Security Experts:

UK City Hit With £120,000 Fine For Failing to Encrypt Email

Stoke-on-Trent City Council (UK) has been smacked with a £120,000 fine for failing to secure sensitive information that was being transmitted electronically. The data, child protection documents, was accidentally delivered to a person not related to the case, and wasn’t properly encrypted the Information Commissioner’s Office (ICO) said, posing a significant breach of the Data Protection Act.

The incident occurred last December, when 11 emails related to a child protection case were sent by a solicitor to the wrong email address. The emails contained sensitive information related to the care of a child and information related to the health of two other adults and two other children. The emails should have been sent to Counsel instructed on a child protection case.

“If this data had been encrypted then the information would have stayed secure. Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure. It is particularly worrying that a breach in 2010 highlighted similar concerns around encryption at the authority, but the issue was not properly resolved,” said Stephen Eckersley, Head of Enforcement at the ICO.

As a result, the Stoke-on-Trent City Council was fined £120,000 for breaching the council’s own guidance, which confirmed that sensitive data should be sent over a secure network or encrypted. Making the situation worse, subsequent investigation into the matter revealed that the council had failed to provide the legal department with encryption software and knew that the team had to send emails to unsecure networks. This is in addition to failing to offer proper training on the use of encrypted communications and encryption software.

“The council has now introduced new measures to improve the security of information sent electronically, as well as signing a legal notice to improve the data protection training provided to their staff. This should limit the chances of further personal information being lost,” Eckersley added.

Earlier this month, Greater Manchester Police paid £120,000 after a thief took a USB drive containing personal information from an officer’s home. It was later learned that officers normally used unsecured USB drivers to store and transport sensitive information, a fact that David Smith, the ICO’s director of data protection, said sends a “shiver down the spine.”

Subscribe to the SecurityWeek Email Briefing
view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.