CPS in the Dock After Police Interview Videos Stolen

The UK Crown Prosecution Service has been fined £200,000 by privacy watchdog the Information Commissioner’s Office (ICO) after laptops containing highly sensitive videos of police interviews were stolen while under its care.

The interviews with 43 victims and witnesses corresponded to 31 investigations, most of which were ongoing and related to violent or sexual crimes, the ICO revealed in a statement.

Some were related to “historic allegations against a high profile individual,” it added.

The videos were being edited by a Manchester-based firm for use in criminal proceedings but were stolen from a residential flat that the company was using as a studio.

The laptops were recovered eight days later, the burglar apprehended, and it’s not thought anyone viewed content on the password-protected machines.

However, the videos weren’t encrypted and the CPS had been negligent by failing to ensure the laptops were stored in a safe location.

“Handling videos of police interviews containing highly sensitive personal data is central to what the CPS does. The CPS was aware of the graphic and distressing nature of the personal data contained in the videos, but was complacent in protecting that information,” said ICO head of enforcement, Stephen Eckersley.

“The consequences of failing to keep that data safe should have been obvious to them.”

As if that weren’t enough, the ICO found out that the CPS, which has been using the same editing company since 2002, would regularly send unencrypted DVDs to the studios by courier, contravening the Data Protection Act.

Norman Shaw, CEO of mobile security firm ExactTrak, claimed the breach wasn’t surprising given the CPS’s poor track record on data protection.

“Nothing has been learned from previous breaches and the victims in these cases have undergone additional stress because of a complete lack of competence by those in charge at the CPS. Heads need to roll on this one,” he added.

“Are these prosecutions now dead because the evidence has been tainted? Can these unfortunate victims sue for the excessive stress caused? Perhaps they should receive some of this £200,000 fine.”

Chris McIntosh, CEO of security firm ViaSat UK, argued organizations should always assume the worst when it comes to data security—that they’ve already been breached.

“Indeed, there is a strong case for strengthening the Data Protection Act to make encryption of all personal data both mandatory and enforceable, with real punishments for those who fail to follow the guidelines,” he added.

“The EU Data Protection Regulation could go some way to providing this, but what we should really be aiming for [is] a world where the CPS is punishing organizations for failure to protect data, rather than the other way round.”
