According to the ICO, the council lost its USB stick in May after the device was used to store financial accounts and has not yet been recovered. Information on the stick included residents' names and addresses, as well as details of payments to the council.
The ICO's investigation found that the council's data protection practices were insufficient and that it failed to make sure that the USB sticks provided to employees were encrypted. The council also failed to provide its staff with proper data protection training.
As part of its censure process, the ICO has required the council to improve its security policies by March of next year, at which stage it will check that the improvements have been implemented.
Commenting on the saga, Sally Anne Poole, the ICO's enforcement group manager, said that the incident could have been easily avoided if adequate security measures had been in place.
"Our investigation uncovered a number of failings at Rochdale; that's why we will follow up with the council to ensure they're doing everything they can to prevent this type of incident happening again," she said.
Computer Weekly quotes Christian Toon, head of IT security with Iron Mountain, as saying that this was not an isolated incident - other public sector organisations have recently been found guilty of being in breach of the Data Protection Act.
"Information on the move outside the company is at risk unless it is properly encrypted and protected from human error," he told the IT paper and newswire, adding that this requires more than just technology: it requires the development and active implementation of robust information management policies, supported by staff training and self-regulation.
Grant Taylor, vice president of Cryptzone, noted that the loss could easily have been prevented, as controlling data on USB sticks can be achieved using a combination of encryption, backed up by enforced security policies to ensure data compliance.
"Using this belt-and-braces approach means you have policy enforcement software allied with a secure USB stick environment where data has to be moved using this type of hardware. You can also allow controlled access to the data on a secure remote basis," he said.
"Taking a centralised secure silo approach to data leak prevention is actually the preferable methodology, as it's perfectly possible to have multiple storage systems across different offices, where a large number of employees require access to a constantly updated file database. But whichever security methodology is used, the important thing to realise is that these systems are now easy to use and transparent as far as the end user is concerned," he added.
Taylor went on to say that the Rochdale council data loss is quite significant as it amounts to 8.7% of the 206,000 population of the city, although with just over 10,000 employees, the council clearly has a large number of staff handling a lot of data on a daily basis.
This does not, however, excuse the loss of an insecure USB stick, or the fact that the data was outside the control of the council's security envelope, making the incident a double breach of the council's security rules, he explained.
"What I find amazing is that the USB stick was used to store the financial accounts of the council, which suggests that residents' names and addresses, along with details of payments to and by the council, were on it," says Taylor.
"The only saving grace here is that details of the residents' bank accounts were not stored on the USB stick, as otherwise you would be handing an identity theft kit on an electronic plate to cybercriminals, which, at current rates, would be worth around £12,000 on the cybercriminal carder and allied data exchange forums," he said.
"It saddens me to hear that the investigation by the ICO found that Rochdale council's data protection practices were insufficient and that it failed to make sure that memory sticks provided to staff were encrypted. This is all about manager and user education, so it's clear that we, as an IT security industry, need to redouble our efforts on the security education front," he added.