BreachExchange mailing list archives

ICO takes firms to task over lax data controls


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Fri, 27 Aug 2010 22:33:27 -0400

The Information Commissioner's Office (ICO) has hauled electronics
retailer DSG International over the coals for allowing sensitive
customer data to be dumped in a skip next to one of its PC World
stores.

The ICO said that DSG has been found in breach of the Data Protection
Act after customers’ credit details were found by rubbish collectors.

John Browett, chief exec at DSG Retail, said it was company policy to
send data in sealed documents to a facility for secure shredding, but
conceded that the firm would now need to carry out a review of both
security procedures and staff training.

Mick Gorrill, head of enforcement at the ICO, said: “Any organisation
collecting and holding personal information needs to ensure that
information is kept and disposed of safely and securely. This is an
important principle of the Act. Staff need to be aware of policies and
it is essential they receive appropriate training.”

Dixons was not the only firm to incur the wrath of the ICO, with the
Yorkshire Building Society also getting a tongue-lashing after an
unencrypted laptop containing personal information was stolen from one
of its offices.

The laptop was recovered two days later, and a forensic investigation
found that none of the data had been accessed. However, the ICO said
the building society was lucky not to have suffered a serious data
breach given that the passwords to the machine were left with it in an
unlocked desk.

“It is extremely concerning that an unencrypted laptop containing
large amounts of personal data was left unsecured overnight, together
with details of its passwords,” said Gorrill.

“What’s more, the fact that the employee did not require all the
information to carry out the task in hand created an unnecessary risk
which could easily have been avoided; employees should only have
access to information that is absolutely vital to work which is being
carried out.”

Some commentators will be urging the ICO to get tougher on these kinds
of incidents. Although it now has the power to fine organisations up
to £500,000, the ICO has been reluctant to do so.

This is in stark contrast to the FSA, which this week fined Zurich
Insurance a record £2.3m after a data breach.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
