From April 2013 until 30 June 2015, Royal & Sun Alliance Insurance Plc (RSA) contravened the Data Protection Act (DPA) by failing to ensure that an on-site storage device was securely protected.
The network-attached storage device (NAS) in question was stolen by a member of staff or a contractor with permitted access to the data server room. The device was password protected, but the data held on its disks was not encrypted, so the password offered no protection once the hardware had left the room. It contained personal data amounting to more than 75,000 names, addresses and various bank details.
The Information Commissioner's Office (ICO) fined RSA £150,000 on 10 January 2017 for this data breach. In its monetary penalty notice the ICO found that "RSA failed to take appropriate technical and organizational measures against the unauthorized or unlawful processing of personal data in contravention of the seventh data protection principle at part I of Schedule 1 of DPA… In particular; RSA did not encrypt the datasets prior to loading them on the device".
The ICO publishes the names of organisations found to be in contravention of the Data Protection Act, and since 1 December 2016 it has issued fines totalling more than £300,000.
What is data loss, and how does it differ from a data breach?
A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service (the definition used in the Privacy and Electronic Communications Regulations).
Data loss is therefore one type of data breach: the scenario in which data is lost, stolen or destroyed through neglect or failure. Note that it is a breach whether or not anyone is known to have read the data; in the RSA case the stolen NAS was never recovered, so RSA could not show that the data had not been accessed.
What are some of the legal implications of a data breach?
There are a number of tools available to the ICO for taking action to change the behaviour of organizations and individuals that collect, use and keep personal information. They include criminal prosecution, non-criminal enforcement and audit. The ICO also has the power to serve a monetary penalty notice to a data controller.
The ICO can also accept undertakings committing an organisation to a particular course of action in order to improve its compliance. Monetary penalty notices can require organisations to pay up to £500,000 for serious breaches of the Data Protection Act.
A data loss caused by hardware failure or theft is difficult to predict, so every organisation should take steps in advance to ensure it can recover from such a scenario and can show that the lost data was protected:
- Ensure personal data is encrypted at rest, with the encryption keys held separately from the storage device. A password on the device controls who can log in over the network; it does nothing for data on a disk that has been removed.
- Keep an encrypted off-site backup copy of personal data, so that theft or failure of the primary device does not also destroy the only copy.
- Manage security credentials for all staff and contractors who can access personal data, and revoke them promptly when access is no longer required.
- Ensure processes are in place to log who is accessing personal data, so that an incident can be investigated.
How can Redstor help mitigate the risk of data loss?
At Redstor we understand the importance of data security; we have been supporting organisations in this area for almost twenty years. In over 10 years of operating an Online Backup Service, Redstor have never lost data or suffered a security breach on any of our platforms.
Our backup solution, Redstor Backup Pro, uses the Advanced Encryption Standard (AES) with a 256-bit key. Data is encrypted before it leaves the customer's systems, remains encrypted throughout the backup process and is stored encrypted in our UK-based data centres. The encryption keys are provided and managed by the end user, so you remain in control of access to your data.
Living and breathing information security at Redstor helps our customers meet their data protection obligations in whatever industry they operate. Our internal information security subject matter experts continually review the security landscape and take action where required, and we publish articles in this area to help existing and prospective customers stay ahead.
Redstor are open to audit and scrutiny from existing and prospective customers, and we can provide access to our ISO 9001 and ISO 27001 processes online should you wish to verify them.