What Price, Privacy?

October 15, 2014

At IP Expo last week in London, the inventor of the World Wide Web, Tim Berners-Lee, outlined his vision for the future of the web, and data ownership in his keynote speech.

internet, web commerce, ecommerce, internet, future, connectivity, global connectivity, data sharing, data

© Victoria – Fotolia.com

Over the past few years there have been numerous concerns about big data and its use. Tim Berners-Lee argues that whilst he is perfectly happy for his personal data to be used by professionals where it is of benefit to him or mankind (e.g. healthcare professionals in a road traffic accident), this does not apply to commercial organisations for the purposes of targeted marketing. Tim argues that the owners of personal data are the data subject, not large corporations, and that we should have a say how it can be used and where it can be sold or merged with other data sets.

Others take a different view. An interesting panel discussion with Raj Samani, Andrew Rose & Josh Pennell ensued later in the conference. There was disagreement amongst these panelists whether the ‘reputational damage’ argument regarding data loss actually meant anything these days to organisations, since data breaches are seemingly ubiquitous and those outside the industry, especially the Facebook generation, simply don’t care if their personal data is lost. Time will tell if there is long-term damage to Target, for example from their breach, although early indications appear to show that the share price of Target has mostly recovered.

Earlier in the month, Raj Samani had argued in a webcast to Forbes, that as a consumer, he gives consent for his personal data being used and shared when he signs up for services, and that most consumers will happily do so, given there is consent, perceived value and transparency. After, all, services such as Twitter and Facebook are free for the end-user to use. Raj does concede however, that the terms and conditions are rarely clear, being large legal documents, and that few end users will actually read them. There rarely is effective transparency in these cases, if end-users do not realise what they are signing up to.

How Tim’s proposal might work in practice would be to change legislation and afford personal data the same status as copyrighted data: use and context requires specific owner consent and re-use requires a royalty paid to the data subject. It may also solve the forthcoming conundrum about the “right to erasure” in the new EU Data Protection legislation: if I ask to be removed from one database, in theory the deletion should cascade into third party databases, where the data had been sold on. It would also take away some of the burden from over-worked regulators like the ICO, who are severely under-resourced.

I’m sure many organisations will say such a model is unworkable, but it may just make organisations think about how and where they use our personal data, especially if over-use of personal data directly affected bottom line via royalty payments. 40 years ago, in the Cold War era, if you had suggested an interconnected network of disparate computers upon which banking, finance, government, education, retail and leisure all relied on, which would become both ubiquitous and intrinsic to our daily lives, the idea would probably have been dismissed as the work of science-fiction and unworkable. Yet in 2014, we rely upon the internet to sustain all these things and more. Our industry needs such radical thinking today for a new model of data protection.

Phil Stewart is Director, Excelgate Consulting


2011: The Year that News Made the News

December 15, 2011

2011: A year that started with the continued aftermath of the WikiLeaks saga, and ended with the Leveson Inquiry investigating the phone hacking scandal in the UK. Along the way many big names saw data breaches in 2011 including Citibank, Epsilon Marketing, RSA, Google, and Sony.

News in the News

2011 was the year that the news made the news. We started the year talking about classified information finding its way into the press and ended the year with an inquiry into the press. Alleged offences under section 55 of the Data Protection Act are at the heart of the phone hacking scandal.
Image: © Claudia Paulussen - Fotolia.com

Back in January Excelgate reported that following the ongoing WikiLeaks saga, it was necessary to have a coordinated global response across governments if a repeat of such a massive leak of classified material was to be avoided.  The industry is just coming to terms with the ramifications of WikiLeaks, and at the East West Institute in London in June, it was recognised that there needs to be greater co-ordination in the future, not just between technical and legal practitioners and politicians, but also across geographies in drafting new data protection and privacy legislation in the future.

2011 saw the launch of some new standards and assurance schemes in the UK. In March, ISSA UK launched ISSA 5173 – a new security standard aimed at improving information security for small and medium-sized enterprises. I’ve been involved in the formation of the standard since the foundation of the workgroup back in 2010, and in the collation of feedback since the publication of the draft standard in March. To date feedback has been overwhelming positive, as well as being well received by the IT press. 2012 will see the publication of a series of guidance documents to accompany the standard. 2011 also saw the launch of CESG’s Commerical Product Assurance, the replacement product assurance scheme for CCTM for security solutions in the UK public sector. It aims at providing two levels of assurance for security solutions depending on where the proposed solution is to be used. This should open up the market for the relatively closed space of IL3 (for example local authorities) by encouraging competition and innovation in this space.

August saw the rioting across London and other parts of the UK. Social media was widely reported to have been used by some rioters in coordinating some of the riots. As reported in June, the misuse of social media comes in a number of forms: from criminal acts to damaging reputations – both corporate and private. In November, speaking at the London Conference on Cyberspace, The Foreign Secretary, William Hague, whilst warning against the dangers of government censorship with regards to the use of social media, did state that global, coordinated action is needed to deal with social media misuse and cyber attacks. In short he said “that behaviour that is unacceptable offline is also unacceptable online, whether it is carried out by individuals or by governments.”

The Levenson Inquiry, investigating the culture, practice and ethics of the press started its formal evidence hearings in November. At the heart of the phone hacking scandal is that somewhere along the chain personal data was potentially procured illegally. The What Price Privacy? report of 2006, published by the Information Comissioner’s Office already highlighted there was widespread abuse of the Data Protection Act in the UK and recommended a custodial sentence for Section 55 offences. As reported in my interview with Christopher Graham in August, the Information Commissioner will continue to push for custodial sentences for the most serious offences.

The message of the What Price Privacy?  report has somehow become lost and focused on journalists rather than the illegal trade in personal data. I certainly don’t want to see restrictions placed upon a free press: this is the foundation of any democracy. Wrong-doing and fraud should be exposed. There is already a large carve-out of exceptions in the Data Protection Act for journalistic purposes. The trade and procurement of personal data is already illegal, however, and in my view the law is not being enforced severely enough – either in severity of sentence for the most serious cases, or in the number of prosecutions.

I have been impressed with the ICO’s response to date with regards to education and the issuing of fines. They have taken a very reasonable position: that people need education as to how to comply with the Data Protection Act. It would indeed be foolish to adopt a mass fining policy of organisations when the powers of the ICO to issue a monetary penalty notice only came into effect in April 2010. On the other hand, April 2012 will mark the second anniversary of this and to continue indefinitely in this mode would be, in my opinion, be a mistake. I certainly don’t want to see a situation where every single human error results in a fine from the ICO. The Data Protection Act is now, however, a 13 year-old piece of legislation, and organisations have now had two years to ensure they comply with the law in this regard. If HMRC operated on a mainly notice to improve basis, I’m fairly sure we’d see a significant decline in tax revenues (i.e. non-compliance). They don’t however, and operate a sliding scale of penalties depending upon the severity of mistake/ non-compliance. For mistakes on VAT returns, for example, penalties are categorised as follows:

  • Careless : you failed to take reasonable care
  • Deliberate: you knowingly sent HMRC an incorrect document
  • Deliberate and concealed: you knowingly sent HMRC an incorrect document and tried to conceal the inaccuracy

In each category there is also a sub-category: promoted and unprompted (i.e. HMRC discover the discrepancy or you notify HMRC of it). The fines vary from 100% of the tax due for deliberate and concealed and prompted to 0% for careless and unprompted. I’d like to see a similar sliding scale defined for data protection offences and then these enforced, since I simply don’t believe there has only been 7 serious data protection offences in the UK since April 2010. I’ve come across more than that myself this year alone, ranging from the potentially criminal to the careless error.

I’ve also, over the course of 2011, become convinced of the need for a mandatory data breach notification laws for the UK, as is already the case in some US states. The naysayers are already out in full force in the UK, saying the UK doesn’t need another piece of legislation regulating business. It is worth bearing in mind that this legislation originated in California – that US state well-known for over-regulating businesses and stifling innovation -not! Similarly, the criticism of data breach notification laws is not based upon any real-world experience. A study from the University of California-Berkeley of views from CISOs in the US, showed that data breach notification laws has put data protection and information security firmly into the public eye, and actually fostered dialogue in some cases between the consumer and data controller regarding their data. It also empowers consumers to protect themselves, either by asking awkward questions of their data controllers or by simply shopping elsewhere. We need this raising of awareness and dialogue in the UK too. Why should we either trust or trade with an organisation that doesn’t safeguard our privacy?

Phil Stewart is Director, Excelgate Consulting & Secretary & Director, Communications for ISSA-UK


The Insider Threat

September 5, 2011

Last month the Information Commissioner, Christopher Graham, gave an interview to the ISSA, ahead of his address to the ISSA later this week, and looks at how most data breaches start with an employee from within the organisation:

In 2006, the ICO uncovered the organised and illegal trade of confidential personal information in the report, What Price Privacy? How widespread do you believe this problem is today in the UK?

“I’ve described it as a modern scourge. The headlines, both in 2006 and more recently, have all been about the behaviour of the press, but I think it goes much further … Basically we’ve got pretty systematic trashing of our rights under the Data Protection Act.  My predecessor, in flagging the blagging, made the case for a much stronger penalty that would act as a deterrent but also send a very strong signal that data protection offences are not a victimless crime. It’s very important now that parliament gets on and activates section 77 of the Criminal Justice & Immigration Act 2008 which allows for the custodial penalty of up to 6 months in a magistrates court and up to 2 years in the crown court, but has not been commenced. It wasn’t commenced because of a stand-off between the politicians and the press.  I think we can now get through that, because the terms of the debate have changed a bit.  This isn’t something that should wait for the Leveson Inquiry because frankly it isn’t about newspapers – it’s about debt recovery, claims management companies, matrimonial disputes, child custody battles, you name it.”

Yes, I remember when you became Information Commissioner in 2009, at a Parliamentary select Committee you re-iterated the need for a custodial sentence for convictions under section 55 of the Data Protection Act.

“Indeed, I did.  I didn’t get very far, though, because basically the politicians and the press had agreed this was going to be a sort of Sword of Damocles hanging over the press and if they misbehaved then it would be activated. I think the whole point was the 2006 report – yes, it talks about the behaviour of the tabloid press because the particular private investigator that the ICO raided, that was his main line of business.  But that’s  not what all the report was about. The idea that you don’t have to take any action against staff in NHS walk-in centres selling information to claims management companies because of some arcane dispute about investigative journalism is clearly nonsense. I didn’t get very far two years ago but I’m determined to go on pushing. There’s the human factor in all of this. We can have wonderful systems and policies for data protection and data security, but if the men and women on the ground don’t take it seriously and don’t think it matters – none of those systems are going to work. A small fine in a magistrates court is simply not a deterrent. I think understanding that you might go to prison is more like it, but it also enables the courts to look at the whole range of possible penalties which might be somewhere between a small fine and the threat of going to prison or having a community sentence.”

I noticed that in the ICO’s latest annual report – you mentioned the NHS – as an organisation they had the largest number of data breaches

 “They are about the largest organisation so I’m not surprised by that – they are quite good at reporting breaches, it’s part of their procedure. I recently met with the chief executive of the National Health Service,  Sir David Nicholson.  We had a very good, workmanlike discussion. There’s a lot of change in the NHS and that makes for a particularly dangerous time but you’ve got to distinguish between the trucks and the tracks. We’re much better at thinking about the trucks: these are the great security initiatives and projects. The tracks are the routine: the day-to-day. My experience of a lot of organisations, not just the NHS, is that the messages haven’t got down to the grassroots. Data protection is seen as the sole concern of a few geeks, and as a result terrible things happen.  People have heard the messages but haven’t internalised them. Every week I’m dealing with laptops going missing, not encrypted; portable devices and papers left on the bus; sensitive files dumped in a skip. In the health service of course by definition the information is almost certainly going to be sensitive information so we’re working very closely with the NHS so that they can get the big things right – summary care records etc, but they can also get the smaller things – which actually aren’t that small – such as persuading the receptionist in the GP surgery you don’t give things out over the phone just because somebody rings you up and sounds persuasive.”

What can be done in the health sector and other sectors to generate a culture where data protection becomes second nature, rather than seen as an annual event, or a burdensome task?

“I think organisations both in the public sector and the private sector have so much at stake in terms of their reputation, which of course in commercial terms you can put a value on, and in the public sector it’s all about the threat of reversing all the work that’s gone into citizen engagement.  The fact that it’s a real issue at the top of the organisation means that the message then needs to be taken to the whole organisation: it’s not just something of peripheral concern. Yes, it’s about training, but then it’s about auditing, it’s about going back and making sure people are practising what they know they are supposed to be doing – it’s about mainstreaming the whole thing. It should be absolutely part of the performance review system. We shouldn’t have the situations we’ve had over the past few years or so where people dealing with very sensitive information are treating it in such a cavalier way.  Our first civil monetary penalty was imposed on Hertfordshire County Council where they’d faxed highly sensitive court papers in a child welfare case to what they thought was Watford County Court but unfortunately it wasn’t and they’d got the number wrong. You wouldn’t do that if you were thinking about what the material was you were handling, that it was very sensitive, personal information about vulnerable children, so faxing wasn’t a very good idea anyway. You needed to have made sure you had got the right fax number, and that someone was waiting for the fax at the other end and that you didn’t just have finger trouble and were about to send it elsewhere. The civil monetary penalties which we’ve had at [the ICO’s] disposal since April of last year have certainly had a sobering effect and made people sit up and take notice. We’ve only imposed 6 of them – we’re not trigger happy – but it’s certainly made it very real to organisations who have focused on the reputational damage – being hit with a penalty.”

Following the use of social networking sites such as Twitter to reveal the details of super-injunctions earlier this year, the Prime Minister has called for a review of Data Privacy legislation in the UK. Will the ICO be contributing to the work of any new parliamentary committee in shaping any new data privacy legislation?

“Well, the Data Privacy legislation will be reviewed anyway in the context of the European Directive – that’s a process that’s going ahead. The Commissioner Viviane Reding is leading that process and the ICO is very much engaged with our European colleagues in the Article 29 working party – we’ve been inputting into that study. We expect to see a draft of a directive in about November and then the legislative process will follow. In a few years’ time there will be changes to data protection law, because the directive on which it’s based will have changed. We don’t think there is much wrong with the principles, but we’re looking for legislation that is much more modern and realistic in terms of what actually happens in the world of global information exchange.”

 

The legislation has been behind the technology in terms of usage of it, hasn’t it?

“Absolutely. It’s very important that Brussels produces a legislative proposal which is reasonably future-proof – if you get the principles right then the principles can take the technological changes on board. If you’re overly prescriptive then you’ll come up with something that is highly relevant for 2013 but by the time it comes into law it’s probably outdated because of all of these other developments. The ICO, working with anyone who will listen to us, is stressing the accountability principle – that the legal responsibilities lie with the data controller, and that the role of the data protection authority is to regulate that relationship and intervene as and when necessary on the basis of risk, rather than pretend the data protection authorities can be like some latter day King Canute holding back the waves, and let’s not kid ourselves that no information moves across borders without some tick in the box from the Data Protection Authority. The current Directive, of course, is pre-cloud, but it ought to be clear that’s it’s a very outdated text that doesn’t take into account the realities of the modern world.”

Would you like to see greater powers for the ICO, such as the power to audit an organisation to investigate a serious data breach?

“We gained some extra powers under the Coroner’s & Justice Act, and we have found that doing consensual audits is going really well, more in the public sector than the private sector. We can run the ruler over a company’s compliance which can then be a badge of pride: “we’ve been checked over by the ICO”. There are powers to compulsorily audit government departments. I will go as far and as fast with the existing powers that I’ve got, but if I come to the conclusion that I’m not able to get anywhere-  that I can‘t audit  organisations – then I will certainly return to the Secretary of State. I can get warrants – I signed a warrant today. It would be more satisfactory to require an audit, probably as part of an undertaking to improve.”

At a recent ISSA chapter meeting, one speaker remarked that social engineering over the phone is often the seed for an attacker that allows them  either to guess a password or a weakness in a system or a process to exploit.  Many of the data breaches we have touched on this afternoon all start from an internal employee in an organisation. Do you think we are doing enough to educate employees in organisations to create a security culture?

“No I think we’re not and you absolutely put your finger on it when, in relation to this row about hacking, you have to ask the question: ‘how is it possible for the phones to be hacked?’ and the answer is: somebody has blagged, which they shouldn’t have done. That gets us back to section 55 of the Data Protection Act – it’s just too easy to blag and the penalty isn’t very impressive if you get caught. So I believe very strongly we’ve got to push for that [a custodial sentence] and I’m trying to get the politicians to see that this is something we need to do anyway – it’s going to take some time. Frankly we can’t wait [for the Leveson Inquiry] . We’ve got information leaking from databases, every day – and not, as I said earlier, to journalists particularly – because information is valuable and it’s making people a lot of money.  That’s the root of our problems – so if we’re concerned about cyber security then getting these basic things right is absolutely essential, and members of staff in all organisations need to see the connection between something which seems to them as a bit naughty, but not terribly bad, and the terrible things that happen as a result.”

Christopher Graham – thank you for your time this afternoon and we look forward to your address at the ISSA next month.

 

The Information Commissioner, Christopher Graham, was talking to Phil Stewart, Director, External Communications, ISSA UK. Christopher Graham will be addressing the ISSA at their next meeting on 8th September 2011 in London.