PL&B UK E-news, Issue 36
24 February, 2005
© Privacy Laws & Business 2005
- Lib Dems accuse rival parties of data protection breaches
- Used hard disks expose confidential data
- Organisations warned over Instant Messaging threat
1. Lib Dems accuse rival parties of data protection breaches
The Liberal Democrats have lodged a formal complaint with the Information Commissionerâ€™s office accusing the Labour and Conservative parties of breaching the UKâ€™s cold calling regulations. The two parties have allegedly been canvassing millions of homes registered onto the Telephone Preference Service (TPS) â€“ a national do-not-call list allowing people to avoid unwanted telemarketing and cold calling.
Liberal Democrat Party Chairman, Matthew Taylor, has asked the Information Commissioner to investigate the allegations and clarify how the TPS rules apply to election canvassing. â€śWe have received a number of complaints from individuals who have signed on to the TPS, but are still receiving unsolicited calls from the Tories and the Labour Party,â€ť said Taylor. â€śThe advice that we have received on several previous occasions is that such phone calls are illegal.â€ť
Under the Privacy & Electronic Communications Regulations, organisations are prohibited from calling phone numbers listed on the TPS register unless they have been given specific permission to do so. Organisations that breach the rules can be fined up to ÂŁ5,000 per violation.
The Liberal Democrats are also setting up a website encouraging people to register complaints against cold call canvassing by political parties. "From today, we will be willing to help voters make complaints,â€ť said Simon Hughes MP, President of the Liberal Democrats. â€śThe Liberal Democrats are the only major party now to respect their wishes,â€ť he added. â€śWe are rigorous about cleansing our phone lists of numbers registered under the TPS systemâ€¦It is time that the other two parties respected the rights of voters and consumers.â€ť
2. Used hard disks expose confidential data
Companies that fail to destroy sensitive information from disused hard disks could find themselves on the receiving end of regulatory action or lawsuits from clients and staff whose data is exposed. A study carried out by the University of Glamorganâ€™s School of Computing has suggested that nearly 50 per cent of organisations are selling on computers with confidential information still attached.
The study, which looked at 92 second hand hard disks purchased via eBay and computer fairs, found whole customer and HR databases, names and addresses, national insurance numbers and corporate financial data.
Under the Data Protection Act, organisations are required to protect personal information from unauthorised access and destroy data that is no longer needed. The security lapses identified in the survey, however, are not necessarily because companies are unaware of their duty to destroy this information, but more their inability to carry out the task properly. Glamorgan Universityâ€™s study found that in around half of the hard disks examined there had been failed - or only partially successful - attempts to remove information.
â€śCompanies have an obligation to dispose of data when it is no longer required,â€ť said
Dr Andy Blyth, head of the universityâ€™s Information Security Research Group, â€śand many of the organisations involved are now launching investigations in to how this information has ended up in the public domain.â€ť
- Unsuccessful attempts had been made to destroy confidential data on 48 per cent of the 92 hard disks studied.
- 51 per cent of the hard disks contained personally identifiable information (including HR/customer databases, contact details, and national insurance numbers).
- 57 per cent of the hard disks contained information that identified the organisations they had come from (these included a financial services organisation, a company from the leisure services industry, as well as schools and universities).
- 20 per cent of the hard disks contained financial information, including sales receipts and profit and loss reports.
3. Organisations warned over Instant Messaging threat
IT analyst group Gartner has warned that vulnerabilities in Instant Messaging (IM) programmes could compromise organisationsâ€™ internal security controls.
The warning follows the exposure earlier this month of a security flaw in Microsoftâ€™s MSN Messenger IM service. Although Microsoft was quick to control the problem, Gartner has stressed that when future vulnerabilities arise, Microsoft and other IM providers may not be able to act as quickly or effectively.
The increasing use of IM applications across enterprises, said Gartner, means organisations need to implement appropriate policies. â€śIM is so widely used that most enterprises have no idea how many IM clients are installed on their systems or how much IM traffic passed over their networks,â€ť said Senior Gartner analyst, Lawrence Orans. But blocking the use of IM, he added, may be impractical. â€śIM is now so popular that it is rapidly becoming unrealistic to block IM traffic entirely. In many cases, one or more business units can make a compelling case for the need to use IM.â€ť
Instead, organisations are being advised to adopt one of three options: implement an enterprise wide IM solution, deploy a solution that enables controls to be placed on publicly available IM programmes, or adopt both solutions.