A regional British police service has been fined £70,000 ($A104,000) for losing a missing person's report.
The first penalty of its kind was handed down by the British Information Commissioner's Office (ICO) after the missing person's report of a 15-year-old girl was discovered by a member of the public.
The document included details of the girl's age, address, contact information and sexuality, as well as mentioning that she had previously been sexually assaulted.
Personal details relating to 14 other individuals, including the girl's original attacker, were also included in the report.
The ICO said that the report had previously been used by an officer trying to locate the missing youth and is thought to have been left in a police vehicle, where it lay undiscovered for several days.
It is then believed the report fell out of the car when a different officer used the vehicle to attend the scene of an incident; a member of the public discovered it the next day.
The ICO's investigation found that the constabulary did not record when sensitive personal information was taken outside the police station, that officers were not provided with secure bags for storing personal information, and that they received no specific training on how to look after hard-copy documents outside the station.
"The fact that information as sensitive as this could go missing without anybody realising is extremely worrying, and shows that Lancashire Constabulary failed to have the necessary governance, policies and suitable training in place to keep the personal information they handle secure," said Steve Eckersley, head of enforcement at the ICO.
“While we are pleased that Lancashire Constabulary has agreed to take action to make sure people's information is safe, it is vitally important that police forces have effective data-protection policies in place for electronic and paper-based systems, if they are to operate with the trust and confidence of the public they serve. This includes keeping a record of where personal information is being stored and used.”
Meanwhile, the US Department of Health and Human Services Office for Civil Rights has fined Tennessee-based health insurance provider BlueCross BlueShield $US1.5m ($A1.42m) after the theft of hard drives containing health information on more than one million customers.
According to Knoxville's knoxnews.com, BlueCross BlueShield said the hard drives were stolen from a data-storage closet at a former call centre.
The 57 hard drives, stolen in 2009, included customers' names, Social Security numbers, diagnosis codes, dates of birth and health-plan identification numbers.
The US Department of Health and Human Services Office for Civil Rights said the company "failed to implement appropriate administrative safeguards to adequately protect information" at the facility and did not have adequate access controls.
BlueCross BlueShield has agreed to a 450-day corrective action plan to address gaps in its Health Insurance Portability and Accountability Act (HIPAA) compliance programme.
Since the theft, the company said that it has spent nearly $US17m ($A16.1m) in its investigation, notification and protection efforts.
Tena Roberson, deputy general counsel and chief privacy officer for BlueCross, said in a statement that it has "worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times".
Chris McIntosh, CEO of ViaSat UK, said the loss was "a painful lesson, not just for BlueCross, but for the million-plus customers whose personal data has been taken".
"Data should never be assumed to be safe: whether on a CD, a memory stick, a laptop or a server, it should be protected to the highest level possible to avoid punishments such as this."
"Organisations in the UK may well ask how this affects them, but the lessons are clear. First, while the US Office for Civil Rights clearly currently has the power to impose larger fines, the UK's ICO is still champing at the bit to take action against any organisation guilty of a similar transgression, with the financial and reputational damage that implies."
He said the $17m expenditure shows "quite clearly" that the cost of a data breach will exceed a one-off penalty.