The UK's Information Commissioner's Office (ICO) publishes details of its prosecutions, monetary penalties, undertakings and enforcement notices.
This week, two additional undertakings were published:
- Brecon Beacons National Park Authority for disclosure of personal data via its web site in two separate cases (undertaking, 18th April 2012)
- Toshiba Information Systems UK Ltd for unrestricted access to the personal data of 20 customers on its web site over a two-month period (undertaking, 17th April 2012)
The Toshiba incident is interesting because it specifically mentions lack of access control and the weakness of insecure direct object references. There's a good write-up about the Toshiba issue on the Web Application Security - From the Start blog.
The other most recent ICO actions relating to web sites (rather than paper, laptops, USB devices, email, fax, etc) were:
What can we learn about the ICO's specific expectations for organisations' online application compliance with the seventh data protection principle to protect against unauthorised and unlawful processing, accidental loss, destruction, and/or damage? The enforcement notices above suggest:
- There must be a policy for processing of personal data and staff must be made aware of it and given training which is monitored (Durham University)
- There must be a policy for the retention, storage and use of personal data and staff must be trained how to follow the policy (Brecon Beacons NPA)
- Publication of information must not contravene any relevant legislation regarding information disclosure (Brecon Beacons NPA)
- Some personal data (organisation dependent) must never be published on a website (Durham University)
- Access to personal data must require authentication and must have adequate authorisation checks (Brecon Beacons NPA, Toshiba, Dumfries and Galloway Council)
- Security of personal data must be considered when selecting suppliers of services (Andrew Jonathan Crossley/ACS Law)
- Third parties involved with developing/maintaining/operating web sites must be made aware of their requirements and responsibilities for protecting personal data (CEOP/SOCA)
- Contracts with third parties must define data protection responsibilities (CEOP/SOCA)
- There must be regular checks to ensure web sites remain secure, and any potential weaknesses must be identified very promptly (CEOP/SOCA)
- There must be measures in place, appropriate for the potential harm that could occur, to prevent accidental personal data loss (Andrew Jonathan Crossley/ACS Law)
- The risk to online systems must be re-assessed as threats change (Andrew Jonathan Crossley/ACS Law)
- Compliance with data protection and IT security policies must be verified and monitored (Durham University, Dumfries and Galloway Council)
- Expert advice must be sought when large amounts of personal data are being stored, processed or transmitted online (Andrew Jonathan Crossley/ACS Law)
- The findings of audits and security reviews must be assessed by management and either implemented or the risk formally accepted (Dumfries and Galloway Council, CEOP/SOCA)
- There must be technical measures to detect authorisation failures (Toshiba)
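The Toshiba undertaking is the one that names a concrete weakness, so here is an added illustration of it (example code written for this post, not code from Toshiba, the ICO or the original article): a customer lookup that trusts the record id in the request, beside a hardened handler that requires authentication, checks ownership and records every authorisation failure so that repeated failures can be detected. The customer records, user names, `AuthzLog` sink and the `enumeration_suspected` threshold rule are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample records keyed by a sequential id, the kind of value
# that appears in a URL such as /customers/1002 (not data from the post).
CUSTOMERS = {
    1001: {"owner": "alice", "name": "A. Example", "postcode": "AB1 2CD"},
    1002: {"owner": "bob",   "name": "B. Example", "postcode": "EF3 4GH"},
    1003: {"owner": "carol", "name": "C. Example", "postcode": "IJ5 6KL"},
}


def get_customer_vulnerable(record_id):
    """Insecure direct object reference: the id from the request is the only
    input, so any caller, authenticated or not, can walk 1001, 1002, 1003..."""
    return CUSTOMERS.get(record_id)


@dataclass
class AuthzLog:
    """Minimal sink for authorisation failures so they can be monitored
    (constructed for this example; a real service would ship these to SIEM)."""
    entries: list = field(default_factory=list)

    def failure(self, user, record_id, reason):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "record_id": record_id,
            "reason": reason,
        })

    def distinct_ids_for(self, user):
        return {e["record_id"] for e in self.entries if e["user"] == user}


def get_customer_hardened(current_user, record_id, log):
    """Same lookup with authentication, an ownership check and failure logging.
    Returns an (http_status, record) pair the way a web handler would."""
    if current_user is None:
        log.failure(None, record_id, "unauthenticated")
        return 401, None
    record = CUSTOMERS.get(record_id)
    if record is None or record["owner"] != current_user:
        # One response for "missing" and "not yours": answering 404 for
        # unknown ids and 403 for others would reveal which ids exist.
        log.failure(current_user, record_id, "not_owner_or_missing")
        return 403, None
    return 200, record


def enumeration_suspected(log, user, threshold=3):
    """Detection rule (assumed threshold): one user failing authorisation on
    several distinct ids is the trace an id-walking probe leaves behind."""
    return len(log.distinct_ids_for(user)) >= threshold


def probe_as(user, ids):
    """Run a sequence of lookups as one user; return the statuses and the log."""
    log = AuthzLog()
    statuses = [get_customer_hardened(user, rid, log)[0] for rid in ids]
    return statuses, log


if __name__ == "__main__":
    print("vulnerable lookup of 1002:", get_customer_vulnerable(1002))
    statuses, log = probe_as("alice", [1001, 1002, 1003, 1004])
    print("hardened lookups as alice:", statuses)
    print("enumeration suspected:", enumeration_suspected(log, "alice"))
```

The two expectations in the list above map onto two parts of the handler: the ownership check is the "adequate authorisation check", and the log plus the threshold rule are the "technical measures to detect authorisation failures"; without the log, the hardened handler would still block the request but leave nobody any the wiser that twenty records had just been tried.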
We can also draw additional expectations from the ICO's Data Sharing Code of Practice section on security. Those might be summarised as:
- Technical security measures must be appropriate for the system in use and the type of data held and processed (Data Sharing Code of Practice)
- When data encryption is used, it must be selected, implemented and managed appropriately (Data Sharing Code of Practice)
- The most common security risks must be identified (Data Sharing Code of Practice)
- There must be suitable access control (authentication, authorisation and session management) with appropriate assignment of privileges based on a "need-to-know" basis (Data Sharing Code of Practice)
- Information in transit must be protected (Data Sharing Code of Practice)
These are just my own interpretation and, of course, they will not be all the ICO's expectations, but they are the ones of which we are now aware. Additionally, data in online applications may also be exposed in related processes (often email, or transfers between systems, and during development, testing and operation, where data may exist on paperwork, on mobile devices and in archives and backups). Examine the other enforcement notices for the ICO's expectations in these other channels.
If you want to keep up to date with application (and other) data loss incidents that subsequently lead to regulatory action in the UK (typically by the FSA or ICO), use Breach Watch. For incidents further afield, see the Web Hacking Incident Database (WHID).