
Thursday 15 March 2012

ICO fines police force, as US health insurer coughs up $1.5m

The Information Commissioner's Office (ICO) issued its first monetary penalty to a police force after papers containing sensitive information were discovered on a street in Blackpool.

The fine of £70,000 was issued to Lancashire Constabulary after a missing person's report on a fifteen-year-old girl was found by a member of the public. The document included details of the girl's age, address, contact information and sexuality, and also recorded that she had previously been sexually assaulted. Personal details of 14 other individuals, including the girl's original attacker, were also included in the report.

The ICO reported that the document had previously been used by an officer trying to locate the missing girl and is assumed to have been left in a police vehicle, where it lay undiscovered for several days. The report is then believed to have fallen out of the vehicle when it was used by another officer to attend the scene of an incident; it was found by a member of the public the next day.

The ICO's investigation found that the constabulary did not record when sensitive personal information was taken outside the police station, that officers were not supplied with secure bags for storing personal information, and that they received no specific training on how to protect hard-copy documents outside the station.

Steve Eckersley, head of enforcement at the ICO, said: “The fact that information as sensitive as this can go missing without anybody realising is incredibly worrying, and shows that Lancashire Constabulary did not have the necessary governance, policies and suitable training in place to keep the personal information they handle secure.

“While we are pleased that Lancashire Constabulary has agreed to take action to make sure people's information is safe, it is extremely important that police forces have effective data-protection policies in place for electronic and paper-based systems if they are to operate with the trust and confidence of the public they serve. This includes keeping a record of where personal information is being stored and used.”

In the US, the Department of Health and Human Services Office for Civil Rights has fined Tennessee-based health insurance provider BlueCross BlueShield $1.5m, after a theft in which hard drives containing health information on more than a million customers were stolen.

According to Knoxville's knoxnews.com, BlueCross BlueShield said the hard drives were stolen from a data-storage closet at a former call centre. The 57 hard drives, stolen in 2009, included customers' names, Social Security numbers, diagnosis codes, dates of birth and health-plan identification numbers.

The US Department of Health and Human Services Office for Civil Rights said the company "did not implement appropriate administrative safeguards to adequately protect information" at the facility and did not have adequate access controls. BlueCross BlueShield has agreed to a 450-day corrective action plan to address gaps in its HIPAA compliance programme.

Since the theft, the company said it has spent nearly $17m on its investigation, notification and protection efforts. Tena Roberson, deputy general counsel and chief privacy officer for BlueCross, said in a statement that it has "worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times".

Chris McIntosh, CEO of ViaSat UK, said: “This loss contains a painful lesson, not only for BlueCross, but for the million-plus customers whose personal data has been taken. Data should never be assumed to be safe: whether on a CD, a memory stick, a laptop or a server, it should be protected to the highest level possible to avoid punishments such as this.

“Organisations in the UK may ask how this affects them, but the lessons are clear. First, while the US Office for Civil Rights clearly currently has the ability to impose larger fines, the UK's ICO is still champing at the bit to do so against any organisation guilty of a similar transgression, with the financial and reputational damage that implies.

“Second, BlueCross has admitted to spending nearly $17m on its notification, investigation and protection efforts since the original loss. This dwarfs the federal fine and shows quite clearly that the real costs of a data breach will far exceed a simple one-off penalty.”
