Commentary on the need for better data protection and cyber-security training
One of the more interesting aspects of last week’s indictment by US special counsel Robert Mueller was the news that personal data stolen through massive security breaches had been used to subvert the very pillars of democracy itself.
Russian hackers had taken the personal information and banking details of thousands of citizens and used it to post fake advertising and open social media accounts.
And in the UK, one Facebook policy director admitted to Parliament that Facebook was aware it was facilitating illegal political advertising funding from outside the UK – possibly through hacked accounts.
But what has this to do with local government?
Chief executives and senior managers were warned last November about the threat of cyber attacks on their council and the damaging impact it can have on residents and a local authority’s reputation.
A new report published today has found that councils have been hit by dozens of major personal data breaches in the past five years – with possibly horrendous results for society’s most at-risk.
Councils hold a lot of personal data – everything from home addresses to the details of children who have been referred to social services. Yet the people in charge of this data are often not trained in computer security as a matter of routine, let alone urgency.
This is important, as a London-based consultancy reported last year that 90% of cyber attacks were down to human error. Risk management, insurance brokerage and advisory company Willis Towers Watson found that organisations are exposed to cyber risk “even with state-of-the-art IT approaches”.
Historically, local authorities have faced massive fines from the Information Commissioner for major breaches of the Data Protection Act. Of course, the biggest contributing factor has not been a collapsing IT structure or outdated malware protection software, but rather that more commonplace source of frustration – human error.
Last August, Plymouth City Council launched an internal investigation after 218 residents were unknowingly made party to each other’s e-mail addresses through a council tax reminder. One employee had inadvertently sent out an e-mail with the addresses in the “cc” field rather than the “bcc” field.
And in the same month, Nottinghamshire CC paid out £70,000 in fines after the personal details of 3,000 vulnerable elderly residents were left in an open document on the council’s website.
Jennifer Krueckeberg, the lead researcher for the Big Brother Watch report published today, said: “We are shocked to discover that the majority of councils’ data breaches go unreported and that staff often lack basic training in cyber security. Local authorities need to take urgent action and make sure they fulfil their responsibilities to protect citizens.”
The report found that many of the councils’ data breaches were never reported externally to the Information Commissioner (ICO) – a crime under EU and UK law. And as of last week an advisory body to the European Commission ruled any breach must also be reported to the individuals affected.
The Article 29 working party has added a requirement for organisations to put in place technology that detects breaches and then informs anyone involved.
Or in the original French, as per the EU’s data protection law: data controllers should “inform promptly the supervisory authority and the data subject”.
But none of this makes a jot of difference until the core underlying problem is addressed – that council employees will err and err again – and the only apparent solution is more and better training.
By Robert Cusack, reporter