On 2nd February 2015, the ICO published its decision to fine online holiday insurance company Staysure £175,000, after the company’s IT security failings let hackers access over 100,000 customers’ personal data, leading to more than 5,000 cases of credit card fraud. The ICO found that Staysure had no policy in place to maintain its IT security systems and had therefore breached the seventh principle of good information handling, stated in Schedule 5 of the Data Protection Act 1998 (DPA), namely that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
In publishing this decision, the ICO referred to its May 2014 report entitled "Protecting personal data in online services: learning from the mistakes of others". The report investigated what were, at that time, the most common IT security failings behind the data breaches the ICO had investigated. Although IT security threats have developed at a dizzying pace in the intervening year, and the failings listed in the report seem largely common sense, it is nevertheless worthwhile checking that your IT strategy is, at a minimum, equipped to deal with these issues:
1. Software bugs. Failing to apply security updates leaves software increasingly vulnerable over time. If a software vendor discontinues technical support, harmful bugs may go unpatched. It is important to pick the appropriate update for each hardware asset and to ensure that all assets are covered by the updates.
2. Structured Query Language (SQL) injection flaws. SQL injection is a code injection technique whereby attackers access personal data by taking advantage of coding errors in web applications. The attacker supplies input that the application passes to the database as instructions, written in SQL, which allows the attacker to gain access. To mitigate this problem, the source code of any application used, whether externally or internally, must be carefully developed and maintained. If your company's code is internally developed and maintained, take extra care to uphold coding standards by implementing appropriate training to avoid SQL injection.
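The coding error the ICO describes, shown as an added example that is not from the ICO report or the original article: a lookup that concatenates user input into the SQL text beside the same lookup written as a parameterised query. The customer table and its rows are constructed sample data.

```python
import sqlite3


def build_db():
    """Constructed sample data (not a real insurer's schema): a customer table holding personal data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, postcode TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, postcode) VALUES (?, ?)",
        [("alice@example.com", "SW1A 1AA"), ("bob@example.com", "EC1A 1BB")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable: the user's input is pasted into the SQL statement, so quotes
    and keywords in the input become part of the query the database executes."""
    query = "SELECT email, postcode FROM customers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    """Hardened: a parameterised query sends the value separately from the SQL text,
    so the input can only ever be compared as data and cannot alter the statement."""
    return conn.execute(
        "SELECT email, postcode FROM customers WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    malformed_input = "' OR '1'='1"  # a classic textbook input; legitimate e-mail addresses never contain it
    print(lookup_vulnerable(db, malformed_input))  # every customer row: the WHERE clause became always-true
    print(lookup_safe(db, malformed_input))        # []: no customer has that literal e-mail address
```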
3. Running more services than necessary. Avoid running any unnecessary services to reduce the risk of attackers compromising personal data. An example of a high-risk service is telnet, which the ICO says should be avoided where possible. Carry out regular reviews to identify services that have become unnecessary, and decommission any IT services that become obsolete as soon as possible to reduce the risk of an attack on the personal data held on that system. Older or temporary services are often the most susceptible to attackers once they are forgotten and no one checks them for risks at all. Diarise checks to disable services once they become unnecessary.
4. Failing to decommission hardware and systems appropriately. All components of a service should be decommissioned, not just the main element, and you should always double-check that the system has in fact been disabled. Hardware should be disposed of by a member of staff with a suitable level of authority who knows how to do so, and/or by specialist asset disposal companies where appropriate. If devices are recycled, all personal data should be effectively removed beforehand.
5. Weak passwords. The age-old vulnerability of any IT system. An attacker who knows or can easily guess a user's password can impersonate that user and gain access to a system (and often several systems, since the same password is frequently reused elsewhere). Organisations should only allow users to choose "strong" passwords, including, for example, uppercase and lowercase letters, numbers and symbols, and should prompt users to refresh them at reasonable intervals. Companies should ensure, where possible, that they do not use default passwords, usernames and other credentials that can easily be found or guessed by attackers. It is good practice never to hard-code credentials into software or to transmit them in plain text, as the credentials could then become easily accessible to attackers and the stored personal data compromised. A password authentication service may also be appropriate in some cases to add a further layer of protection. Poor password handling is often only considered after a data breach, when it is too late.
Other methods for strengthening password protection include "hashing" and "salting":
Hashing: the system converts the password into a hash value and stores only that hash, never the password itself. When the user later enters their password, the hash is recalculated and compared against the stored hash. Only if the two values match is the user authenticated.
Salting: a salt is a string of random data unique to each user. It is stored alongside the hash, and when the user enters his or her password, the password is combined with the stored salt before it is hashed; only if the resulting hash matches the stored hash is the user authenticated. Because each user's salt is different, two users with the same password end up with different stored hashes.
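The hashing and salting scheme just described, as an added example that is not code from the article or the ICO report. It uses Python's standard-library PBKDF2 with a random per-user salt and a constant-time comparison; the record format `algorithm$iterations$salt$hash` is an assumption chosen for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 600_000  # work factor: slows down offline guessing if the stored hashes leak


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce the record that is stored instead of the password itself.
    The salt is random and unique per user; it is kept next to the hash so that
    verification can recompute the same value later. Format (assumed for this
    example): algorithm$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash of the candidate password with the stored salt and
    compare it to the stored hash in constant time. Only a match authenticates."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False  # unknown or legacy record: refuse rather than guess
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    record_a = hash_password("correct horse battery staple")
    record_b = hash_password("correct horse battery staple")
    print(record_a != record_b)                          # True: different salts, different hashes
    print(verify_password(record_a, "correct horse battery staple"))  # True
    print(verify_password(record_a, "wrong password"))  # False
```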
6. Incorrectly configured encryption schemes. Secure Sockets Layer and Transport Layer Security were recommended to encrypt communications across the internet. Encryption schemes pose IT security risks where they are configured incorrectly, so users must ensure that they are using the most up-to-date version to maximise security. Further, digital certificates are issued to users of these schemes, and the validity of a certificate should always be ascertained to ensure that the organisation has control of the domain name for which the certificate is issued.
7. Poor system design. Inadequate security architecture leads to data leaks. To overcome this failing, the ICO recommended segregation of production, development and testing environments, as well as segregation of functions. With separate environments, personal data held in one environment remains protected if the security of another is compromised. Segregated functions help a company ensure that the public has no direct access to functions handling personal data, as opposed to functions that are deliberately exposed to the public. Mechanisms such as firewalls and internal routers can be used to control access between segments so that there is no unauthorised access to sensitive information, and internal policies can then be tailored to best protect the personal data in each segment. Regular off-site and on-site backups can also help protect against data loss or damage.
8. Incorrect storage of personal data. If documents containing personal data are left in places accessible to the public, there will be a breach. Personal data should be identified as such and kept in an electronic location accessible only to those specifically authorised. In particular, web servers should expose only the data that is intended to be exposed; everything else should be kept private. Clear company policies should be in place regarding where personal data may be stored and processed, and training on these policies is crucial.
If one was to consider a further IT failing, given IT developments since May 2014, it would no doubt be companies failing to carry out proper due diligence and audits on third party cloud service providers to whom services are increasingly being outsourced.
Under section 4(4) of the DPA, a data controller is under a duty to comply with the data protection principles in relation to all personal data in respect of which he is the data controller. If this duty is breached, the Commissioner may impose monetary penalties on the data controller under section 60 of the DPA, and those penalties are about to shoot up to €100 million or 5% of annual worldwide turnover. Directors can also be held personally liable if they contributed to the breach.
An effective and meaningful IT security policy is one that is constantly under review, so that it can adapt to the latest threats relevant to the sectors in which the business operates and the range of functions it performs. Still, the above points are a helpful checklist of the minimum that any company should be considering in connection with its IT strategy and incorporating into its training programmes and policies to protect the personal data it stores.