ICO enforces first data breach fines – four steps to avoid them
Yet again, data breaches are in the spotlight. The Information Commissioner’s Office (ICO) issued its first data breach fines last week, effectively giving the Data Protection Act (DPA) “teeth.” The ICO showed that its bite lives up to its bark, penalising a local council and an employment services firm to the tune of a combined £160,000.
Future fines are largely avoidable if organisations adhere to security best practice. For a data breach to attract a financial penalty, the ICO must be satisfied that the breach was serious and likely to cause “damage or distress,” that it was either “deliberate” or “negligent,” and that the organisation “failed to take reasonable steps to prevent it.”
Information has become the lifeblood of organisations and it must be managed properly. To avoid further data breach fines, organisations need clear guidelines in place to determine how sensitive information is used.
Symantec offers a four-step guide to avoiding further data breach fines.
1. Develop and enforce a robust security policy that includes:
- Tight governance regarding use of customer data – it should not physically leave the premises unless absolutely necessary
- Use strong encryption appropriately for data that does have to leave the premises
- Restrict access to customer data only to those staff for whom it is essential
- Ensure that confidential data cannot be copied on to portable media such as USB sticks or CDs
- Monitor information leaving via email and websites for appropriateness
- Implement user education and awareness programmes within organisations, to reinforce the importance of protecting sensitive information
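The “monitor information leaving via email and websites” item is the one in this list that is usually automated. Below is an added example of the kind of outbound-content check that does it, written for this page and not taken from Symantec or any product: it scans a handful of constructed sample email bodies for two common customer identifiers, payment card numbers (validated with the Luhn checksum so that plain order references are not flagged) and UK National Insurance numbers (a simplified pattern, assumed here for illustration), and reports which messages should be held for review. The message texts, identifier patterns and function names are all assumptions for the example.

```python
"""Minimal outbound-content (DLP-style) check of the kind step 1 calls for.

Added example, not Symantec's code. Scans constructed sample email bodies
for payment card numbers (Luhn-checked) and UK National Insurance numbers
(simplified pattern) and reports which messages need review before they
leave the organisation.
"""
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Simplified UK National Insurance number: two letters, six digits, suffix A-D.
# The real scheme excludes some prefixes; that refinement is omitted here.
NINO_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid card numbers found in text, digits only."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def find_nino(text: str) -> list:
    """Return National Insurance numbers found in text, upper-cased."""
    return [m.group().upper() for m in NINO_RE.finditer(text)]


def scan_outbound(messages: dict) -> dict:
    """Map message id -> findings for every message that should be held for review."""
    flagged = {}
    for mid, body in messages.items():
        cards = find_card_numbers(body)
        ninos = find_nino(body)
        if cards or ninos:
            flagged[mid] = {"cards": cards, "nino": ninos}
    return flagged


# Constructed sample messages (not real data). 4111 1111 1111 1111 is the
# usual test card number; 1234567812345678 fails the Luhn check.
SAMPLE_MESSAGES = {
    "msg-1": "Hi, please find attached the Q3 figures. Regards, Sam",
    "msg-2": "Customer paid with card 4111 1111 1111 1111, exp 09/12.",
    "msg-3": "Payroll query for employee AB123456C, see HR.",
    "msg-4": "Shipment tracking: 1234567812345678 (not a card).",
}


if __name__ == "__main__":
    for mid, findings in scan_outbound(SAMPLE_MESSAGES).items():
        print(f"{mid}: hold for review, found {findings}")
```

Only msg-2 and msg-3 are held: the 16-digit tracking reference in msg-4 looks like a card number but fails the Luhn check, which is the kind of false positive a pattern-only rule would raise. In practice such a check would sit in the mail gateway and the detection patterns would be tied to the specific customer data the policy covers.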
2. Protect and manage all PCs, laptops and servers. Maintain active, up-to-date antivirus, anti-spyware and firewall protection.
3. Create strong passwords for all systems and hardware. Use at least eight characters with a combination of numbers, letters and punctuation marks, and don’t reuse a password that is already in use on another account.
4. Don’t forget non-electronic security.
- Shred any documents that contain identifying information before disposing of them
- Don’t leave financial documents and sensitive information in an unsecured environment, and limit access to facilities
- Regular education of employees can help improve awareness of appropriate behaviour
It’s clear that data breaches are not going away. And it’s more important than ever that organisations follow best practice to secure their sensitive information. As the ICO’s actions prove, organisations that get it wrong will pay dearly.
Jamie Cowper is a data protection specialist at Symantec.
Tags: data breach, encryption