Leicester City Council data breach
Leicester City Council inadvertently disclosed details of "hundreds, potentially thousands" of vulnerable people.
The data breach involved sending a spreadsheet to 27 companies while getting tenders to transport people in care or with special needs.
The original e-mail containing a 23MB spreadsheet called “Taxi Tender Live v 3” contained passenger information. All companies were asked in a recall e-mail to delete the e-mail and then delete the e-mail from the Deleted Items folder and not open or read it.
For some children this included information on care arrangements to protect the child from harm – so this disclosure is particularly worrying. Each of the firms is under contract with the Council. This may give the council more leverage with the firms than sending to members of the public.
Our comments
Over half of the breaches reported to the Information Commissioner in the three months to September 2017 involved some form of human error. Examples included failure to redact, but a quarter of breaches still involve posting or e-mailing to the wrong recipient.
Councils protectively mark sensitive information to help prevent these kinds of errors.
A file containing hundreds or thousands of personal records should be marked as RESTRICTED. This reflects the high degree of inconvenience, embarrassment or distress that would be caused to the individuals by its disclosure. Individual Council policies can vary, but the transmission of a RESTRICTED file normally requires signed authorisation from the asset’s owner. Clearly the process broke down in this case.
Avoid turning a DP crisis into a PR disaster
Crisis management is an important part of a CISO’s role – not least because you cannot prevent human error. Given that some 51% of data breaches are still down to human error, the numbers aren’t going to get better any time soon.
- INVESTIGATE the disclosure. It is essential you manage by fact but you also need to move quickly. You need to focus on the information disclosed and who is affected. Now is not the time to look at what went wrong or who was responsible. That will come later, for now you don’t have the luxury of time.
- PROTECT the individuals. You need to consider what steps need to be taken to minimise the impact of the disclosure. It may not be sufficient to send a recall e-mail requesting the information be deleted 24 hours after the event. In this case phone calls and a follow-up visit to the recipient firms was not out of the question as there were only 27 of them. It would have demonstrated they were taking things seriously.
- COMMUNICATE, but get your facts right! This may include responding to enquiries from the press or social media. Until you have solid, watertight figures you should avoid reporting numbers. It will simply undermine your credibility when you inevitably end up revising them – whether up or down.
Changes under GDPR
- Contact the ICO within 72 hours of a data breach.
- In many cases you will need to contact the individuals affected as well.
- There are special restrictions on protecting information belonging to children.
- Fines will rise from a maximum of £500k to €20 million or 4% of annual turnover.
Human error makes up 51% of UK data breaches July – September 2017
- E-mailing the wrong recipient – 14.6%
- Posting / faxing to the wrong recipient – 12.8%
- Failure to redact data – 10.3%
- Data left in an insecure location – 5.7%
- Failure to use blind carbon copy in e-mails – 4.8%
- Insecure disposal of paperwork – 1.7%
- Verbal disclosure – 1.5%