With all the news about the PSNI data breach this week, I was reminded of something that happened many years ago, when I worked in-house at a housing association; an executive director emailed me about a news story and asked me the question “this couldn’t happen here, could it?”
A housing association had suffered a large data breach.
This executive clearly hoped, even expected, me to say "no, of course it couldn't happen here, we're safe as houses" (pun intended).
But I couldn’t say that without lying!
Instead, my answer was along the lines of:
“Yes, it could definitely happen here! We’ve been lucky so far that we’ve not had a similar data breach, and we should continue to improve our data protection processes to strengthen our defences.”
When GDPR was on the horizon, countless consultants were shouting "FINES, FINES, FINES!" to scare clients and potential clients into complying (or at least into buying the consultants' services).
Since then, however, fines in the UK have been rare, and the ICO now tends to issue reprimands instead.
So executives and senior leaders could be forgiven for thinking – fleetingly! – that data breaches aren’t the big deal they once worried they were.
PSNI Data Breach
Until they hear news like this week’s data breach at the Police Service of Northern Ireland (PSNI), and the cyber attack at the Electoral Commission.
Granted, the identities of PSNI officers are likely to be more sensitive, and more dangerous in the wrong hands, than data about your customers or colleagues on the whole, but that certainly doesn't mean you shouldn't worry about breaching your own people's data.
Apart from the harm that could come to individuals if their data is leaked (fraud, scams, harassment, and the worry and stress that go with them), organisations should expect customers and employees to raise complaints and queries, make Subject Access Requests, and lose trust in the organisation, for starters.
What can we learn from the recent data breaches in the news?
I’m not a technical person, so I can’t pretend to understand how the Electoral Commission data was accessed by what’s been described as “Hostile Actors”.
But I can understand how the PSNI data came to be inadvertently shared in response to a Freedom of Information Act (FOIA) request. And I’m sure anyone working in Information Rights will feel the same.
We understand the pressures the junior member of staff quite likely experienced: responding to requests against time limits, the lack of support, and the stress of it all.
In contrast, quoted in The Guardian, Sammy Wilson, a Democratic Unionist party MP, said “questions have to be asked about how come the police in Northern Ireland do not have a process which ensures that information such as this is checked, rechecked, filtered out before it ever gets made public.
“That’s not the job of some lowly police officer or administrative officer within the PSNI. That’s a job which should be carried out and responsibility held for by senior police officers, right up to the head of police, because of course he will be the one who sets the policy.”
I’ve heard and seen similar comments from other people in the last couple of days too, from people who don’t work in Information Rights / FOIA.
In my experience, contrary to what Sammy Wilson said, responding to FOIA often is the job of an administrative officer.
I’d be interested to hear about your experience too – does it align with mine, that FOIA requests, and similar, are often delegated to admin and junior roles?
Knee-jerk reaction to PSNI data breach
If so, I can tell you one thing that won’t prevent similar breaches in future – banning spreadsheets and only sending out pdfs in response to FOIA requests!
This knee-jerk reaction, which doesn't actually help (and could even conflict with the FOIA requirement to provide datasets in a re-usable form where reasonably practicable), is what has been announced as "immediate steps to remedy" the issue.
Northern Ireland’s Chief Constable Simon Byrne told a press conference, as quoted in Belfast Live: “For what we understand has caused the breach we have taken immediate steps to remedy that, so in effect in future nothing else will be issued on a spreadsheet, it will go in a PDF format so that it can’t link to another part of information.”
Sadly, this displays a lack of understanding of how PDFs work, and of the fact that there's obviously a bigger problem here. A PDF exported from a spreadsheet still contains whatever was in the sheets that were exported, and a PDF carries its own metadata and can embed files; changing the file format does nothing about the step that actually failed, which is that nobody checked what the file contained before it was sent. As a former senior PSNI officer told the Belfast Telegraph, "a data breach so catastrophic can't be blamed on a single member of staff, it's a systemic failure, it shouldn't be possible this can happen by a 'slip of a pen' so to speak".
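As an added example (my own code, not the post's and not anything the PSNI uses), here is the kind of check that addresses the real failure rather than the file format: it opens an .xlsx container with the Python standard library alone and lists every sheet, hidden or not, every hidden row and column, every defined name and any embedded part, so the person releasing the file sees what it actually contains rather than what the first tab shows on screen. The workbook it inspects is constructed inline and holds no real data; the sheet names, column layout and the wording of the findings are my assumptions.

```python
"""Pre-release inventory of an .xlsx workbook, standard library only.
Added example, not from the original post. An .xlsx is a zip of XML parts,
so the container is read directly; no Excel needed. Sample data is constructed."""
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
RID = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}id"


def _sheet_details(z, part):
    """Hidden columns, hidden rows and populated-cell count for one sheet part."""
    root = ET.fromstring(z.read(part))
    hidden_cols = []
    for col in root.iter(MAIN + "col"):  # <col min max hidden="1"/> ranges
        if col.get("hidden") in ("1", "true"):
            hidden_cols.extend(range(int(col.get("min")), int(col.get("max")) + 1))
    hidden_rows = [int(r.get("r")) for r in root.iter(MAIN + "row")
                   if r.get("hidden") in ("1", "true")]
    cells = sum(1 for c in root.iter(MAIN + "c")  # value or inline string present
                if c.find(MAIN + "v") is not None or c.find(MAIN + "is") is not None)
    return hidden_cols, hidden_rows, cells


def inventory_workbook(data):
    """Return what the workbook actually contains, not what its first tab shows."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        targets = {rel.get("Id"): rel.get("Target") for rel in rels}
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        sheets = []
        for s in wb.iter(MAIN + "sheet"):  # every tab, including state="hidden"
            target = targets[s.get(RID)].lstrip("/")
            part = target if target.startswith("xl/") else "xl/" + target
            cols, rows, cells = _sheet_details(z, part)
            sheets.append({"name": s.get("name"), "state": s.get("state", "visible"),
                           "hidden_cols": cols, "hidden_rows": rows, "cells": cells})
        defined = [(d.get("name"), d.text) for d in wb.iter(MAIN + "definedName")]
        extra = [n for n in z.namelist()  # embedded objects, images, comments
                 if n.startswith(("xl/embeddings/", "xl/media/", "xl/comments"))]
    return {"sheets": sheets, "defined_names": defined, "extra_parts": extra}


def release_findings(inv):
    """Each finding is something a reviewer must consciously accept before sending."""
    out = []
    if len(inv["sheets"]) > 1:
        out.append("workbook has %d sheets: %s" % (
            len(inv["sheets"]), ", ".join(s["name"] for s in inv["sheets"])))
    for s in inv["sheets"]:
        if s["state"] != "visible":
            out.append(f"sheet '{s['name']}' is {s['state']} but holds {s['cells']} cells")
        if s["hidden_cols"]:
            out.append(f"sheet '{s['name']}' has hidden columns {s['hidden_cols']}")
        if s["hidden_rows"]:
            out.append(f"sheet '{s['name']}' has hidden rows {s['hidden_rows']}")
    out += [f"defined name '{n}' points at {ref}" for n, ref in inv["defined_names"]]
    out += [f"embedded part present: {p}" for p in inv["extra_parts"]]
    return out


def build_sample_workbook():
    """Constructed sample (no real data): a visible summary tab with a hidden
    column, plus a hidden second tab holding the row-level data behind it."""
    ns = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    rns = 'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"'
    rtype = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet"

    def cell(ref, text):
        return f'<c r="{ref}" t="inlineStr"><is><t>{text}</t></is></c>'

    summary = (f'<worksheet {ns}><cols><col min="3" max="3" hidden="1"/></cols><sheetData>'
               f'<row r="1">{cell("A1", "Rank")}{cell("B1", "Headcount")}{cell("C1", "Source")}</row>'
               f'<row r="2">{cell("A2", "Constable")}{cell("B2", "40")}{cell("C2", "see tab 2")}</row>'
               '</sheetData></worksheet>')
    source = (f'<worksheet {ns}><sheetData>'
              f'<row r="1">{cell("A1", "Surname")}{cell("B1", "Initials")}{cell("C1", "Station")}</row>'
              f'<row r="2">{cell("A2", "Example")}{cell("B2", "A B")}{cell("C2", "Station 1")}</row>'
              '</sheetData></worksheet>')
    workbook = (f'<workbook {ns} {rns}><sheets>'
                '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
                '<sheet name="Officer list" sheetId="2" state="hidden" r:id="rId2"/></sheets>'
                "<definedNames><definedName name=\"SourceData\">'Officer list'!$A$1:$C$2"
                "</definedName></definedNames></workbook>")
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{rtype}" Target="worksheets/sheet1.xml"/>'
            f'<Relationship Id="rId2" Type="{rtype}" Target="worksheets/sheet2.xml"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/_rels/workbook.xml.rels", rels)
        z.writestr("xl/worksheets/sheet1.xml", summary)
        z.writestr("xl/worksheets/sheet2.xml", source)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in release_findings(inventory_workbook(build_sample_workbook())):
        print(" -", finding)
```

Run against the sample it reports four things the sender has to sign off on: a second tab exists, that tab is hidden yet holds six cells, the summary tab has a hidden column, and a defined name points straight at the hidden data. None of those would be caught by a rule that says "send a PDF instead"; they are caught by looking at the file before it leaves, which is the process step the quoted MP says was missing.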
Being prepared for, and responding to, data breaches
How should corrective actions be identified, instead of a knee-jerk reaction, and what else should all organisations have in place to both prevent and respond to data breaches?
Being prepared for cyber-attacks, and other data breach incidents (as well as many other types of risk) should include the following steps:
Risk assessing and planning for likely incidents.
Recognising – being able to recognise a breach has occurred as soon as possible.
Reducing the risk – by containing the incident and taking mitigating actions.
Reporting as appropriate – including to customers and colleagues, as well as the appropriate authorities.
Reviewing – how well the incident was handled, and what can be learned for future.
It's important not to rush the Review stage. Instead, carefully reconstruct what happened in the run-up to the breach, and keep going back in time, asking "how did that happen?" at each step, until you've asked it around five times.
For example, if someone made a simple mistake, the answer shouldn’t be simply “human error” and your corrective action shouldn’t be simply “remind everyone to be more careful”.
Ask how the person came to make a mistake – were they rushing or stressed for a reason you can track back? Was there a lack of appropriate tools available, or a lack of robust processes?
Once we have identified a few "layers" of causes of the breach, we can start to consider what actions can be taken to prevent something similar, actions that are both proportionate and effective. I'm pretty sure that if this had been followed for the PSNI breach, we wouldn't have ended up with a simple "replace spreadsheets with PDFs!"
Data Management Strategies
We’ll be exploring ideas for Data Management Strategies at our very first conference, The Hive Live on 25th September.
The event is for everyone working with data (i.e. everyone!) not just Data Protection professionals. As the Housing Ombudsman stated in the Spotlight on KIM report ‘senior leaders [need to be] clear about the importance of Knowledge and Information Management (KIM), and their standards and expectations.’
The Hive Live aims to bring Data Protection professionals and experts in other areas of business together, instead of working in silos, in a day of sharing knowledge, listening, learning, planning, and meeting friends old & new, in the interactive & engaging sessions.
Find all the details here: The Hive Live; Blocker to Builder
If we’re not already connected, please do find me and follow me in all the usual places using the links below.