The Information Commissioner's Office (ICO) has fined two organisations for serious breaches of the Data Protection Act - the first to be issued under new tougher guidelines in the UK.
The security breach at Sheffield-based firm A4e happened in June 2010, after the company issued an unencrypted laptop to an employee in order to do work from home. The laptop was subsequently stolen from the employee's house.
That wouldn't have mattered too much, of course, if the laptop hadn't contained sensitive information. Unfortunately it carried personal data relating to 24,000 people who had used community legal advice centres in Hull and Leicester.
Personal details recorded on the laptop included full names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence.
It is understood that an unsuccesful attempt was made to access the data on the hard drive shortly after the computer was stolen. Quite rightly, A4e reported the incident to the ICO, and subsequently notified the people whose data could have been accessed.
The ICO have now fined A4e a total of £60,000, saying that the data loss could have caused individuals "substantial distress", and admonished them for not putting encryption in place despite knowing the amount and type of sensitive data being held on the laptop.
And that's the point, of course. The entire problem and the subsequent fine was entirely avoidable - if the laptop had been properly encrypted, as Information Commissioner Christopher Graham noted:
"Thousands of people's privacy was potentially compromised by the company’s failure to take the simple step of encrypting the data".
In a separate incident, Hertfordshire County Council has also been fined £100,000 by the ICO after it faxed details of a child sex abuse case to a member of the public.
Both Herfordshire County Council and A4e have apologised for the serious security breaches.
The ICO was granted new powers by the British government earlier this year allowing it to fine companies up to £500,000 for breaches of the Data Protection Act.
More information about the ICO's powers can be found on the ICO's website, where it has published more information on the Data Protection Act.
In addition, Sophos has a number of data protection solutions that can help reduce the risks of your company being the next one making the headlines.
You can read more opinion on this case from Graeme Stewart, who blogs about security in the public sector for Sophos.
Clearly more organisations need to wake up to the danger of data loss - storing sensitive information on an unencrypted laptop is a timebomb waiting to happen. Not only could you put your customers, staff and partners at risk - you could also be putting your company at risk of a substantial fine.
Hmm. We've periodically received misdirected faxes from various courts... criminal custody details that are intended for a security firm!! Nothing particularly juicy so far, though, just the usual low-lifes.. It seems there's a list of fax numbers floating about with a 3 and an 8 transposed. I just phone whomever I can get hold of, and tell them about it. Then shred the faxes. Never thought to report them to the ICO... maybe next time I should - it's annoying as they usually try calling multiple times until I drag out the fax and connect it all up.
Getting a company on-board with a mass-deployment of laptop full disk encryption is hard, when nothing but good security practice is the only driving factor. This was our case, but with the introduction of MA CMR 17, we were able to leverage this law to apply best security practice for full disk encryption (upwards of 700 laptops). Since then, we have deployed a full disk encryption solution company wide on all laptops using a commercial solution, with piece of mind that we have good control over who has it, needs it, and recovery methods. I sleep a lot better at night knowing that if a laptop is stolen, its nothing more than a physical, small cost, asset lost.
In Nick's response:
I understand what you're saying about it being hard to encrypt every single laptop in a firm/company as well as it being very costly and time consuming, however, this is a must, that is no excuse for a company not to encrypt a laptop, that shouldn't even be mentioned at all. No matter how hard things can be, we have to do what needs to be done.
Setting up a business and getting everything running in good shape is a massive job, however that doesn't people from setting them up properly for their convenience, why should security of information be any different? I think some people are too scared to challenge the people above them - whether they managers, senior managers, head department or even head of business - when they want to take a shortcut, firstly this doesn't set a good example to other employees who will probably think 'well if my manager doesn't care then why should I?', but if they knew their information was compromised in this way they would be the first to kick up a big fuss and take the company to the ombudsman, the court, whoever they saw fit.
I am currently working in one of the biggest financial institutions in the UK, the company thrives to do our best to protect our customers' data as much as we can (as well as us - the employees) and we're constantly seeking new ways to stop fraudulent activity within out business, employing new technologies and spending a lot of time, research and money to make sure we protect our customers, but just as importantly ourselves.
I do believe that sometimes companies are not punished enough for their mistakes, if a laptop was stolen and wasn't encrypted, whether there was information compromised or not, the company should be punished for the worst care scenario because even if nothing major happened, it could have. It's like saying about a bad driver who injured a pedestrian really badly and another who nearly killed one, both should be sanctioned severely because what they did, regardless of the outcome, was very serious and wrong!
What do you guys think?
In response to Dee, (I am Nick, the poster above you).
I totally agree and understand, however its not all that simple. I work for a very large online business (international), and lead up their security. The problem is how do we balance what us security guys want, and want the business is ready for? For simple things like AntiVirus, its simple, and for the most part cheap and can be introduced into a fast pace environment on the fly. However, full disk encryption is a total different beast. Business thrive on profit, and will focus its spending on areas that show more return (i.e. development). Asking the company to float x money for a global full disk encryption project when it doesnt show any return up front and nothing is mandating that we use it can be hard. Trust me, i know better, I know we needed this for a long time.
The next part is adoption. Deploying a full disk encryption solution (at least the one we went with, which I feel is the best one of the top 5 commercial vendors) isn't as easy to deploy as say Sophos End Point (yes we are a customer). Getting the solution deployed and the employees properly trained was a huge step and learning experience. Introducing new stuff that impacts an employee requires proper training. We wanted to explain the "Pre-Boot Authentication" properly to each employee and what to do should they have issues (i.e. who to call, when to call). Then there is training support staff on how to help assist employees with issues where they cant boot into a laptop that was encryptioned. Training them how to use recovery methods, and authenticate the employee to help them with recovery logins...etc.
I've been in Security for many years now, and I'm hard core. I'm that guy at heart that says "Lock everything down now!!" but having worked in a very large company all this time, I've started to learn that it takes time and proper steps.
In the end, we are fully disk encrypted on laptops now....now we are tackling USB removable media :)
True Crypt is free opensource program that can crypt disks on the fly. Is there a reason it is not considered or what?