BreachExchange mailing list archives

IT systems left unsupported create risk of data breach, warns watchdog


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 8 Apr 2014 18:41:35 -0600

http://www.out-law.com/en/articles/2014/april/it-systems-left-unsupported-create-risk-of-data-breach-warns-watchdog/


The Information Commissioner's Office (ICO) has warned businesses to ensure
that the personal data they are responsible for is not left exposed to
security vulnerabilities in IT infrastructure.

The warning has been issued as Microsoft brought to an end the "extended
support" it offered for its Windows XP and Office 2003 products on 8 April.
The Crown Commercial Service has announced that it has signed a deal with
Microsoft to "maintain critical and important security updates" for the
software on behalf of all public sector organisations in the UK over the
next year.

"It is important to remember that this is not a unique situation," Dr Simon
Rice, the ICO's technology group manager, said. "Organisations regularly
end support for their older products. And those with supported systems
still need to be vigilant, as vulnerabilities will be discovered over time."

"As a responsible data controller, it is your organisation's responsibility
to make sure you have the measures in place to keep people's details safe.
Anyone using either of these two products must consider their options and
ensure that personal data is not unduly placed at risk. Failure to do so
will leave your organisation's network increasingly vulnerable over time
and increases the risk of a serious data breach that your actions could
have prevented," he added.

Under the Data Protection Act (DPA) data controllers are required to take
"appropriate technical and organisational measures" to ensure against the
"unauthorised or unlawful processing of personal data and against
accidental loss or destruction of, or damage to, personal data". Businesses
that fail to meet this standard risk being fined up to £500,000 by the ICO
if there is a serious personal data breach.

The ICO confirmed to Out-Law.com that, in the case of a data breach
stemming from an unsupported IT system, the length of time the system had
been left unsupported would be a factor in determining whether, and to what
extent, the business would face enforcement action under the DPA.

"If a data breach occurred that could have been prevented had the
organisation been using a supported system then we would take this into
account when deciding whether further action was required," an ICO
spokesperson said. "Unsupported systems become more insecure as time
passes, so we would also need to consider the length of time an
organisation has been using an unsupported system and the reasons why as
part of our decision making process."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
