According to the ICO  the  records were stolen during a burglary after a social worker employed by the  Borough of Barnet took the papers home from work.

The documents  listed the names, addresses and dates of birth of  vulnerable children and included references to their sexual activities.

The material was stored with an encrypted computer in a laptop bag which was taken during the burglary.

The council lost an unencrypted device in a previous burlary,  which contained personal data. This was stolen from the home of another Barnet council employee. The ICO investigation in this case,  found the council failed to take appropriate organisational measures against the accidental loss of personal data held on paper records.

“Although the council had an information security policy and some guidance for staff on handling sensitive papers, the measures failed to explain how the information should be kept secure,” the ICO found.

Simon Entwisle, the ICO’s director of operations, said: “The potential for damage and distress in this case is obvious. It is, therefore, extremely disappointing the council had not put in place sufficient measures in time to avoid this second loss. While we are pleased that Barnet Council has now taken action to keep the personal data they use secure, it is vitally important that organisations have the correct guidance in place to keep sensitive paper records taken outside of the office safe. This includes storing papers containing sensitive information separately from laptops.

While the council introduced a paper-handling policy following the first theft, this policy was not in place at the time of the second loss.”

The solution allows enterprises to create granular policy controls for content inspection, real time alerts and role-based workflow for supervisory review, logging and archiving. For organizations in regulated industries, including financial services, legal and healthcare, this is a critical step to reduce risk and ensure corporate compliance with regulatory, legal and corporate governance rules.

Collaboration tools, such as SharePoint, are changing the way enterprises conduct business, enabling the rapid creation and distribution of content and materials inside and outside organizations. Extending SharePoint features to monitor and manage publishing activities with contextual capture of content along with the creation of custom policies can help ensure compliance with corporate governance requirements and industry-specific regulations.

The Actiance platform provides robust security-enhanced compliance and management capabilities across a wide range of communication and collaboration systems. Enterprises can apply tailored polices and controls to comply with specific industry regulation, corporate governance, or legal-hold.

The platform also offers proactive features to monitor activity, including real-time alerts based on content detected and role-based reviews that include search capabilities and workflow review. Actiance users can both lower the costs needed to comply with regulatory, legal and corporate governance rules, as well as simplify policy control for the platform.

The fine was issued after a sensitive report was sent to the wrong person. According to the ICO, the error occurred when a letter containing a detailed psychological report of a mental-health patient had been sent to another former patient with a similar name.

A consultant emailed his letter to a secretary for formatting, but did not include sufficiently clear identifiers for the secretary to select the correct patient. The doctor had also used the spellings of both patients’ names in his email.

Further investigations revealed that neither the consultant nor the secretary had received any data protection training from the data controller, and that practices such as those that led to this incident were widely followed by clinical and secretarial staff within the organisation.

ABHB has signed an undertaking to ensure all staff are made aware of and  trained on the organisation’s policies on storage and use of personal data and  that there is appropriate and regular monitoring of compliance with policies on data protection and IT security, and that new checking processes are introduced across all sites to confirm a patient’s identity before personal information is sent out.

Stephen Eckersley, the ICO’s head of enforcement, said: “The health service holds some of the most sensitive information available. The damage and distress caused by the loss of a patient’s medical record is obvious, therefore it is vital that organisations across this sector make sure their data protection practices are adequate.

“Aneurin Bevan Health Board failed to have suitable checks in place to keep the sensitive information they handled secure. This case could have been extremely distressing to the individual and their family and may have been prevented if the information had been checked prior to it being sent.

“We are pleased that the board has now committed to taking action to address the problems highlighted by our investigation; however, organisations across the health service must stand up and take notice of this decision if they want to avoid future enforcement action from the ICO.”

Read the full ICO report on this data breach

The details were accessible all day to anybody logging on to the site and were available on the section in which commemorative medals, with individual race times inscribed, could be ordered.

Nick Bitel, the chief executive of the London Marathon, said: “We apologise for this error, and are grateful to the BBC for bringing it to our attention.

“We immediately made sure that the glitch was corrected.

“We do not believe that this has led to a substantial number of individuals’ details being accessed by members of the public.”

Read the full BBC report on this data breach.

The ICO was informed by the Council in May 2011 that a briefcase, containing documents to be used for initiating court proceedings, had been stolen from a social worker’s house during a burglary. These contained the sensitive personal data of 18 individuals which outlined details of neglect and requested the removal of the children from their parents’ care.

The social worker had asked for permission to take the reports home in order to continue work on them, and this was authorised by the relevant manager, in accordance with the Council’s procedures.

At the time of the incident, the employee’s manager had received the relevant training, but the social worker had not. The authority had a policy in place but this didn’t relate to the handling of paper documents while working from home.

Stephen Eckersley, the ICO’s Head of Enforcement said:

“Local authorities must recognise that social workers are handling some of the most sensitive information available. The fact that this information often relates to vulnerable young children means it is all the more important for these organisations to provide staff with adequate training and guidance on how to keep this information secure.

“While Leicestershire County Council already recognised the risks associated with home working and had produced guidance for their staff, the guidance did not explain how papers containing personal information should be kept secure.

“We are pleased that the Council have now committed to taking action to protect the personal information they handle and will extend its training programme to cover all staff who are regularly required to take this information outside of the office.”

Leicestershire County Council have committed to amending their existing policies to include detailed guidance relating to the security of paper documents while working from home, training staff on these amended policies, putting appropriate monitoring in place to ensure compliance, and implementing other security measures to ensure personal data is protected.

The ICO was informed by a member of the public in September last year that the personal details of individuals registered for an online competition on the company’s website, were accessible. These included names, addresses and dates of birth, along with contact information. The ICO’s investigation found that the measures in place at the time of the incident were not sufficient to detect that a Web design error had been made by a third party developer.

Stephen Eckersley, the ICO’s Head of Enforcement said:

“It is vital that, as ever-increasing amounts of our personal information are collected online, companies have the necessary safeguards in place to keep this information secure.

“We are pleased that Toshiba Information Systems (UK) have committed to ensuring that any changes to applications on their website are thoroughly tested by both the developer and themselves, in order to keep the personal information they are collecting secure. We would urge other UK organisations with interactive websites to make sure they have suitable checks in place before collecting peoples’ details online.”

Toshiba Information Systems’ (UK) commitment to take action to keep the personal data they handle secure includes the introduction of appropriate and proportionate data security testing on relevant Web applications before they are launched.

Article Source: ICO

The one device contained data relating to approximately 600 maternity patients, while the second contained the names and dates of birth of 30 children and full audiology reports for a further three children.

In the first instance, an employee downloaded the data to a personal memory stick to do some work at home. Due to not having received up-to-date information governance training, the employee was unaware that an encrypted device issued by the data controller should have been used.

The Information Commissioner’s Office (ICO) said in these incidents, the data was put at unnecessary risk by it not being encrypted, but both devices were later found and it is unlikely that they were readily accessible during the time they could not be located.

Read the SC Magazine article

New business efficiencies, infrastructure scale, and cost savings are being driven by virtualization and cloud services adoption, but this changing paradigm has challenged organizations to make the move to the cloud securely and smoothly, without disruption to their business, and without compromise to the protection of their sensitive data.

SafeNet’s focus on data-centric data protection and solutions that seamlessly extend trust from the data center to the cloud helps organizations remove the challenges that can often stall cloud deployments. SafeNet has been placed in the Leader’s Quadrant of the Gartner Magic Quadrant for Authentication. We have the broadest and strongest portfolio in the industry, as well as one of the largest global authentication footprints. Cryptocard has been placed in the Visionary’s Quadrant of the Gartner Magic Quadrant for Authentication, and they’re known for their product innovations, including one of the most advanced authentication-as-a-service offerings for both enterprises and service providers. SafeNet’s strength in data protection combined with Cryptocard’s innovative and flexible cloud architecture will now deliver secure, flexible, and cost-effective on-premise and authentication-as-a-service solutions to our customers worldwide.

Together, SafeNet and Cryptocard now offer the most complete solution available for strong authentication and access control, delivered both on premise and from the cloud, enabling organizations to:

• Increase flexibility and future-proof their strategy with the broadest range of authentication methods, form factors, and delivery models
• Reduce management time with full automation and seamless integration, including flexible migration from existing authentication solutions
• Reduce cost and optimize resources with a full range of software options, “zero touch” user self-service, and low “per user, per month” pricing options

This acquisition extends SafeNet’s leadership in authentication, supports our vision for delivering data protection both to and from the cloud, and changes the way organizations can deploy and manage their authentication strategies and platforms today and into the future. The addition of Cryptocard’s authentication-as-a-service capabilities will help customers around the world accelerate deployment of authentication solutions with even greater flexibility and lower cost to the business.

See the SafeNet Press Release on this acquisition

The council recognised that many employees use their own devices, at least some of the time, for work and tested a range of MDM solutions, with the ability to manage and secure multiple devices being a key requirement.

Read the full article here

The breached credit card processor was compromised between January 21 2012 and February 25 2012. VISA and MasterCard have warned that full Track 1 and Track 2 data was taken. This information could be used to counterfeit new credit cards. It is not yet known which U.S processor is the source of the breach or how many cards were affected.

Read more about this here