» ICO Where is Your Data?

FTI Buys RingTail (2005)

November 22, 2008 — 585

In Feb 2005 FTI announced the purchase of the review platform RingTail

Annapolis, MD - February 28, 2005

FTI Consulting, Inc. (NYSE: FCN), the premier provider of corporate finance/restructuring, forensic and litigation consulting and technology, and economic consulting, today announced that it has completed its previously announced acquisition of the assets of privately held Ringtail Solutions Group (Ringtail), including its operations in Australia, the United Kingdom and the United States. The purchase price of $35.0 million comprised $20.0 million of cash plus $15.0 million in shares of FTI common stock, plus an earn-out over the next three years based on future performance. The cash portion of the purchase price was financed by FTI from cash on hand and its existing credit facilities.

Source

Tags: FTI, RingTail, E-Discovery

Posted in e-discovery. Tags: ICO. No Comments »

Tool for Converting Load File

November 8, 2008 — 585

IPRo’s tool for converting load files

IConvert™ is a free utility that converts cross-reference files to one or more of the popular litigation support file formats. IConvert also features a built-in verification function to help you ensure the integrity of the files. Using IConvert, you can convert to/from:

DB Textworks
Doculex™ Version 3
Doculex™ Version 5
Documatrix™ (export only)
Introspect (export only)
IPRO Tech LFP
ETech
Opticon™
Ringtail™
Summation®
Trial Director™
Visionary

For example, Summation DII files can be converted to Opticon cross-reference files and vice versa.

http://www.iprocorp.com/IPRO_Demo/iproiconvert.htm

Posted in e-discovery. Tags: ICO. No Comments »

ICO Funding to Increase

October 30, 2008 — 585

The ICO’s budget is to increase from £12 million to £18million, which will allow it to take more enforcement action.

Tags: ICO

Posted in Data Protection Act. Tags: ICO. No Comments »

File Sharing – Where do you stand?

October 25, 2008 — 585

The Current Climate

Earlier this year the UK’s ISPs have hand over information about names and addresses, following court action by those who feel their copyrights have been infringed, e.g the games and music industry.

These companies try and track those using file sharing technologies such as bit torrent or other peer to peer programs. What the investigators end up with is an IP address, e.g they can show that 81.112.50.32 has been sharing specific music files.

As the IP address are, generally, from home users, they only reveal the company providing the line, e.g BT, not the end user.

The IP address does not identify the person who was actually using the IP address at a given time. In addition to this most home IP addresses are also dynamic, which means that different people can have the same IP address at different times.

The only people who can resolve the IP addresses to a given person are the ISPs. E.g BT can identify who had IP address 81.112.50.32 on Saturday 25^th October 2008 and who had it on June 1^st 2008.

The ISP will not provide this information by a simple request, but they need to be compelled by a court order. Which is what happened earlier this year, and thousands of home addresses were resolved from IP addresses, by the ISPs. It is suggested that up to 25,000 home addresses were identified as part of these court orders.

Once the investigators and their employers e.g BPI (British Phonographic Institute), games industry, etc, had identified the home addresses these companies took different actions.

Some companies wrote to the home address trying to “educate” the users. Others wrote, via the solicitor Davenport Lyons, to the registered owners of the IP addresses identified and demanded that the users pay a £600 fine or face additional action.

Where do you stand?

So, the games and music industry is now getting tough. But where do you stand?

Firstly any firm is on a very sticky wicket if they try and issue a fine based purely on an IP address. It is entirely unreasonable to suggest that you can identify a user from a IP address. For example, a house with one computer may have multiple users. A home may have a family computer, the father pays the bill but its the son who is down loading the music (without his father’s knowledge). The father can not be held reasonable for that action any more than he can if his son goes out and steals a car.

Secondly most homes now have multiple computers, and the IP address just shows the house that was down loading music, and not which computer.

Think of a student house with 4 people living in it, one person pays the bill but another person down loads the music, one student can not be responsible for another, just because they live in the same house.

The first and second problem can be combined. E.g a house can have four people living it in, but the girl friend of one of the students stays over regularly and down loads music files, on her account on one of the computers in the house. Can the person who pays the bill in the house really be held responsible for the actions of the partner of a person he lives with? Of course not.

There is then the third option, insecure networks. Most routers come with wireless networks running as default and it is insecure. If your neighbor uses your network to down load music, should you be held responsible for this?

If the UK government cannot maintain control of critical information, how can a home user be expected to secure data?

Can they get more information?

As shown above the IP address is not enough to ensure a conviction/fine, the company would need to gain more information, from investigating the the suspected home computers. This is possible, legally.

A company, e.g BPI, could request an order/warrant to search a suspected house based on the IP address/home address provided previously, and that would could well be reasonable.

If that did occur BPI would need to get the order, then attend the address, make an exact copy of the suspected hard drive(s) and then take the data away for analysis. This sort of operation would be conducted by contractors, so it is entirely technologically and legally possible. But the cost of doing this would be so expensive, probably £10,000s on per address, that it would be cost prohobitaive on a massive scale. But, the BPIs and the like could consider doing this on a selective scale to send out a message – it depends on how much they value their PR.

Is it legal?

Currently the ISPs have passed over the information, via a High Court order, and so it is entirely legal.

There have been no morning raids or Anton Piller orders, at home addresses reported in the press so far, but they would also be legal if they did occur. The ICO has not commented on the issue either, again showing that this is legal in the UK and there is no objection.

However, on 29th January 2008 the European Court of Justice in the case of “Productores de Música de España Promusicae vs. Telefónica de España“ the ECJ stated that the provision of traffic information for civil reasons, i.e resolving the IP address to the home address, was not required by member states, but it could be required if necessary at a national level.

In this case the exact same court procedures started in Spain as they did in the UK: The music industry demanded information on users, from the IP addresses they had collected. The difference is that in Spain the ISP Telefonica refused to do this, stating that this information was there for criminal purposes only. Spain then referred the case to the ECJ for advice.

The ECJ agreed with Telefonica. Sadly the the UK ISPs are not inclined to defend their users as much as the other countries, but if an ISP did decided to make a stand for their users they are almost certain to win following the ECJ ruling.

Tags: File+Sharing, P2P

Posted in UK Law. Tags: ICO, Law. No Comments »

Virgin – Encryption Enforced

October 11, 2008 — 585

Following the loss of data by Virgin in June the ICO has taken enforcement action against Virgin Media.

The ICO has ordered Virgin to encrypt all of mobile devices:

Virgin Media is required, with immediate effect, to encrypt all portable or mobile devices that store and transmit personal information. Further, the company is to ensure that any service provider processing personal information on its behalf must also use encryption software and this requirement has to be clearly stated in all contracts

Source

If only the UK government would be forced to behave in such a manner.

Tags: ICO, Data+Protection, Virgin, Data+Loss

Posted in Data Loss, Data Protection Act. Tags: Encryption, ICO, privacy. No Comments »

Once Bitten Twice Shy?

September 9, 2008 — 585

Data theft occurs all over the world, it is unfortunately a matter of life.

However we should distinguish between “data loss”, when somebody loses/misplaces/gives away the “data theft” and when somebody deliberately defeats systems and takes it. Its the difference between throwing your money out of your window and being burgled.

We should never do the former and try to prevent the latter.

In the UK the government seems to have a very different approach. Don’t do anything about the former and ignore the latter.

In the rest of the world its a very different issue:

In Finland the Government did not provide enough protection of data and as a result worked to make changes, but despite this were still found guilty in the ECHR, and so even more changes are afoot.

The UK is appears to be losing data more often than any other government in the world at the moment.

In Korea when data was stolen the police are immediately called and appear to take action. In the US data theft cases have high profile results and fines handed down, which must have a deterrent effect. In Germany the government conducts investigations to try and find out how much personal data is out there, and then tries to clamp down on the issues.

In the UK data is lost all the time, from the Home Office, the Ministry of Justice, the Ministry of Defense, the NHS, and most famously the HMRC.

Yet, despite all of this, no effective measures have been put in place to deal with this.

The ICO has been pushing for tougher sentences, and for people dealing with data illegally, and Section 55 of the DPA creates a criminal offence of stealing data or being reckless in its loss.

Despite this the government is still losing data all the time, there is a trade in personal data and nobody is getting prosecuted, with the exception of a couple of low level accountants.

How many times do the UK Government need to lose data, fail to protect it, or allow the trade to go unpunished before action is taken?

Certainly more than twice!

Posted in Uncategorized. Tags: Data Loss, Data Theft, ICO, Law, privacy. No Comments »

Certegy Settles Consumer Data Theft Lawsuits

September 9, 2008 — 585

TAMPA – A federal judge has approved a settlement in two class-action lawsuits filed against a St. Petersburg check authorizing company that had more than 8.4 million consumer records stolen and sold to direct marketers.

The settlement provides for a range of credit monitoring services and reimbursement of expenses for those whose identity was stolen. The company, Certegy Check Services, also is reimbursing more than $2 million in legal expenses to the law firms involved in the cases.

William G. Sullivan, a former analyst for Certegy, was sentenced in July to four years and nine months in federal prison for stealing the records. A judge also ordered Sullivan to pay $3.2 million in restitution to Certegy.

A federal prosecutor said at the sentencing hearing that Certegy had to spend $3.2 million to notify the 5.9 million customers whose private financial information was stolen. The victims were in all 50 states, the District of Columbia, the Virgin Islands, Puerto Rico and overseas. Some customers had data stolen that was not deemed to be private financial information.

The class covered by the settlement includes anyone in the United States and Puerto Rico whose credit card, debit card, checking or demand deposit account numbers or other information was included in multiple databases. It excludes anyone who decided to opt out of the settlement after being notified it was pending.

Under the settlement, Certegy is required to pay $2.35 million in attorney fees, costs and expenses. Two representative plaintiffs, Linda Beringer and Dana M. Lockwood, were awarded $500 each. Other named plaintiffs were awarded $250 each.

Certegy Settles Consumer Data Theft Lawsuits.

Tags: Data+Theft

Posted in Data Loss, Data Misuse, US Law. Tags: Data Theft, ICO, Law. No Comments »

Echelon: European Parliment Report

September 8, 2008 — 585

ECHELON, has long been talked about by individuals claiming to know things we don’t know about.

However, in 1999 the BBC reported on its existing, suddenly giving the “black helicopter” type sites credibility.

What is not widely reported is that in July 2001 the European Parliament produced a detailed report into the investigation of Global Interception of Communications.

The report clearly states that ECHELON does exist and is fully working. In one of its opening paragraphs (page 11 of 194) the report states that:

“the existence of a global system for intercepting communications, operating by means of cooperation proportionate to their capabilities among the USA, the UK, Canada, Australia and New Zealand under the UK/USA Agreement, is no longer in doubt;”

It also states that:

“there can now be no doubt that the purpose of the system is to intercept, at the very least, private and commercial communications”

The 194 page report provides numerous documents proving the existence of ECHELON, from papers released by t he Naval Security Group Activity (NAVSECGRUACT), NASA, and the NSA, to comments made by the former head of the Italian Secret Service.

Full Report on the European Parliament Web site

Downloaded copy of report

Tags: ECHELON, Phone+Tapping

Posted in Data Misuse, Mobile Phones, data retention. Tags: ICO. No Comments »

Four Data Protection Myths: ICO

September 3, 2008 — 585

1) Myth – “The Data Protection Act means a company is never allowed to give a customer’s details to a third party”.

Reality – Not True Where an organization is satisfied that as someone asking for information about another person’s account is authorized to access it, the Act does not prevent this. The ICO has produced practical guidance on this

2) Myth – “The Data Protection Act stops parents from finding out their children’s exam results”.

Reality – Not True. The Information Commissioners Office has issued guidance on the publication of exam results.

3) Myth – “The Data Protection Act prevents priests from naming sick parishioners during church prayers”.

Reality – Not True. The DPA is designed, in the main, to cover personal information held electronically. Its not very likely that this information would be stored on the priests computer, or detailed filing system. So it would not be covered by the DPA, and even if it was, as long as the individual was happy for their name to be read out that would be fine.

4) Myth – “The Data Protection Act prevents the releases of offenders’ details to victims”.

Reality: Not True. The Data Protection Act does not stop the police disclosing the relevant details when civil proceedings contemplated (e.g the victim wants to take action against the offenders). While the police need to be careful about what information they do disclose, they have, according to the ICO “received clear guidance from the Home Office on what details can be passed on to victims”.

In the case reported by the Daily Express on the issue the ICO discussed the matter with the police force concerned and the information has since been provided to the owner.

Source

Tags: Data+Protection+Act, Data+Protection+Myths

Posted in Data Protection Act, UK Law. Tags: data protection, ICO. No Comments »

"I" v Finland – Data Protection and Privacy

August 30, 2008 — 585

Results:

On 17^th July 2008, at the ECHR (Strasbourg), in the case “I” v Finland the court found against Finland, and awarded “I” €13,771 in damages and €20,000 in costs. The full court decision, I v. FINLAND, case no. 20511/03, is available here.

Outline of the Case:

The applicant “I”, now 48, stated that her private medical records were accessed by the other people (as a result of which she possibly lost her job as a nurse).

The access was not recorded, as there was no records of this at the time (around 1992)

The Court decided that as the hospital was controlled by the State, and as such Finland was responsible for the actions there. The court also stated that personal information relating to a patient undoubtedly belongs to his or her private life. Therefore Article 8, freedom to a private life, is applicable in this case.

The European Court of Human Rights found that a person’s right to respect for their private life (under the ECHR,) may be breached where the State fails to take appropriate steps to secure data, so that it cannot be accessed improperly.

While Article 8 not means the government must not interfere, but may also have to undertake positive actions to prevent such interference, e.g the adaption of systems/controls to protect data.

In this case there is no statement that there was deliberate and unauthorized access of data, only that there was failure to secure the data appropriately. i.e a breach of Finland’s positive obligations under Article 8. The court found in favour of the Applicant.

Summary: The ECHR found that if personal data is not secured adequately, and the State does not take positive steps to do so (and not just legislation but technical and procedural steps as well), then the state is in breach of Article 8.

Background of the Case:

The claimant “I” was a nurse who worked in Finland, and between 1989 and 1994 she worked on fixed terms contracts in a state/public hospital (i.e working for Finland). However, from 1987 onwards “I” had also been a patient of the same hospital as she had been diagnosed with HIV.

In Early in 1992 the applicant began to suspect that her colleagues were aware of her illness. At that time hospital staff had free access to the patient register which contained information on patients’ diagnoses and treating doctors. Having confided her suspicions to her doctor in summer 1992, the hospital’s register was amended so that henceforth only the treating clinic’s personnel had access to its patients’ records. The applicant was registered in the patient register under a false name. Apparently later her identity was changed once again and she was given a new social security number.

In 1995 the applicant, “I” changed/lost her job as her temporary contract was not renewed.

On 25 November 1996, the applicant complained to the County Administrative Board (lääninhallitus, länsstyrelsen) in Finland, requesting it to examine who had accessed her confidential patient record. Following this request, the director in charge of the hospital’s archives provided a formal statement with the County Administrative Board. The statement said that is was not possible to find out who, if anyone, had accessed the applicant’s patient record as the data system revealed only the five most recent consultations – and this was by department and not a named individual. And even this scant information was deleted when the records were returned to the archives.

Following this investigation the Finnish County Administrative Board decided, on 20 October 1997 that while there should be privacy for the individual the records are not detailed and therefore Board decided that it could not further rule on whether information had been viewed inappropriately. However, it did advise the records should be changed so that access to the files are recorded.

As a result of this, in March 1998, the hospital’s register was amended so that it became possible retrospectively to identify any person who had accessed a patient record.

In 15 May 2000, the applicant “I” instituted civil proceedings against the District Health Authority (sairaanhoitopiirin kuntayhtymä, samkommunen för sjukvårdsdistriktet), which was responsible for the hospital’s patient register at the time of the incident, claiming non-pecuniary and pecuniary damage for the alleged failure to keep her patient record confidential.

On 10 April 2001, the District Court (käräjäoikeus, tingsrätten) rejected the action. The applicant then appealed to the Court of Appeal (hovioikeus, hovrätten), maintaining her claim that the hospital had not complied with the domestic law, in breach of her right to respect for her private life

On 7 March 2002, the Court of Appeal, found against the applicant and ordered her to pay costs for the respondents legal expenses for both the district court and appeals court – 2,000 and 3271 euros respectively.

Following this “I”, then applied to the Finish Supreme Court (korkein oikeus), claiming that there been a violation of her right to respect for her private life. On 23^rd Decemeber 2002 the Supreme Court refused leave to appeal.

Still pursuing the case “I” applied to the ECHR and requested that her name was with held. On 20th June 2003 the president of the Chamber (Nicolas Bratza) agreed to this. On 19^th January 2006 the ECHR decided that there was a case to hear and informed Finland that the ECHR would hear the case.

On 17^th July 2008 the court decided in favour of the applicant “I”.

Tags: Data+Loss, ECHR, Article+8

Posted in Data Loss, Data Misuse. Tags: data protection, ICO, Law, privacy. No Comments »

« Older posts

Where is Your Data? This is the old site

Links