Outsourcing security weakness for Sweden’s driver and vehicle data
First published in ITS International
Police vehicle and driver details could have been put at risk
The security of driver and vehicle data hit the headlines this summer in Sweden and its authorities are still dealing with the fallout. David Crawford reports.
Repercussions from Sweden’s vehicle data outsourcing scandal continue to reverberate. Transportstyrelsen, the government’s transport agency, came under fire this summer for putting the personal data of over five million motorists at risk by failing to enforce full security vetting of personnel in other countries to whom individual work packages could be subcontracted.
Back in April 2015, the agency signed a US$100 million outsourcing agreement with IBM Sweden to manage the country’s vehicle registration and driver’s licence databases, which contain details of the individuals concerned. The deal, which runs until 31 October 2020 (with scope for renewal), only required the company to ensure the quality and security of the agency’s relevant networking, hardware and program operations. It did not require all overseas subcontractors’ personnel to be vetted by the Swedish authorities.
Some media reports have suggested that the at-risk data also included details of military vehicles and even of the country’s entire transport infrastructure. While stressing that the agency has been “deliberately careful” in describing what may have been compromised, a spokesperson told ITS International that military and infrastructure information was not included. Police vehicle and driving licence details were, however, among the files outsourced to IBM.
It is common industry practice for IT contractors to assign work packages to, for example, other group companies, subsidiaries or support centres that are located in foreign countries. Benefits can include economies of scale, round-the-clock availability and the scope for calling in qualified experts as needed.
IBM Sweden routinely adopts this procedure and there is no suggestion of any failure on its own part. Lennart Malm, spokesperson for IBM told ITS International: “We will continue to assist the Swedish Transport Agency, and to meet the responsibilities of our contract, at the Agency’s direction.”
The issue came to light during an investigation by Säpo, the Swedish security police, which began soon after the start of the contract, though it did not become widely known until later. The probe revealed that, during the procurement process, Maria Ågren, the agency’s then director-general, had failed to fully observe data protection requirements enshrined in three Swedish parliamentary acts. She had also bypassed the agency’s own internal guidelines.
The result was that not all the operational technicians, outside as well as inside the country, who could have been involved in implementing the outsourcing had received full, standard Swedish government background security checks. It is not illegal in the country to place data services with contractors elsewhere, but this has to be subject to appropriate clearances.
The director-general was accordingly dismissed in January 2017 and fined for failing to take the necessary precautions. At the same time, there were reports that Transportstyrelsen had also failed to implement the full personnel security checks needed in a further outsourcing, of the maintenance of its firewalls and communications networks, to an East European company. Transportstyrelsen told ITS International, however, that none of its operations are currently being handled there.
Retired Swedish cybersecurity expert and police consultant Bengt Erik Angefelt told the New York Times that he blames the crisis on “pressures to cut costs. It’s expensive to hire your own personnel. To do security checks on personnel in other countries is difficult, but necessary.” There was also reported to have been pressure on the time available to implement the outsourcing.
In a statement in July, new Transportstyrelsen director-general Jonas Bjelfvenstam said he took the criticisms very seriously. “We have no indications that data was disseminated improperly. But, given that the agency handles crucial information which affects citizens, companies and other authorities, nothing else than full compliance with regulations is acceptable.”
He added the reassurance that all the relevant equipment, programs and data had remained in Sweden during the outsourcing. Meanwhile, work to ensure that only fully security-cleared staff who have undergone background checks are involved is under way and due to be completed “during autumn 2017”.
Under a crisis action plan drawn up before the affair became public, several interim milestones have already been reached: only formally approved personnel have administered servers since May 2016, handled data storage since June 2016 and administered networks since July 2016.
Throughout this summer and autumn, the country’s minority centre-left coalition government has wrestled with the fallout. In May, Säpo had warned that increased digitisation was making Swedish national and governmental agencies progressively more vulnerable to threats, following a series of investigations the previous year during which a number of state agencies came under scrutiny.
In response to Transportstyrelsen’s problems becoming public, prime minister Stefan Löfven sacked his home affairs and infrastructure ministers, the ones most closely concerned.
Regarding the international implications of data exchanges, a spokesperson for Säpo told ITS International: “Naturally we cooperate with the security services of other countries, but we cannot give any details on how or in which specific cases.”
At European level, Transportstyrelsen is a member of EUCARIS (the European car and driving licence information system), a continent-wide collaboration of national agencies created to enable data exchanges on vehicle registration, driving licences, traffic and parking violations and accompanying personal data. Quizzed by ITS International, operations manager Herman Grooters said the issue would be on the agenda for EUCARIS’s October 2017 general assembly in Prague. “We will ask our Swedish colleagues for their comments and, based on these, may consider further action.” There will be no public statement after the event.
EUCARIS uses a closed and encrypted EU network for the cross-border transfer of data between individual states. Each state is “fully responsible for the secure storage of the transferred data and the legitimate use of the information,” says Grooters. Compliance with EU data protection regulations is a condition of EUCARIS membership. The organisation works with EU member states in evaluating the data information chain via questionnaires and site visits, which cover the issues of personnel screening and non-disclosure procedures.
The Fédération Internationale de l’Automobile (FIA) is the umbrella body for 245 motoring organisations in 143 countries. Laurianne Krid, director-general of its Region 1 (Europe, the Middle East and Africa), told ITS International: “We and our member clubs hope that this case can be resolved effectively and efficiently, and serve as an example for other governments and the EU of the importance of ensuring data security.”
In a recent article in the daily Svenska Dagbladet, Swedish FIA member club Kungliga Automobil Klubben stated: “The authorities must do more to guarantee the security of motorists. Even before the leak, vehicle registration data was openly available – which we see as a major risk. Motorists must have the capability to control and own their own data”.
ITS International also invited expert legal comment from Barry Jennings, a specialist in IT and outsourcing with international lawyers Bird & Bird. He told us: “Most outsourcing providers operating global services will look to retain the freedom to subcontract services within their group. But customers will usually insist at the very least on full transparency as to what these entities are; what services they are providing; and what data they will need access to.
“[Information] related to individuals is governed by data protection laws, where requirements are more developed. Protection of non-personal data has typically been addressed contractually through obliging outsourcers to comply with security policies.
“The prevalence of cloud services now means that it is increasingly possible to access data from different locations without it being stored or hosted locally. However, data protection laws also cover access to personal data – even if it is on a view-only basis – so it has become more common for data processing arrangements within outsourcing deals to have specific security provisions for data hosting and transmission/access.
“Ultimately, the laws all require operators to put in place appropriate technical and organisational measures. The question of what is ‘appropriate’ is dependent on the dataset in question, and the answer will change over time as the state of the art evolves. An important consideration in long-term outsourcing deals is who bears the costs of keeping security at the ‘appropriate’ level?”
Bird & Bird has contributed a chapter on ‘Structuring a Multi-Jurisdictional Outsourcing Deal’ to Outsourcing 2017, published by International Comparative Legal Guides. This can be downloaded free at https://iclg.com/practice-areas/outsourcing/outsourcing-2017/structuring-a-multi-jurisdictional-outsourcing-deal
The book is available at https://iclg.com/practice-areas/outsourcing/outsourcing-2017