The Crown Prosecution Service (CPS) has been fined £200,000 by the Information Commissioner’s Office (ICO) following the discovery that laptops containing videos of police interviews were stolen from a private film studio.
The interviews were conducted with 43 victims and witnesses. They involved 31 investigations, nearly all of which were ongoing and of a violent or sexual nature. Some of the interviews related to historical allegations against a high-profile individual.
The videos were being edited by a Manchester-based film company named Swan Films so that they could be used in criminal proceedings, but an ICO investigation found the videos were not being kept in a secure manner.
The film company used a residential flat as a studio. The studio was burgled on 11 September last year and two laptops containing the videos were stolen. The laptops, which were left on a desk, were password-protected but not encrypted. Further, the studio had no intruder alarm in place and “insufficient” security.
The police recovered the laptops eight days later and apprehended the burglar. As far as the Information Commissioner is aware, the laptops had not been accessed by anyone else.
The ICO has ruled that the CPS was negligent when it failed to ensure the videos were kept in a safe and secure manner and did not take into account the substantial distress that would be caused if the videos were lost.
Complacency in information protection
Stephen Eckersley, head of enforcement at the ICO, commented: “Handling videos of police interviews containing highly sensitive personal data is central to what the CPS does. The CPS was aware of the graphic and distressing nature of the personal data contained in the videos, but was complacent in protecting that information. The consequences of failing to keep that data safe should have been obvious to them.”
Many of the victims were vulnerable and had already endured distressing interviews with the police. In the videos, they talked openly and referred to the names of the offenders.
Eckersley continued: “If this information had been misused or disclosed to others then the consequences could have resulted in acts of reprisal.”
The CPS reported the incident to the ICO and informed the victims and witnesses involved. The ICO received complaints from three affected people.
As part of its investigations, the ICO learned that the CPS had been using the same film company since 2002.
The CPS delivered unencrypted DVDs to the studio using a national courier firm. If the case was urgent, the sole proprietor would personally collect the unencrypted DVD from the CPS and take it to the studio using public transport. The ICO found that this constituted an ongoing contravention of the Data Protection Act until the CPS took remedial action following the security breach in September 2014.
Response from the CPS
A CPS spokesperson said: “It is a matter of real regret that sensitive information was not held more securely by our external contractor, and that we, as an organisation, failed to ensure that it was.
“We are grateful that the material was recovered without being accessed by those who stole the computer equipment, but accept that this was fortuitous. It’s vital that victims of crime feel confident that breaches like this will not happen and, following a full review after this incident, we have strengthened the arrangements for the safe and secure handling of sensitive material.”
The CPS’ contract with Swan Films was immediately terminated following the incident and security arrangements across the CPS have been “reassessed” in order to ensure that this type of breach doesn’t happen again.
All areas were asked to identify any locally arranged contracts and several security reviews were conducted across the CPS. Procurement guidance was revised to highlight the importance of information security in all contracts.
“Of all the organisations you’d hope to be on top of data protection, the CPS should rank highly,” urged Chris McIntosh, the CEO of ViaSat UK. “Quite frankly, the fact that part of the justice system could be so complacent regarding data security is worrying indeed.”
McIntosh added: “As this case shows, a large proportion of threats to data don’t just come from shadowy attackers looking to damage organisations. They come from simple human error and a failure to follow Best Practice. Essentially, organisations should always assume the worst with data security. They should take the approach that they’ve already been breached, and make detecting breaches and securing data their top priority. This means an all-encompassing approach towards protection, of which encryption plays a crucial part. After all, there’s always the risk that data will be stolen, but that risk holds much less danger if the data appropriated cannot be accessed.”
In conclusion, McIntosh told Risk UK: “Indeed, there’s a strong case for strengthening the Data Protection Act to make encryption of all personal data both mandatory and enforceable, with real punishments for those who fail to follow the guidelines. The EU Data Protection Regulation could go some way to providing this, but what we should really be aiming for is a world wherein the CPS is punishing organisations for any proven failure to protect data rather than the other way around.”