UK Council Fined £120,000 for Privacy Breach
Sensitive information was mistakenly sent, unencrypted, to the wrong person.
The UK Information Commissioner's Office (ICO) recently announced that the Stoke-on-Trent City Council has been fined £120,000 for e-mailing sensitive information on a child protection legal case to the wrong person.
"The 11 emails, sent on 14 December 2011, were intended for a lawyer working on the case but ended up being sent to another email address due to a typing mistake," writes ZDNet's Sam Shead. "The female solicitor realised her error when she spoke to the barrister, who told her that he had not received any emails from her on that day. In addition, the data was not sent over a secure network or encrypted, as required by the council's own guidelines."
"If this data had been encrypted then the information would have stayed secure," Stephen Eckersley, head of enforcement at the ICO, said in a statement. "Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure."
"In a statement to IT Pro, the council said it has now introduced a secure remote access system for staff working from home and added encryption to all of its portable devices," writes IT Pro's Caroline Donnelly.
"The case presents an interesting example of how important encrypted email is, even if there's no deliberate attacker trying to intercept messages," writes The Register's Bill Ray. "Privacy advocates have long argued that routine encryption of all messages would be to the benefit of all, comparing our existing email systems to a postal service comprised entirely of postcards, but lack (or proliferation) of standards and the desire for simplicity has stymied any such development."