Infosecurity-Magazine.com reports on an insider breach where the consequences just don’t seem severe enough. The breach occurred on April 28, 2011, and was prosecuted by the Information Commissioner’s Office under Section 55 of the Data Protection Act:
When he learned that he was being made redundant from his position as Community Health Promotions Manager at a council-run leisure center, he emailed sensitive medical information on 2471 people to himself to help establish his own new company.
Paul Hedges managed the council-run Active Options GP referral service at the Bitterne Leisure Center, Southampton. This service allowed local GPs to refer patients with certain health conditions (such as obesity, diabetes, arthritis, and cardiac and mild mental health issues) to the leisure center for fitness training. The process required the transfer of some medical notes from the GP to the leisure center.
[…]
Yesterday at West Hampshire Magistrates Court he was fined £3,000 and ordered to pay a £15 victim surcharge and £1,376 prosecution costs. Information Commissioner Christopher Graham used the incident to press his campaign for tougher sanctions. “This case shows why there is a need for tough penalties to enforce the Data Protection Act,” he said. “At very least, behavior of this kind should be recognized as a ‘recordable offense’ which it isn’t now. For the most serious cases the current ‘fine only’ regime will not deter and other options including the threat of prison should be available. The necessary legislation for this is already on the statue book but needs to be activated.”
[…]
Dan Worth of V3 also reports on the case. The Information Commissioner’s Office press release on the case can be found here.
Over here, this would be one of those “exceeding authorized access” charges, I think. Certainly, criminal charges could be brought here, and I would have liked to have seen criminal charges with possible jail time in this U.K. case, as this is theft of sensitive information for purposes of financial gain. I agree with the ICO that just financial penalties aren’t enough to deter.
In this case, the ICO did not find fault with Southampton Council, as reported by Infosecurity Magazine:
In this instance, an ICO spokesman told Infosecurity that it considered that the council had taken adequate precautions to protect the data, including limiting access to those with a ‘need to know’. Hedges, however, had that need for access, and the ICO decided that it was his illegal act rather than any negligence on the part of the council that was to blame.
What are the boundaries here, though? Should a data controller like the council have no responsibility for preventing an insider breach other than issuing login credentials to those authorized to access a database? I realize this happened in April 2011, but should councils be expected to have protections in place that would prevent the extraction of data via email attachments to employees’ personal email accounts? What’s reasonable to expect of data controllers?