Personal details stolen from Kent Police automobile


Date Reported:
6/18/10

Organization:
Kent Police (UK)

Contractor/Consultant/Branch:
None

Location:


Victims:
Undisclosed

Number Affected:
Undisclosed

Types of Data:
"confidential personal information"

Breach Description:
"Kent Police have been rapped over the knuckles after confidential documents were swiped from an officer's car."

Reference URL:
KentOnline
ComputerWeekly

Report Credit:
KentOnline

Response:
From the online sources cited above:

The Information Commissioner's Office (ICO) has found Kent Police in breach of the Data Protection Act.

Documents containing confidential personal information were stolen from a police officer's car while it was parked overnight at a residential address.
[Evan] The documents were stolen from the "boot" of the policeman's car. We call it the trunk here in the U.S.

The information was passed to a local police station after being found the following day in a nearby street by a member of the public.

An ICO investigation found that the officer had not used his secure briefcase to transport the papers, nor had he been provided with a secure storage facility at his home.

The investigation concluded that Kent Police's policies and procedures regarding the transportation and storage of personal information away from the office needed to be improved.
[Evan] These policies and procedures need to be improved almost everywhere we (FRSecure) look.  I'll mention just a bit below.

Adrian Leppard, temporary chief constable of Kent Police, has now signed a formal undertaking to ensure that staff whose roles require them to have access to confidential information outside the office are provided with secure transportation and storage facilities.

The policies covering the transportation, storage and use of personal and protectively marked information will also be clarified, and all staff will be made aware of their requirements.

"It is essential that police forces ensure the correct safeguards are in place when storing and transferring personal information, especially when it concerns highly confidential information," said Sally-anne Poole, enforcement group manager at the ICO.

A lack of awareness of data protection requirements can lead to personal information falling into the wrong hands, she said.

Commentary:
Data classification, information labeling & handling, and training & awareness all play a big role in preventing breaches like this. Like almost everything in information security, acceptable practices and processes need to find their roots in policy. Does your organization have a Data Classification Policy? Does your organization have an Information Labeling and Handling Policy? How about an Information Security Training and Awareness Policy? If not, we need to start there.

Data Classification policies are much easier to write than they are to implement. At a minimum, this policy should document data classification levels (typically at least three), such as "Confidential", "Internal", and "Public"; roles and responsibilities, such as "Data Owner", "Data Custodian", and "Data User"; required protections for each classification level; and references to other supporting policies, such as an Information Labeling & Handling Policy and an Encryption Policy. It's really much simpler than it may appear, but like I said, implementation can be tricky. Anyway, I'm not going to bore you with more details here. If you want to know more, shoot me an email or something.


Past Breaches:
Unknown

 