked the Universities and Colleges Admissions Service (UCAS) to sign an undertaking, agreeing to change the way in which they obtain consent to use students’ data. The data is obtained as part of the application process and subsequently used for marketing a variety of products and services, and UCAS has agreed to change its approach. It’s important to note that this is an undertaking, so UCAS has not been ordered to do anything, nor are there any direct consequences if they fail to do what is stated in the undertaking. An undertaking is a voluntary exercise – it is not served, it does not order or require, it simply documents an agreement by a Data Controller to do something.

Aspects of the story concern me. The ICO’s head of enforcement is quoted as saying: “By failing to give these applicants a clear option to avoid marketing, they were being unfairly faced with the default option of having their details used for commercial purposes” but given that the marketing was sent by text and email, the opportunity to “avoid” marketing is not what should have been in place. If UCAS wanted to sell access to university and college applicants, they needed consent – which means opt-in, not opt-out. As the undertaking itself points out, consent is defined in the EU Data Protection Directive as freely given – an opt-out cannot constitute this in my opinion. If you think that an opt-out does constitute consent, try transposing that thinking into any other situation where consent is required, and see how creepy your thinking has suddenly become. Consent should be a free choice, made actively. We should not have to stop commercial companies from texting and emailing us – the onus should be on them to make an attractive offer we want to take up, not on consumers to bat away their unwanted attentions.

It’s entirely possible that the ICO’s position on consent is better expressed in the undertaking itself, but here we have a little problem. At least when it was published yesterday, half of the undertaking was missing. Only the oddly numbered pages were published, so presumably the person who scanned the document had a double-sided original and didn’t notice that they had scanned it single-sided. The published document also included one page of UCAS’ covering letter and the final signed page of the undertaking, which the ICO never normally publishes. This mistake reveals some interesting nuggets that we wouldn’t normally know, from the trivial (the Chief Executive of UCAS signed the undertaking with a fountain pen, something of which I wholeheartedly approve) to the potentially significant (the covering letter sets out when UCAS might divert resources away from complying with the undertaking).

But that’s not the point. The point is that the ICO uploaded the wrong document to the internet, and this is not the first time it has happened. I know this because on a previous occasion, I contacted the ICO to tell them that they had done it, and many people on my training courses have also seen un-redacted enforcement and FOI notices on the ICO website. The data revealed in the UCAS case is not sensitive (although I don’t know how the UCAS Chief would feel about her signature being published on the internet), but that’s not the point either. The ICO has spent the last ten years taking noisy, self-righteous action against a variety of mainly public bodies for security slip-ups, and the past five issuing monetary penalties for the same, including several following the accidental publication of personal data on the internet.

The issue here is simple: does the ICO’s accidental publication of this undertaking constitute a breach of the 7th Data Protection Principle? They know about the risk because they’ve done it before. Have they taken appropriate technical and organisational measures to prevent this from happening? Is there a clear process to ensure that the right documents are published? Are documents checked before they are uploaded? Does someone senior check whether the process is being followed? Is everyone involved in the process properly trained in the handling of personal data, and in the technology required to publish documents onto the web? And even if all of these measures are in place, is action taken when such incidents are identified? If the ICO can give positive answers to all these questions, then it is not a breach. Stuff happens. But if they have not, it is a breach.

There is no possibility, no matter how hilarious it would be, that the ICO will issue a CMP on itself following this incident, although it is technically possible. What should happen is that the ICO should quickly and effectively take steps to prevent this from happening again. However, if the Information Commissioner’s Office does not ask the Information Commissioner Christopher Graham to sign an undertaking, publicly stating what these measures will be, they cannot possibly speak and act with authority the next time they ask someone else to the same. Whether they redact Mr Graham’s signature is entirely a matter for them.

UPDATE: without acknowledging their mistake, the Information Commissioner’s Office has now changed the undertaking to be the version they clearly intended to publish. One wonders if anything has been done internally, or if they are simply hoping that only smartarses like me noticed in the first place.

Crazy Naked Girls

There’s little to like about the voyeuristic coverage of the theft of images of famous women. Whether it is the feverish frottage of the mainstream press (which largely boils down to LOOK AT ‘EM ALL, IMAGINE ‘EM ALL NAKED, NNNNNNNNGGGGGG!!!!!) or the inevitably crass victim blaming (thank you, Ricky Gervais, for The Office and for absolutely nothing else), it’s all depressing.

The data protection strand in all this hasn’t been much better. Mobile devices are not a safe place to store sensitive data (true). The cloud is – in Graham Cluley’s immaculate phrase – just someone else’s computer (true). But too many security commentators have, perhaps unwittingly, aligned themselves with a ‘They asked for it’ line of thinking. A popular analogy is the one about burglary or car theft (this is an example from 2011). Apparently, you can’t complain if you leave your valuables on the front seat of your car and somebody steals them, and the same goes for pictures of your bits and the internet. In other words, the thinking is more or less that if Jennifer Lawrence is silly enough to take pictures of herself naked, she was basically asking for them to be stolen. For me, this is too close to the mentality that blames rape victims for being drunk, rather than rapists for being rapists. Friends, I blame the rapists.

Taking pictures of oneself is normal for most people, not just actresses – I am odd because I don’t do it, but if I was good looking, I probably would, all the time. It must be great to be extraordinary, and to enjoy being extraordinary. It’s too easy to be holier-than-thou and say that the violated only have themselves to blame. The victims made these images for themselves or they made them for someone else specific. They did not make the images for the media, or for the voyeurs who stole, sold or search for them. Anyone who handles or seeks them out violates the subject’s privacy, is a criminal and should be treated as such. The victims did nothing remotely scandalous or reprehensible – indeed, they did nothing that is anyone else’s business but their own. They probably didn’t do a privacy impact assessment before taking the pics, but that’s because they’re human beings and not data controllers.

The car analogy doesn’t work because mobile phones and the internet are not immediately understandable physical objects and spaces. When you leave your laptop on the passenger seat of your car, you can turn around and see the laptop sitting there. The risk is apparent and obvious. There’s a striking moment in Luc Besson’s current film ‘Lucy’ where Scarlett Johansen can see data streams soaring out of mobile phones across Paris, and navigates her way through them. We don’t see data like this. Few understand how the internet actually works (I’ve met a lot of people who think cloud storage means that data is floating in the air like a gas). We don’t see the data flowing or spot the footprint it leaves behind. We don’t know where the data ends up and the companies we use don’t tell us. We use unhelpful misnomers like ‘the cloud’ when we mean ‘server in a foreign land’. Many people don’t know how their phones work, where their data is stored, how it is copied or protected, or who can get access to it. This should be the problem that the photo hack alerts us to.

It’s possible that some people would change the way they used technology if they fully understood how it works, but that should be their choice, based on clear information provided by the manufacturers. At least one of those affected has confirmed that the images of her are quite old, so we can’t even judge the situation on what we know now. If taking the pics was a mistake (and I don’t think I’m entitled to say it was), it was a mistake made possibly years ago.

I don’t think people understand where their data is or how it is stored. Rather than wagging our fingers at the victims of a sex crime, anyone involved in data protection and security should concentrate on educating the world about the risks. I think the big tech companies like Google, Apple and Facebook would be uncomfortable with this idea, which is why security and sharing are presented as such tedious, impenetrable topics. They don’t want more informed use of their services, they just want the data like everyone else. The defaults for sharing and online storage, for location and tracking, for a whole variety of privacy invasive settings should be set to OFF. Activities involving risk should be a conscious choice, not an accidental side effect of living in the 21st century.

Red tape

Dark times on the Wirral, as confidential memos about web filtering fly around, suggesting skullduggery on the corridors of Council power. The headlines are remarkable: “Confidential memo tells shocked Wirral councillors their emails are being read by town hall bosses“, which would be quite a thing if it was true. Following the receipt of offensive emails about Hillsborough, the Chief Executive of Wirral Council suggested that the Council could filter the emails out so that councillors would not receive them. The opposition members worked themselves up into a lather, with one, Councillor Chris Blakeley, declaring: “I think it is outrageous that the council should determine which emails we should receive”. Another, Councillor Lesley Rennie opined “My colleagues and I are absolutely appalled that there could have even been a suggestion that emails from the public could be considered for filtering“.

At the risk of starting another barney in the comments, I don’t think the Council was suggesting anything inappropriate. Whatever you think of Wirral Council (feel free not to tell me), I think it’s likely that the Council was simply offering to block offensive emails, rather than making decisions about which emails Councillors receive. The Chief Executive stated that he had received complaints about the emails, so clearly felt that some kind of response was required. As feelings across Merseyside are still understandably raw over Hillsborough, even if the Council response was inelegant, I can see why the offer was made.

However, the Councillors’ reaction and some of the comments on the Wirral Globe’s story (the commenter ‘2040TIM’ sounds like he knows what he’s talking about), raise an interesting question that I suspect many councils and most councillors have not considered. If you are not a Data Protection nerd or a dedicated council watcher, look away now.

Councillors wear up to three hats in the normal course of their activities. As participants in Council Committees and decision-making, they are part of the Council. For Data Protection purposes, they are covered by the Council’s DP notification and any incident or breach involving them would be the Council’s problem. Hat number 2 comes with membership of a political party. They may sometimes receive personal data from their party for campaigning purposes. In this scenario, the party is responsible for Data Protection. The strangest hat is the one they wear as constituency representatives. Here, neither the council nor the party is responsible. The Councillor is a Data Controller in their own right.

Much of the controversy about Councillors and Data Protection revolves around the technical issue of notification (still often called ‘registration’, despite that term belonging to the 1984 Act), and in particular who pays for it. Some councillors notify, some don’t. One Wirral blogger was told by a councillor that notification was ‘a load of tosh‘, which is an odd way for an elected representative to describe a legal requirement. Some councils pay for all of their councillor’s notifications, some don’t. However, despite the fact that numerous councillors across the UK remain without a notification, and despite the fact that the ICO has prosecuted estate agents, bar owners, solicitors and hairdressers for non-notification, no councillor in the UK has ever been prosecuted for non-notification.

The reason for this is probably that by prosecuting an errant elected member, the ICO would be crossing Eric Pickles, the Secretary of State for Communities and Local Government and an opponent of the ‘red tape’ that member notification represents. In 2011, Pickles told Conservative Home that notification for members was a ‘tax on volunteering’. In 2013, he proposed amending the DPA to exempt parish and town councillors from notification altogether (which is a good idea) and allowing councils to make a single payment for all Councillors’ notifications, which is unnecessary given that since the middle of the last decade, the ICO has accepted notification forms for all of a council’s members in one go with a single payment. I know this, because I used to do the notifications for my council’s members.

But this is all a red herring. Notification is an administrative tick-box. Under the 1984 Act, if you processed data electronically, you were covered by the Act and you had to register. If you didn’t process data electronically, you didn’t have to register and you didn’t have to comply. Under the 1998 Act, you have to comply regardless of whether you notify. If you’re exempt from notification, you still have to comply with all other aspects of the 1998 Act. If you refuse to notify, you’re committing an offence, but you still have to comply with all other aspects of the 1998 Act.

Just before Christmas, another Northern Council – Craven Council in the Yorkshire Dales – had a councillor / Data Protection controversy. The Council proposed rolling out iPads to its elected members as part of an upgrade to its IT security. Some councillors objected, and one Independent member was reported as offering “to sign up as his own data handler“, in other words, he was offering to notify as a data controller in order to avoid having the iPad. And so we come to the punchline. The Councillor was already a Data Controller whether he liked it or not. All councillors have to ensure that they are compliant with the DPA for the areas not covered by the Council or their party. Notification – and who pays the £35 – is just about the least significant aspect of this process.

For one thing, Councillors are Data Controllers for any equipment, any email account, any electronic system that they use to communicate with their constituents. The Council is their Data Processor in this context. Buried deep in the back of the Data Protection Act are surprisingly specific requirements for the relationship between a Data Controller and Data Processor – there must be a contract made or evidenced in writing, security guarantees given by the processor (the Council) to the Controller (the Councillor), and a reasonable check that the contract is being complied with. In other words, if the Wirral Councillors up in arms about what may or not be happening to their emails have not obtained a written contract from Wirral, ensuring that Wirral will act only on their instructions when handling their constituency correspondence, the Councillors are in breach of the Data Protection Act. The Council – as a data processor – is not.

It goes further. Councillors should clearly inform their constituents about the way in which their data is used. They should respond to subject access requests. The Wirral Councillors are upset about what they believe is happening to their Wirral.gov.uk email addresses, but many Councillors use Hotmail or Yahoo mail for constituency business, or at the very least have all of their Council emails auto-forwarded to an outside account. This carries both security risks that might breach the 7th DP principle, but also raises the spectre of the 8th Principle, which governs how to transfer information outside the European Economic Area (many web-based email providers use servers outside Europe).

Many senior Council officers and IT and DP specialists will weep at the thought, and I can think of one or two who will give me a smack for bringing it up. But Councils cannot dictate to their Councillors. It is clearly logical for Councillors to use systems and kit provided to them by the Council, but ultimately, they are responsible for a big slice of the data that they use as part of their work and it’s their decision. The Council is a processor, a service provider. Sticking with the robust corporate system is a reasonable idea, but they can work outside of it and if they do, Councillors are wholly responsible for what happens. In the meantime, any Councillor planning to kick up a fuss about emails or iPads or anything else should remember that if something goes wrong, the Council has a get-out-of-jail-free card for non-Council business. Perhaps they should be more shocked about that.

This is not fine

The Chief Executive of Brighton and Sussex University Hospitals NHS Trust has come out fighting. Having just received a record £325,000 civil monetary penalty for DPA breaches, Mr Duncan Selbie has declared that he doesn’t understand what is going on, and he will appeal the CMP forthwith. There is a small part of me that hopes he is right. If I ever get my wish to retire to the Flanders countryside to run a microbrewery, first brew out of the garage will be one called Schadenfraude. The spectacle of the ICO enduring an epic reversal would not be unenjoyable.

Mr Selbie may miss the Tribunal as he is leaving the Trust to take over a new quango called Public Health England (one can only hope he maintains the same high standards in his new role). Meanwhile, someone else will presumably step up to refute the ICO’s case with a fully-worked out contract signed by the Trust and its contractors, setting out exactly what security measures they were to employ, and how they deal with subcontractors. They will thrill the Tribunal with records showing that they knew exactly who the chap who spirited 252 hard drives out of his premises was, that their tight security was foxed only by means of a Mission Impossible rope trick, and the precision with which the Trust checked how their requirements were being carried out will make passing watchmakers weep with envy.

On the other hand, if the defence really is the current line of A Big Boy Did It And Ran Away, one can only fear for Selbie and the Trust’s brass neck when the scrap metal thieves get wind of it. For the record, when this one is resolved, my money is on the Information Commissioner popping corks from bottles called I Told You So.

The facts in the notice are these – and unless Brighton disputes them, they should follow their own corporate rules (two of which are ‘lead not blame’ and ‘solve not excuse’) and just pay the fine. The contract between Brighton and their main contractor SHIS had expired. In any case, it did not set out security requirements that SHIS have to follow, and does not prevent SHIS from using a subcontractor. Brighton apparently did not even know that SHIS used one. This suggests that when he came into their premises and took away at least 252 hard drives, Brighton did not know that he was a subcontractor – in a sense, they did not know who he was when he was in their building, taking away their patients’ precious data. No alarm bells range when the subcontractor was willing to dispose of thousands of hard drives unpaid. Even when the breach was first pointed out to them, the Trust was unable to recognise its true scale.

The ICO is not beyond making a mistake. If these are not the facts, they owe Mr Selbie and his Trust an abject apology. But if they are right, Mr Selbie’s claim not to understand why his organisation has been punished is remarkable and worrying. A third party with no contract was able to enter a Trust building and take hundreds of hard drives unnoticed, even though nobody really knew who he was. If the organisation was so reckless with its money, I doubt he would be so bumptious. However, this apparently complacent approach is effectively the same thing. No amount of shroud waving about what they could have spent the penalty money on makes any difference. The cost of avoiding this shambles altogether would have been tiny by comparison. The cost of creating a framework sufficiently robust to prevent the ICO from being able to argue that the incident could have been prevented – even if it had happened – would have been even smaller.

Here’s what they needed to do:

  • Have a clear contract with their contractor, putting them under obligations to look after personal data properly
  • Ensure that the issue of subcontractors was properly dealt with – either forbidding them or requiring any subcontractors to be put under the same obligations
  • Obtain evidence periodically that the above was being complied with

Anybody could have done these things, and every day, thousands of organisations large and small do just that. If they had done these things, the CMP would be misconceived. If they haven’t done these, the incident is appalling and their reaction is even worse. Any attempt to appeal without evidence of the proper contracts and checks in place – especially as an appeal will require them to pay for legal representation and commit further time and resources – would be a scandal.

An organisation must be allowed to defend itself robustly when the ICO comes calling, especially as some of the recent CMPs have focussed on mishaps that could happen in any organisation. I’m not convinced that having work documents in your bag in the pub when it is stolen should carry a £100,000 price tag. I think the Commissioner sometimes hits another CMP target by over-egging the link between an email sent to the wrong place and a missing policy that may not have made any difference. But the account given of Brighton’s apparent inaction distinguishes it from many of the other CMP cases. It’s why the ICO’s blinkered focus on security breaches is sometimes absolutely right.

If these facts are correct, this punishment is entirely justified. It sounds like a systematic corporate failure, not a one-off cock-up, precisely what the CMPs were designed for. Having inadequate contracts that allow uncontrolled strangers able to access the most private and sensitive of health information is very different to sending an email to the wrong recipient. I enjoy a bit of ICO-bashing more than most, but they have it exactly right here. Mr Selbie should show real leadership, by apologising for this shambles and taking his medicine.