2011: The Year that News Made the News

December 15, 2011

2011: A year that started with the continued aftermath of the WikiLeaks saga, and ended with the Leveson Inquiry investigating the phone hacking scandal in the UK. Along the way many big names saw data breaches in 2011 including Citibank, Epsilon Marketing, RSA, Google, and Sony.

News in the News

2011 was the year that the news made the news. We started the year talking about classified information finding its way into the press and ended the year with an inquiry into the press. Alleged offences under section 55 of the Data Protection Act are at the heart of the phone hacking scandal.
Image: © Claudia Paulussen - Fotolia.com

Back in January Excelgate reported that, following the ongoing WikiLeaks saga, a coordinated global response across governments was necessary if a repeat of such a massive leak of classified material was to be avoided. The industry is just coming to terms with the ramifications of WikiLeaks, and at the East West Institute in London in June it was recognised that there needs to be greater co-ordination in the future, not just between technical and legal practitioners and politicians, but also across geographies in drafting new data protection and privacy legislation.

2011 saw the launch of some new standards and assurance schemes in the UK. In March, ISSA UK launched ISSA 5173 – a new security standard aimed at improving information security for small and medium-sized enterprises. I’ve been involved in the formation of the standard since the foundation of the workgroup back in 2010, and in the collation of feedback since the publication of the draft standard in March. To date feedback has been overwhelmingly positive, and the standard has been well received by the IT press. 2012 will see the publication of a series of guidance documents to accompany the standard. 2011 also saw the launch of CESG’s Commercial Product Assurance, the replacement product assurance scheme for CCTM for security solutions in the UK public sector. It aims to provide two levels of assurance for security solutions depending on where the proposed solution is to be used. This should open up the relatively closed market of IL3 (for example local authorities) by encouraging competition and innovation in this space.

August saw the rioting across London and other parts of the UK. Social media was widely reported to have been used by some rioters in coordinating some of the riots. As reported in June, the misuse of social media comes in a number of forms: from criminal acts to damaging reputations – both corporate and private. In November, speaking at the London Conference on Cyberspace, The Foreign Secretary, William Hague, whilst warning against the dangers of government censorship with regards to the use of social media, did state that global, coordinated action is needed to deal with social media misuse and cyber attacks. In short he said “that behaviour that is unacceptable offline is also unacceptable online, whether it is carried out by individuals or by governments.”

The Leveson Inquiry, investigating the culture, practice and ethics of the press, started its formal evidence hearings in November. At the heart of the phone hacking scandal is that somewhere along the chain personal data was potentially procured illegally. The What Price Privacy? report of 2006, published by the Information Commissioner’s Office, had already highlighted that there was widespread abuse of the Data Protection Act in the UK and recommended a custodial sentence for Section 55 offences. As reported in my interview with Christopher Graham in August, the Information Commissioner will continue to push for custodial sentences for the most serious offences.

The message of the What Price Privacy? report has somehow become lost and focused on journalists rather than on the illegal trade in personal data. I certainly don’t want to see restrictions placed upon a free press: this is the foundation of any democracy. Wrongdoing and fraud should be exposed. There is already a large carve-out of exceptions in the Data Protection Act for journalistic purposes. The trade and procurement of personal data is already illegal, however, and in my view the law is not being enforced severely enough – either in severity of sentence for the most serious cases, or in the number of prosecutions.

I have been impressed with the ICO’s response to date with regards to education and the issuing of fines. They have taken a very reasonable position: that people need education as to how to comply with the Data Protection Act. It would indeed be foolish to adopt a mass fining policy of organisations when the powers of the ICO to issue a monetary penalty notice only came into effect in April 2010. On the other hand, April 2012 will mark the second anniversary of this, and to continue indefinitely in this mode would, in my opinion, be a mistake. I certainly don’t want to see a situation where every single human error results in a fine from the ICO. The Data Protection Act is now, however, a 13-year-old piece of legislation, and organisations have now had two years to ensure they comply with the law in this regard. If HMRC operated on a mainly notice-to-improve basis, I’m fairly sure we’d see a significant decline in tax revenues (i.e. non-compliance). They don’t, however, and operate a sliding scale of penalties depending upon the severity of the mistake/non-compliance. For mistakes on VAT returns, for example, penalties are categorised as follows:

  • Careless: you failed to take reasonable care
  • Deliberate: you knowingly sent HMRC an incorrect document
  • Deliberate and concealed: you knowingly sent HMRC an incorrect document and tried to conceal the inaccuracy

In each category there is also a sub-category: prompted and unprompted (i.e. HMRC discover the discrepancy, or you notify HMRC of it). The fines vary from 100% of the tax due for deliberate and concealed and prompted, to 0% for careless and unprompted. I’d like to see a similar sliding scale defined for data protection offences and then enforced, since I simply don’t believe there have only been 7 serious data protection offences in the UK since April 2010. I’ve come across more than that myself this year alone, ranging from the potentially criminal to the careless error.

I’ve also, over the course of 2011, become convinced of the need for mandatory data breach notification laws for the UK, as is already the case in some US states. The naysayers are already out in full force in the UK, saying the UK doesn’t need another piece of legislation regulating business. It is worth bearing in mind that this legislation originated in California – that US state well-known for over-regulating businesses and stifling innovation – not! Similarly, the criticism of data breach notification laws is not based upon any real-world experience. A study from the University of California-Berkeley of the views of CISOs in the US showed that data breach notification laws have put data protection and information security firmly into the public eye, and have actually fostered dialogue in some cases between the consumer and the data controller regarding their data. It also empowers consumers to protect themselves, either by asking awkward questions of their data controllers or by simply shopping elsewhere. We need this raising of awareness and dialogue in the UK too. Why should we either trust or trade with an organisation that doesn’t safeguard our privacy?

Phil Stewart is Director, Excelgate Consulting & Secretary & Director, Communications for ISSA-UK


Twitter Tourettes

June 15, 2011

Twitter celebrated its fifth birthday earlier this year. It has revolutionised the way people interact in the 21st century: being at the heart of both the revolutions across the Middle East and the centre of a media and legal maelstrom in the UK regarding super-injunctions. It, along with Facebook, has become the mode of communication of choice for the “Google generation”. The appetite for both instant news and celebrity gossip has proved insatiable and has brought with it a whole host of dangers to both individuals and organisations that are unwary and unprepared.


Twitter celebrated its fifth birthday on 21st March 2011. Twitter users now send more than 140 million tweets a day.

Twitter Tourette’s, to coin a phrase, is used in this context to describe a phenomenon which has been increasing on the Internet: a (seemingly unknown) compulsion to publicise private or inappropriate material online (this is not to make light of Tourette’s Syndrome, in which 10% of people with Tourette’s swear uncontrollably). Serious thought needs to be given not only to the use of social networking tools within the workplace, but also to training for employees as to how they use them within their private lives.

High Profile Cases:

Bomb ‘joke’ on Twitter results in conviction under the Communications Act 2003

On 6th January 2010 Paul Chambers, a 27-year-old accountant, posted on Twitter a ‘joke’ threatening to blow Robin Hood airport “sky high”. He was arrested at work a week later and subsequently convicted of an offence under section 127 of the Communications Act 2003 (for “sending a public electronic message that was grossly offensive or of an indecent, obscene or menacing character”). Paul was fined £1,000 and lost his job as a result of the tweet, and lost his subsequent appeal against the conviction at Doncaster Crown Court.

Press Complaints Commission rules Twitter messages are “not private”

Sarah Baskerville, a Department of Transport official, filed a complaint with the press regulator, arguing that her tweets regarding being hung-over at work were private to her 700 Twitter followers and not meant for publication in the press (the Daily Mail and Independent on Sunday both reported this story). The Press Complaints Commission ruled that, as Twitter was publicly accessible and the potential audience was actually much wider than her own followers (since messages on Twitter can be re-tweeted to others), the publication of the story in the press did not constitute an invasion of privacy.

IT Consultant unwittingly tweets details of the raid on Osama Bin Laden hide-out live

An IT Consultant, Sohaib Athar, living in Abbottabad, Pakistan, was the first person to unwittingly tweet about the raid on the hide-out of Osama Bin Laden. He reported live as events unfolded that a helicopter was hovering over Abbottabad, followed by a loud explosion. He pondered: “Since Taliban (probably) don’t have helicopters, and since they’re saying it was not “ours”, so must be a complicated situation”. Later that day, after the White House press conference on the raid, it dawned on him that he had tweeted the operation live: “Uh oh, now I’m the guy who liveblogged the Osama raid without knowing it”. Within hours of his initial tweets his followers surged by over 15,000.

European head of Twitter indicates it may reveal to police details of Twitter users who broke super-injunction

Lawyers acting for a UK Premiership footballer filed court papers against Twitter and a number of its members last week after they allegedly broke the terms of a “super-injunction” banning publication of details of his private life. Tony Wang, the new European head of Twitter, has indicated that it could give police details of users who broke the gagging order, in line with its global policy for dealing with legal requests. In a statement at the e-G8 forum in Paris, Mr Wang said that it was Twitter’s policy to comply with local laws and to hand over details where it was “legally required” to do so.

South Tyneside Council acts in US Court to reveal identity of Twitter users behind allegedly libellous statements

South Tyneside Council went to court in California to request that Twitter release details of the identity of five Twitter users who were allegedly libelling a number of councillors at South Tyneside Council via Twitter. The “Mr Monkey” blog had made a number of accusations against the council leaders. Council spokesman Paul Robinson has revealed that information, including IP addresses and email addresses, has been disclosed by Twitter to the council’s lawyers.

A Tweet is a publication, not a private message!

Twitter should be regarded as a publishing platform, not a means of private communication. All the examples mentioned illustrate the dangers of the unguarded use of Twitter and social networking sites: revealing the details of secret military operations; opening the way for legal action, either for defamation or for breaking the terms of a gagging order; the uncontrolled release of new media into the press; or damage to reputation, corporate or private.

New e-learning Course

Excelgate Consulting has teamed up with Ira Winkler & VigiTrust to provide an e-learning training course: Security of Social Networks. The course can be run using a standard web browser and completed in stages at the participant’s own pace.


The Security of Social Networking elearning course model: introduction.

Upon completion of the course, your employees will take a test to assess their awareness, and on passing the course a certificate will be generated. On successful completion of the Security of Social Networks course, users will:

• Be able to distinguish between direct and indirect attacks from hackers and other unscrupulous individuals and how to avoid exposure to them

• Recognise the threats posed by seemingly inconsequential personal or confidential work information and identify the various ways in which criminals may exploit social networks

• Gain a good understanding of the main features of the major social networking sites, and how careless activity can impact negatively on corporate applications and customer sensitive information

The new Security of Social Networks e-Learning course is available now, and a short demo is available here: . Please contact us for further information.