Back in September, I prefaced a breach post involving the U.K.’s Crown Prosecution Service with the comment, “This is one of those really terrible breaches that are the stuff of nightmares.”
It appears the Information Commissioner’s Office concurred, as CPS has been fined £200,000 after laptops containing videos of police interviews were stolen from a private film studio. The interviews were with 43 victims and witnesses. They involved 31 investigations, nearly all of which were ongoing and of a violent or sexual nature. Some of the interviews related to historical allegations about a high-profile individual.
Although the firm responsible for editing the videos was neither named nor fined, previous media coverage referenced on this site disclosed the name of the firm.
In September, I had written:
The computers were recovered and supposedly had not been accessed, but this was an extremely serious breach and raises obvious questions about not only what security protections the firm had in place, but the extent to which the Crown Prosecution Service (CPS) had written security measures into any contract with the firm, and whether CPS monitored the firm for compliance with any security protocols.
Not surprisingly, those issues were the basis for the penalty. The ICO’s investigation, summarized in the monetary penalty notice, revealed that CPS had no provisions in place concerning the security measures to be taken by the firm and did not monitor the firm for security of the sensitive data.
The bottom line is that given the highly sensitive nature of these interviews and the potential for great distress, CPS should have known that the DVDs with interviews should have been delivered or transported in encrypted form. They should have had a contract with the service provider that outlined physical and technical security safeguards at the provider’s location, and they should have monitored for compliance.
As a side note, I find it interesting that the ICO is now using a rationale similar to our FTC when it comes to determining whether a breach is likely to call “substantial” harm or injury. The ICO’s notice explains (in Paragraph 38) that even if the risk to any one individual is less than substantial, the cumulative impact when you consider the number of individuals would be “substantial.”