Top IT data security threats revealed and what organisations must do to stop them

The Information Commissioner’s Office (ICO) has published a security report, “Protecting personal data in online services: learning from the mistakes of others”, providing best practice on how to avoid eight common IT security vulnerabilities that most frequently lead to data security breaches. The flaws include poor password storage, poorly designed networks in inappropriate locations, a lack of protection from structured query language (SQL) injection, poor decommissioning of old software and failing to update software. The report makes a number of recommendations including hashing and salting passwords, creating a well-designed security architecture, being aware of all of the components of a service to ensure that they are fully decommissioned and implementing a software updates policy.

Updating software has become even more urgent since Microsoft stopped supporting its Windows XP operating system and the uncovering of the security flaw, Heartbleed. The ICO says that all organisations should have a basic understanding of these types of threats and that, while the report is aimed at data protection officers and senior managers, IT security professionals may also find it of use.

Anyone who processes personal information must comply with eight principles of the Data Protection Act. The seventh data protection principle imposes data security obligations on organisations and the ICO can issue fines of up to £500,000 for serious breaches of the Data Protection Act.

Recent fines include the £200,000 penalty issued to the British Pregnancy Advice Service after the details of service users were compromised due to the insecure collection and storage of the information on their website, and the £250,000 fine issued to Sony Computer Entertainment Europe after the company failed to keep its software up to date, leading to the details of millions of customers being compromised during a targeted attack on the Sony PlayStation Network Platform.

European Court rules that Google must remove links to personal information upon request

On 13 May 2014 the Court of Justice of the European Union (ECJ) ruled that Google is a “data controller” within the meaning of the Data Protection Directive 1995 [DPD] and as such it must remove references to an individual’s personal data where it is inaccurate, inadequate, irrelevant or excessive.

The consequence is that, while the internet remains a virtual library of information about everything, the index to this information can be edited on request, so that personal data cannot easily be found.

The case concerned Mr Costeja González who claimed that, when someone searched for his name on Google, the results included links to pages on the Spanish newspaper’s website La Vanguardia. Those pages referred to a real-estate auction organised following attachment proceedings for the recovery of social security debts owed by Mr González. Mr González said that the attachment proceedings had been fully resolved for some years and that therefore the reference to them in the Google results was out of date and irrelevant.

The ECJ held that Google as a search engine provider is the “data controller” in respect of the locating, indexing, storing and making available of information accessible on the internet, and that under the DPD Mr González has a right to rectification, erasure or blocking of that information, and a right to object to the processing of the information in certain circumstances. This has been termed a “right to be forgotten”.

The ECJ’s decision has sent shock waves through the online community as rights of privacy appeared to trump rights of free speech. This has led to accusations that the decision encourages individual reputation management, re-writing history and, ultimately, censorship.

However, the ECJ made it clear that while Google’s commercial interests in processing the information will not, as a rule, override an individual’s rights to privacy, a balancing of the individual’s rights and the interests of other internet users in accessing that information must be carried out. The interest in the public being able to access the personal information may override the individual’s interest in cases where the individual plays a prominent role in public life and being able to access the information is “in the public interest”.

The Information Commissioner has welcomed this decision as upholding the data protection rights of individuals. However, Google is now faced with an onslaught of requests to remove information. It is placed in the invidious position of having to act as judge and jury and balance the interests of the individual as against the public interest.

In a speedy response to the Court ruling, Google have created an online “Search removal request” form. When requesting a removal you have to explain how the web page in the search results is “irrelevant, outdated, or otherwise inappropriate”.

Google do not welcome being an arbiter of public opinion and indicate that they may seek guidance from the ICO as to how to apply the ruling. Also, Google may tell source websites that the link to the information has been removed (if it is); as can happen when a person takes legal action for defamation, there is a risk that seeking the remedy will attract more attention to the issue than might otherwise have been the case.

It remains to be seen whether Google will decide that it is easier to grant requests which appear to be genuine or to refuse requests unless and until a court order is obtained or further guidance issued by the data protection regulators. Questions remain as to what liability a search engine may face if it decides not to remove a link which a court later decides it should have removed.

Whatever the case, the ECJ decision to enforce a “right to be forgotten” is far-reaching and will continue be a key issue over coming months, not only for search engines but also for social media platforms and others who host content which includes personal data. It also highlights the direction of travel and focuses attention on the proposed new EU Data Protection Regulation, which has for some time included a specific “right to be forgotten” (re-branded in the latest draft as a “right to erasure”). Ironically, with this decision, the ECJ has found that this “right to be forgotten” – which for some time has been proposed and debated as a new development in data protection laws – already existed under the out-dated but still in force 1995 Data Protection Directive.

The Google request form can be accessed here.